satellite/console: only allow project member to get all bucket names

Change-Id: I8ceb0b7eb19e221072b4ff3411a4ec1a7817d16f

satellite/console/consoleweb/consoleapi/buckets_test.go

@@ -32,8 +32,18 @@ func Test_AllBucketNames(t *testing.T) {
 		},
 	}, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
 		sat := planet.Satellites[0]
-		project := planet.Uplinks[0].Projects[0]
-		service := sat.API.Console.Service
+
+		newUser := console.CreateUser{
+			FullName:  "Jack-bucket",
+			ShortName: "",
+			Email:     "bucketest@test.test",
+		}
+
+		user, err := sat.AddUser(ctx, newUser, 1)
+		require.NoError(t, err)
+
+		project, err := sat.AddProject(ctx, user.ID, "buckettest")
+		require.NoError(t, err)
 
 		bucket1 := storj.Bucket{
 			ID:        testrand.UUID(),
@@ -47,33 +57,14 @@ func Test_AllBucketNames(t *testing.T) {
 			ProjectID: project.ID,
 		}
 
-		_, err := sat.DB.Buckets().CreateBucket(ctx, bucket1)
+		_, err = sat.DB.Buckets().CreateBucket(ctx, bucket1)
 		require.NoError(t, err)
 
 		_, err = sat.DB.Buckets().CreateBucket(ctx, bucket2)
 		require.NoError(t, err)
 
-		user := console.CreateUser{
-			FullName:  "Jack",
-			ShortName: "",
-			Email:     "bucketest@test.test",
-			Password:  "123a123",
-		}
-		refUserID := ""
-
-		regToken, err := service.CreateRegToken(ctx, 1)
-		require.NoError(t, err)
-
-		createdUser, err := service.CreateUser(ctx, user, regToken.Secret, refUserID)
-		require.NoError(t, err)
-
-		activationToken, err := service.GenerateActivationToken(ctx, createdUser.ID, createdUser.Email)
-		require.NoError(t, err)
-
-		err = service.ActivateAccount(ctx, activationToken)
-		require.NoError(t, err)
-
-		token, err := service.Token(ctx, user.Email, user.Password)
+		// we are using full name as a password
+		token, err := sat.API.Console.Service.Token(ctx, user.Email, user.FullName)
 		require.NoError(t, err)
 
 		client := http.Client{}

satellite/console/service.go

@@ -1460,7 +1460,12 @@ func (s *Service) GetBucketTotals(ctx context.Context, projectID uuid.UUID, curs
 func (s *Service) GetAllBucketNames(ctx context.Context, projectID uuid.UUID) (_ []string, err error) {
 	defer mon.Task()(&ctx)(&err)
 
-	_, err = s.getAuthAndAuditLog(ctx, "get all bucket names", zap.String("projectID", projectID.String()))
+	auth, err := s.getAuthAndAuditLog(ctx, "get all bucket names", zap.String("projectID", projectID.String()))
+	if err != nil {
+		return nil, Error.Wrap(err)
+	}
+
+	_, err = s.isProjectMember(ctx, auth.User.ID, projectID)
 	if err != nil {
 		return nil, Error.Wrap(err)
 	}

satellite/console/service_test.go

@@ -160,16 +160,21 @@ func TestService(t *testing.T) {
 					ProjectID: up2Pro1.ID,
 				}
 
-				_, err := sat.DB.Buckets().CreateBucket(authCtx1, bucket1)
+				_, err := sat.DB.Buckets().CreateBucket(authCtx2, bucket1)
 				require.NoError(t, err)
 
-				_, err = sat.DB.Buckets().CreateBucket(authCtx1, bucket2)
+				_, err = sat.DB.Buckets().CreateBucket(authCtx2, bucket2)
 				require.NoError(t, err)
 
-				bucketNames, err := service.GetAllBucketNames(authCtx1, up2Pro1.ID)
+				bucketNames, err := service.GetAllBucketNames(authCtx2, up2Pro1.ID)
 				require.NoError(t, err)
 				require.Equal(t, bucket1.Name, bucketNames[0])
 				require.Equal(t, bucket2.Name, bucketNames[1])
+
+				// Getting someone else buckets should not work
+				bucketsForUnauthorizedUser, err := service.GetAllBucketNames(authCtx1, up2Pro1.ID)
+				require.Error(t, err)
+				require.Nil(t, bucketsForUnauthorizedUser)
 			})
 		})
 }