Project Quay: PROJQUAY-7138

changeOrganizationDetails API with super user token doesn't work when FEATURE_SUPERUSERS_FULL_ACCESS is enabled


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • quay-v3.11.2
    • quay-v3.11.0
    • quay

      Description of problem:

      When FEATURE_SUPERUSERS_FULL_ACCESS is enabled, the changeOrganizationDetails API (PUT /api/v1/organization/{orgname}) called with a super user token fails against an organization created by a normal user.

      Version-Release number of selected component (if applicable):

      quay-operator-bundle-container-v3.11.1-18
      registry.redhat.io/quay/quay-operator-rhel8@sha256:a3a2171448b30385700e6f64633016abfb5dc331849a91cdc354405a32eb444c
      registry.redhat.io/quay/quay-rhel8@sha256:bca647c67c7ece7fb427498db44af850ca05b4cba2f55b78d90fb9d7059883e7

      How reproducible:

      1. Enable FEATURE_SUPERUSERS_FULL_ACCESS in the Quay config.yaml:

      FEATURE_SUPERUSERS_FULL_ACCESS: true 
      SUPER_USERS:
        - whuquay
      FEATURE_MAILING: true
      MAIL_DEFAULT_SENDER: quay_qe@163.com
      MAIL_PASSWORD: .......
      MAIL_PORT: 25
      MAIL_SERVER: smtp.163.com
      MAIL_USE_AUTH: true
      MAIL_USE_TLS: true
      MAIL_USERNAME: quay_qe@163.com

      2. Create a normal user "user1" and a super user "whuquay".

      3. Log in to Quay as the normal user "user1" and create an organization "user1_org".

      4. Call the changeOrganizationDetails API with the super user token against organization "user1_org".

      Actual results:

      With FEATURE_SUPERUSERS_FULL_ACCESS enabled, the super user cannot update an organization created by a normal user via "PUT /api/v1/organization/{orgname}"; the request is rejected with 403 insufficient_scope.

      super user token : XZre7yUiq7F4DLzGsFAT60NuxOTuiKdkICmuwKaG
      normal user token: KSN96FEMn02FrpCsYNjRQrLG3Ps8aWIdSnmSDqan

      Update organization by super user:

      %  curl -k -X PUT -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer XZre7yUiq7F4DLzGsFAT60NuxOTuiKdkICmuwKaG"  --data '{"email":"updateemail@bogus.com"}' https://quayregistry-quay-quay-enterprise.apps.whu415aw12.qe.devcluster.openshift.com/api/v1/organization/user1_org|jq .
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   304  100   271  100    33    290     35 --:--:-- --:--:-- --:--:--   325
      {
        "detail": "Unauthorized",
        "error_message": "Unauthorized",
        "error_type": "insufficient_scope",
        "title": "insufficient_scope",
        "type": "https://quayregistry-quay-quay-enterprise.apps.whu415aw12.qe.devcluster.openshift.com/api/v1/error/insufficient_scope",
        "status": 403
      }

      Expected results:

      With FEATURE_SUPERUSERS_FULL_ACCESS enabled, the super user can update an organization created by a normal user via "PUT /api/v1/organization/{orgname}", receiving the same 200 response that the organization's owner receives.
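The authorization decision this bug turns on, modelled as an added example (not Quay's own code; the Config and Org names and the shape of the check are assumptions that mirror the behaviour the report describes, with the reported and the expected check side by side):

```python
# Added illustrative model of the permission check behind this issue.
# Not Quay's code: names and structure are assumptions mirroring the report.
from dataclasses import dataclass, field


@dataclass
class Config:
    feature_superusers_full_access: bool = False   # FEATURE_SUPERUSERS_FULL_ACCESS
    super_users: set = field(default_factory=set)  # SUPER_USERS


@dataclass
class Org:
    name: str
    admins: set  # members of the organization's "owners" team


def can_administer_org_reported(user: str, org: Org, cfg: Config) -> bool:
    """Behaviour the issue reports: only org admins pass; the
    FEATURE_SUPERUSERS_FULL_ACCESS flag is never consulted."""
    return user in org.admins


def can_administer_org_expected(user: str, org: Org, cfg: Config) -> bool:
    """Expected behaviour: org admins, or a configured super user when the
    feature flag is on. Super user status alone is not enough: full access
    is opt-in, so with the flag off a super user is still refused."""
    if user in org.admins:
        return True
    return cfg.feature_superusers_full_access and user in cfg.super_users


def change_org_details(user, org, cfg, new_email, check=can_administer_org_expected):
    """Model of PUT /api/v1/organization/{orgname}: returns (status, body)
    shaped like the two responses quoted in the issue."""
    if not check(user, org, cfg):
        return 403, {"error_type": "insufficient_scope", "status": 403}
    return 200, {"name": org.name, "email": new_email}


# Constructed sample mirroring the report: "user1" owns "user1_org",
# "whuquay" is the configured super user, and the flag is enabled.
CFG = Config(feature_superusers_full_access=True, super_users={"whuquay"})
ORG = Org(name="user1_org", admins={"user1"})

if __name__ == "__main__":
    for who in ("user1", "whuquay", "user2"):
        reported = change_org_details(who, ORG, CFG, "updateemail@bogus.com", can_administer_org_reported)[0]
        expected = change_org_details(who, ORG, CFG, "updateemail@bogus.com")[0]
        print(f"{who}: reported={reported} expected={expected}")
```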

      Additional Information:

      The normal user "user1" (an owner of the organization) can update the organization via "PUT /api/v1/organization/{orgname}" successfully.

      super user token : XZre7yUiq7F4DLzGsFAT60NuxOTuiKdkICmuwKaG
      normal user token: KSN96FEMn02FrpCsYNjRQrLG3Ps8aWIdSnmSDqan

      Update organization by normal user:
      
      % curl -k -X PUT -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer  KSN96FEMn02FrpCsYNjRQrLG3Ps8aWIdSnmSDqan"  --data '{"email":"updateemail@bogus.com"}' https://quayregistry-quay-quay-enterprise.apps.whu415aw12.qe.devcluster.openshift.com/api/v1/organization/user1_org|jq .
      
      
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100  1156  100  1123  100    33   1235     36 --:--:-- --:--:-- --:--:--  1271
      {
        "name": "user1_org",
        "email": "updateemail@bogus.com",
        "avatar": {
          "name": "user1_org",
          "hash": "f579c6f942b541511cd1322b22aa87beb31a3d46c6081a8380a29d23b94a2a51",
          "color": "#5254a3",
          "kind": "user"
        },
        "is_admin": true,
        "is_member": true,
        "teams": {
          "owners": {
            "name": "owners",
            "description": "",
            "role": "admin",
            "avatar": {
              "name": "owners",
              "hash": "6f0e3a8c0eb46e8834b43b03374ece43a030621d92a7437beb48f871e90f8d90",
              "color": "#c7c7c7",
              "kind": "team"
            },
            "can_view": true,
            "repo_count": 0,
            "member_count": 1,
            "is_synced": false
          },
          "user1_team": {
            "name": "user1_team",
            "description": "",
            "role": "member",
            "avatar": {
              "name": "user1_team",
              "hash": "573545c1eceaf01f637d3e0fe05eb38ee91861600fff9a8c3cbf5568a76f7868",
              "color": "#9c9ede",
              "kind": "team"
            },
            "can_view": true,
            "repo_count": 0,
            "member_count": 1,
            "is_synced": false
          }
        },
        "ordered_teams": [
          "owners",
          "user1_team"
        ],
        "invoice_email": false,
        "invoice_email_address": null,
        "tag_expiration_s": 1209600,
        "is_free_account": true,
        "quotas": [],
        "quota_report": {
          "quota_bytes": 5594576,
          "configured_quota": null,
          "running_backfill": "complete",
          "backfill_status": "complete"
        }
      }

Brandon Caton (bcaton@redhat.com), Weihua Hu (rhwhu)