Align code content to updated access right handling

sapcc · Nov 14, 2024 · ea650de · ea650de
1 parent 92fb1d2
commit ea650de
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 9 deletions.
diff --git a/internal/api/api_test.go b/internal/api/api_test.go
@@ -925,7 +925,7 @@ func Test_PutMaxQuotaOnProject(t *testing.T) {
 	`)
 
 	// happy case: set max quota with project permissions
-	s.TokenValidator.Enforcer.AllowDomain = false
+	s.TokenValidator.Enforcer.AllowEditMaxQuota = false
 	assert.HTTPRequest{
 		Method:       "PUT",
 		Path:         "/v1/domains/uuid-for-germany/projects/uuid-for-berlin/max-quota",
@@ -935,18 +935,18 @@ func Test_PutMaxQuotaOnProject(t *testing.T) {
 	tr.DBChanges().AssertEqualf(`
 		UPDATE project_resources SET max_quota_from_local_admin = %d WHERE id = 4 AND service_id = 2 AND name = 'things';
 	`, 500)
-	s.TokenValidator.Enforcer.AllowDomain = true
+	s.TokenValidator.Enforcer.AllowEditMaxQuota = true
 
 	// error case: missing the appropriate edit permission
-	s.TokenValidator.Enforcer.AllowEditMaxQuota = false
+	s.TokenValidator.Enforcer.AllowEdit = false
 	assert.HTTPRequest{
 		Method:       "PUT",
 		Path:         "/v1/domains/uuid-for-germany/projects/uuid-for-berlin/max-quota",
 		Body:         makeRequest("shared", assert.JSONObject{"name": "things", "max_quota": 1000}),
 		ExpectStatus: http.StatusForbidden,
 		ExpectBody:   assert.StringData("Forbidden\n"),
 	}.Check(t, s.Handler)
-	s.TokenValidator.Enforcer.AllowEditMaxQuota = true
+	s.TokenValidator.Enforcer.AllowEdit = true
 
 	// error case: invalid service
 	assert.HTTPRequest{

diff --git a/internal/api/projects.go b/internal/api/projects.go
@@ -184,12 +184,11 @@ func (p *v1Provider) PutProjectMaxQuota(w http.ResponseWriter, r *http.Request)
 	httpapi.IdentifyEndpoint(r, "/v1/domains/:id/projects/:id/max-quota")
 	requestTime := p.timeNow()
 	token := p.CheckToken(r)
-	if !token.Require("project:edit") {
+	if !token.Require(w, "project:edit") {
 		return
 	}
+	// domain admins have project edit rights by inheritance.
 	domainAccess := token.Check("project:edit_as_outside_admin")
-		return
-	}
 	dbDomain := p.FindDomainFromRequest(w, r)
 	if dbDomain == nil {
 		return
@@ -288,7 +287,7 @@ func (p *v1Provider) PutProjectMaxQuota(w http.ResponseWriter, r *http.Request)
 					res.MaxQuotaFromOutsideAdmin = requestedChange.NewValue
 					return nil
 				}
-				if requestedChange != nil && projectAccess {
+				if requestedChange != nil {
 					requestedChange.OldValue = res.MaxQuotaFromLocalAdmin
 					res.MaxQuotaFromLocalAdmin = requestedChange.NewValue
 				}

diff --git a/internal/test/mock_validator.go b/internal/test/mock_validator.go
@@ -71,7 +71,7 @@ func (e *PolicyEnforcer) allowAction(action string) bool {
 		return e.AllowView
 	case "edit":
 		return e.AllowEdit
-	case "edit_max_quota":
+	case "edit_as_outside_admin":
 		return e.AllowEditMaxQuota
 	case "uncommit":
 		return e.AllowUncommit