From d8ba7b3057ccfd58a2a46a68eeb7e13de7cb9e14 Mon Sep 17 00:00:00 2001
From: Yingrong Zhao
Date: Mon, 30 Nov 2020 11:51:47 -0500
Subject: [PATCH] satellite/console: only allow project member to get all bucket names

Change-Id: I8ceb0b7eb19e221072b4ff3411a4ec1a7817d16f
---
 .../consoleweb/consoleapi/buckets_test.go | 39 +++++++------------
 satellite/console/service.go | 7 +++-
 satellite/console/service_test.go | 11 ++++--
 3 files changed, 29 insertions(+), 28 deletions(-)

diff --git a/satellite/console/consoleweb/consoleapi/buckets_test.go b/satellite/console/consoleweb/consoleapi/buckets_test.go
index 27b21e9df..1cea214da 100644
--- a/satellite/console/consoleweb/consoleapi/buckets_test.go
+++ b/satellite/console/consoleweb/consoleapi/buckets_test.go
@@ -32,8 +32,18 @@ func Test_AllBucketNames(t *testing.T) {
 },
 }, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
 sat := planet.Satellites[0]
- project := planet.Uplinks[0].Projects[0]
- service := sat.API.Console.Service
+
+ newUser := console.CreateUser{
+ FullName: "Jack-bucket",
+ ShortName: "",
+ Email: "bucketest@test.test",
+ }
+
+ user, err := sat.AddUser(ctx, newUser, 1)
+ require.NoError(t, err)
+
+ project, err := sat.AddProject(ctx, user.ID, "buckettest")
+ require.NoError(t, err)
 
 bucket1 := storj.Bucket{
 ID: testrand.UUID(),
@@ -47,33 +57,14 @@ func Test_AllBucketNames(t *testing.T) {
 ProjectID: project.ID,
 }
 
- _, err := sat.DB.Buckets().CreateBucket(ctx, bucket1)
+ _, err = sat.DB.Buckets().CreateBucket(ctx, bucket1)
 require.NoError(t, err)
 _, err = sat.DB.Buckets().CreateBucket(ctx, bucket2)
 require.NoError(t, err)
 
- user := console.CreateUser{
- FullName: "Jack",
- ShortName: "",
- Email: "bucketest@test.test",
- Password: "123a123",
- }
- refUserID := ""
-
- regToken, err := service.CreateRegToken(ctx, 1)
- require.NoError(t, err)
-
- createdUser, err := service.CreateUser(ctx, user, regToken.Secret, refUserID)
- require.NoError(t, err)
-
- activationToken, err := service.GenerateActivationToken(ctx, createdUser.ID, createdUser.Email)
- require.NoError(t, err)
-
- err = service.ActivateAccount(ctx, activationToken)
- require.NoError(t, err)
-
- token, err := service.Token(ctx, user.Email, user.Password)
+ // we are using full name as a password
+ token, err := sat.API.Console.Service.Token(ctx, user.Email, user.FullName)
 require.NoError(t, err)
 
 client := http.Client{}
diff --git a/satellite/console/service.go b/satellite/console/service.go
index 41fff244e..cc97ffc61 100644
--- a/satellite/console/service.go
+++ b/satellite/console/service.go
@@ -1460,7 +1460,12 @@ func (s *Service) GetBucketTotals(ctx context.Context, projectID uuid.UUID, curs
 func (s *Service) GetAllBucketNames(ctx context.Context, projectID uuid.UUID) (_ []string, err error) {
 defer mon.Task()(&ctx)(&err)
 
- _, err = s.getAuthAndAuditLog(ctx, "get all bucket names", zap.String("projectID", projectID.String()))
+ auth, err := s.getAuthAndAuditLog(ctx, "get all bucket names", zap.String("projectID", projectID.String()))
+ if err != nil {
+ return nil, Error.Wrap(err)
+ }
+
+ _, err = s.isProjectMember(ctx, auth.User.ID, projectID)
 if err != nil {
 return nil, Error.Wrap(err)
 }
diff --git a/satellite/console/service_test.go b/satellite/console/service_test.go
index febf33000..edffb71f2 100644
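Review bot: The API-level test still exercises only the authorized path — the single user created in this file owns the project whose buckets it lists — so the authorization failure this commit introduces is never observed through the HTTP handler, and the status code a non-member receives stays unpinned. Worth adding a second user via `sat.AddUser`, obtaining a token for it the same way, and asserting that the same request is rejected (a 4xx, not a 200 with an empty list); the request construction after `client := http.Client{}` lies outside the hunk, so I have not written that here. The `// we are using full name as a password` comment would read better as `// sat.AddUser registers the user with FullName as its password` if that is indeed what the helper does — its body is not visible in this diff.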
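Review bot: The new membership check discards `isProjectMember`'s result and wraps its error in the generic `Error` class, the same class the authentication failure above it gets, so the HTTP layer has nothing to tell a non-member apart from an internal failure unless `isProjectMember` itself returns a distinguishable error (its implementation is not visible here, and the new service_test asserts only `require.Error`). If this file has a distinct class for membership failures, returning it unwrapped or wrapping with that class instead of `Error.Wrap(err)` on the second added return would let the handler answer 401/403 rather than a generic 5xx; please confirm. The ordering is otherwise sound: the audit-log entry is written before the check, so denied attempts are still recorded. The hunk starts at the signature, so any doc comment above it is out of view; if there is none, `// GetAllBucketNames returns the names of all buckets in the project; the caller must be authenticated and a member of projectID.` would document the contract this change establishes. The body of GetAllBucketNames, and GetBucketTotals named in the hunk header, continue outside the hunk, so I could not confirm that sibling read paths gate on membership the same way.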
--- a/satellite/console/service_test.go
+++ b/satellite/console/service_test.go
@@ -160,16 +160,21 @@ func TestService(t *testing.T) {
 ProjectID: up2Pro1.ID,
 }
 
- _, err := sat.DB.Buckets().CreateBucket(authCtx1, bucket1)
+ _, err := sat.DB.Buckets().CreateBucket(authCtx2, bucket1)
 require.NoError(t, err)
- _, err = sat.DB.Buckets().CreateBucket(authCtx1, bucket2)
+ _, err = sat.DB.Buckets().CreateBucket(authCtx2, bucket2)
 require.NoError(t, err)
 
- bucketNames, err := service.GetAllBucketNames(authCtx1, up2Pro1.ID)
+ bucketNames, err := service.GetAllBucketNames(authCtx2, up2Pro1.ID)
 require.NoError(t, err)
 require.Equal(t, bucket1.Name, bucketNames[0])
 require.Equal(t, bucket2.Name, bucketNames[1])
+
+ // Getting someone else buckets should not work
+ bucketsForUnauthorizedUser, err := service.GetAllBucketNames(authCtx1, up2Pro1.ID)
+ require.Error(t, err)
+ require.Nil(t, bucketsForUnauthorizedUser)
 })
 })
}
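Review bot: `require.Error(t, err)` on the new negative case accepts any failure, so the test would still pass if the membership check were lost and the call failed later for an unrelated reason (a database error, a context without auth), which is exactly the regression this commit guards against. Asserting the specific error class that `isProjectMember` produces (via that class's `.Has(err)`, the name is not visible in this diff) would pin the authorization behaviour rather than mere failure. The comment also reads awkwardly; `// A user who is not a member of the project must not be able to list its buckets` states the intent. The enclosing subtest and test function both close within the hunk, so nothing else is hidden.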