satellite/console: prevent unauthorized project mutation
This change further restricts projects members from modifying project details by restricting the project edit graphql mutation; making it check if the user performing the operation is the owner of the project. Change-Id: Iaf10d16269ddc29437d3d5629db06e20cea3004e
This commit is contained in:
parent
bcce6023c3
commit
30d0094c43
@ -870,7 +870,7 @@ func TestWrongUser(t *testing.T) {
|
||||
}`}))
|
||||
require.Contains(t, body, "not authorized")
|
||||
// TODO: wrong error code
|
||||
require.Equal(t, http.StatusInternalServerError, resp.StatusCode)
|
||||
require.Equal(t, http.StatusUnauthorized, resp.StatusCode)
|
||||
}
|
||||
|
||||
{ // get bucket usages
|
||||
|
@ -1813,12 +1813,11 @@ func (s *Service) UpdateProject(ctx context.Context, projectID uuid.UUID, update
|
||||
return nil, Error.Wrap(err)
|
||||
}
|
||||
|
||||
isMember, err := s.isProjectMember(ctx, user.ID, projectID)
|
||||
_, project, err := s.isProjectOwner(ctx, user.ID, projectID)
|
||||
if err != nil {
|
||||
return nil, Error.Wrap(err)
|
||||
}
|
||||
|
||||
project := isMember.project
|
||||
if updatedProject.Name != project.Name {
|
||||
passesNameCheck, err := s.checkProjectName(ctx, updatedProject, user.ID)
|
||||
if err != nil || !passesNameCheck {
|
||||
|
@ -270,6 +270,19 @@ func TestService(t *testing.T) {
|
||||
})
|
||||
require.Error(t, err)
|
||||
require.Nil(t, updatedProject)
|
||||
|
||||
user2, userCtx2 := getOwnerAndCtx(ctx, up2Proj)
|
||||
_, err = service.AddProjectMembers(userCtx1, up1Proj.ID, []string{user2.Email})
|
||||
require.NoError(t, err)
|
||||
// Members should not be able to update project.
|
||||
_, err = service.UpdateProject(userCtx2, up1Proj.ID, console.ProjectInfo{
|
||||
Name: updatedName,
|
||||
})
|
||||
require.Error(t, err)
|
||||
require.True(t, console.ErrUnauthorized.Has(err))
|
||||
// remove user2.
|
||||
err = service.DeleteProjectMembersAndInvitations(userCtx1, up1Proj.ID, []string{user2.Email})
|
||||
require.NoError(t, err)
|
||||
})
|
||||
|
||||
t.Run("AddProjectMembers", func(t *testing.T) {
|
||||
|
Loading…
Reference in New Issue
Block a user