diff --git a/satellite/console/consoleweb/consoleapi/apikeys.go b/satellite/console/consoleweb/consoleapi/apikeys.go index db6125847..03a7b6019 100644 --- a/satellite/console/consoleweb/consoleapi/apikeys.go +++ b/satellite/console/consoleweb/consoleapi/apikeys.go @@ -67,7 +67,7 @@ func (keys *APIKeys) CreateAPIKey(w http.ResponseWriter, r *http.Request) { info, key, err := keys.service.CreateAPIKey(ctx, projectID, name) if err != nil { - if console.ErrUnauthorized.Has(err) { + if console.ErrUnauthorized.Has(err) || console.ErrNoMembership.Has(err) { keys.serveJSONError(ctx, w, http.StatusUnauthorized, err) return } diff --git a/satellite/console/consoleweb/consoleapi/projects.go b/satellite/console/consoleweb/consoleapi/projects.go index e4759e970..be3c6d46d 100644 --- a/satellite/console/consoleweb/consoleapi/projects.go +++ b/satellite/console/consoleweb/consoleapi/projects.go @@ -262,6 +262,10 @@ func (p *Projects) GetMembersAndInvitations(w http.ResponseWriter, r *http.Reque project, err := p.service.GetProject(ctx, publicID) if err != nil { + if console.ErrUnauthorized.Has(err) || console.ErrNoMembership.Has(err) { + p.serveJSONError(ctx, w, http.StatusUnauthorized, err) + return + } p.serveJSONError(ctx, w, http.StatusInternalServerError, err) return } @@ -424,6 +428,10 @@ func (p *Projects) InviteUsers(w http.ResponseWriter, r *http.Request) { _, err = p.service.InviteProjectMembers(ctx, id, data.Emails) if err != nil { + if console.ErrUnauthorized.Has(err) || console.ErrNoMembership.Has(err) { + p.serveJSONError(ctx, w, http.StatusUnauthorized, err) + return + } p.serveJSONError(ctx, w, http.StatusInternalServerError, err) } } @@ -590,6 +598,10 @@ func (p *Projects) DeleteMembersAndInvitations(w http.ResponseWriter, r *http.Re err = p.service.DeleteProjectMembersAndInvitations(ctx, id, emails) if err != nil { + if console.ErrUnauthorized.Has(err) || console.ErrNoMembership.Has(err) { + p.serveJSONError(ctx, w, http.StatusUnauthorized, err) + return + } p.serveJSONError(ctx, w, http.StatusInternalServerError, err) } } diff --git a/satellite/console/consoleweb/consoleapi/usagelimits.go b/satellite/console/consoleweb/consoleapi/usagelimits.go index 348d0c4d4..2751b27f6 100644 --- a/satellite/console/consoleweb/consoleapi/usagelimits.go +++ b/satellite/console/consoleweb/consoleapi/usagelimits.go @@ -64,7 +64,7 @@ func (ul *UsageLimits) ProjectUsageLimits(w http.ResponseWriter, r *http.Request usageLimits, err := ul.service.GetProjectUsageLimits(ctx, projectID) if err != nil { switch { - case console.ErrUnauthorized.Has(err): + case console.ErrUnauthorized.Has(err) || console.ErrNoMembership.Has(err): ul.serveJSONError(ctx, w, http.StatusUnauthorized, err) return case accounting.ErrInvalidArgument.Has(err): @@ -140,7 +140,7 @@ func (ul *UsageLimits) DailyUsage(w http.ResponseWriter, r *http.Request) { dailyUsage, err := ul.service.GetDailyProjectUsage(ctx, projectID, since, before) if err != nil { - if console.ErrUnauthorized.Has(err) { + if console.ErrUnauthorized.Has(err) || console.ErrNoMembership.Has(err) { ul.serveJSONError(ctx, w, http.StatusUnauthorized, err) return } diff --git a/satellite/console/consoleweb/endpoints_test.go b/satellite/console/consoleweb/endpoints_test.go index 3e0c49b7f..4aea93419 100644 --- a/satellite/console/consoleweb/endpoints_test.go +++ b/satellite/console/consoleweb/endpoints_test.go @@ -500,16 +500,80 @@ func TestWrongUser(t *testing.T) { SatelliteCount: 1, StorageNodeCount: 0, UplinkCount: 1, }, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) { test := newTest(t, ctx, planet) - user := test.defaultUser() - _ = user - user2 := test.registerUser("user@mail.test", "#$Rnkl12i3nkljfds") - test.login(user2.email, user2.password) + authorizedUser := test.defaultUser() + unauthorizedUser := test.registerUser("user@mail.test", "#$Rnkl12i3nkljfds") + test.login(unauthorizedUser.email, unauthorizedUser.password) - { // Get_ProjectUsageLimitById - resp, body := test.request(http.MethodGet, `/projects/`+test.defaultProjectID()+`/usage-limits`, nil) - require.Contains(t, body, "not authorized") - // TODO: wrong error code - require.Equal(t, http.StatusInternalServerError, resp.StatusCode) + type endpointTest struct { + endpoint string + method string + body interface{} + } + + baseProjectsUrl := "/projects" + baseProjectIdUrl := fmt.Sprintf("%s/%s", baseProjectsUrl, test.defaultProjectID()) + getProjectResourceUrl := func(resource string) string { + return fmt.Sprintf("%s/%s", baseProjectIdUrl, resource) + } + + testCases := []endpointTest{ + { + endpoint: baseProjectIdUrl, + method: http.MethodPatch, + body: map[string]interface{}{ + "name": "new name", + }, + }, + { + endpoint: getProjectResourceUrl("members") + "?emails=" + "some@email.com", + method: http.MethodDelete, + }, + { + endpoint: getProjectResourceUrl("salt"), + method: http.MethodGet, + }, + { + endpoint: getProjectResourceUrl("members"), + method: http.MethodGet, + }, + { + endpoint: getProjectResourceUrl("invite"), + method: http.MethodPost, + body: map[string]interface{}{ + "emails": []string{"some@email.com"}, + }, + }, + { + endpoint: getProjectResourceUrl("usage-limits"), + method: http.MethodGet, + }, + { + endpoint: getProjectResourceUrl("daily-usage") + "?from=100000000&to=200000000000", + method: http.MethodGet, + }, + { + endpoint: "/api-keys/create/" + test.defaultProjectID(), + method: http.MethodPost, + body: "name", + }, + } + + for _, testCase := range testCases { + t.Run(fmt.Sprintf("Unauthorized on %s", testCase.endpoint), func(t *testing.T) { + resp, body := test.request(testCase.method, testCase.endpoint, test.toJSON(testCase.body)) + require.Contains(t, body, "not authorized") + require.Equal(t, http.StatusUnauthorized, resp.StatusCode) + }) + } + + // login with correct user to make sure they have access. + test.login(authorizedUser.email, authorizedUser.password) + for _, testCase := range testCases { + t.Run(fmt.Sprintf("Authorized on %s", testCase.endpoint), func(t *testing.T) { + resp, body := test.request(testCase.method, testCase.endpoint, test.toJSON(testCase.body)) + require.NotContains(t, body, "not authorized") + require.NotEqual(t, http.StatusUnauthorized, resp.StatusCode) + }) } }) }