Project Quay: PROJQUAY-7180

deleteTeamMemberEmailInvite API with super user token doesn't work when FEATURE_SUPERUSERS_FULL_ACCESS is enabled


    • Type: Bug
    • Resolution: Done
    • Priority: Normal
    • None
    • quay-v3.11.0
    • quay

      Description of problem:

      When FEATURE_SUPERUSERS_FULL_ACCESS is enabled, the deleteTeamMemberEmailInvite API called with a super user token doesn't work against a team created by a normal user.

      Version-Release number of selected component (if applicable):

      quay-operator-bundle-container-v3.11.1-18
      ------------------------------ 
      registry.redhat.io/quay/quay-operator-rhel8@sha256:a3a2171448b30385700e6f64633016abfb5dc331849a91cdc354405a32eb444c
      ------------------------------
      registry.redhat.io/quay/quay-rhel8@sha256:bca647c67c7ece7fb427498db44af850ca05b4cba2f55b78d90fb9d7059883e7

      How reproducible:

      1. Enable FEATURE_SUPERUSERS_FULL_ACCESS and FEATURE_MAILING in the Quay config.yaml:

      FEATURE_SUPERUSERS_FULL_ACCESS: true 
      SUPER_USERS:
        - whuquay
      FEATURE_MAILING: true
      MAIL_DEFAULT_SENDER: quay_qe@163.com
      MAIL_PASSWORD: ......
      MAIL_PORT: 25
      MAIL_SERVER: smtp.163.com
      MAIL_USE_AUTH: true
      MAIL_USE_TLS: true
      MAIL_USERNAME: quay_qe@163.com

      2. Create a normal user "user1" and a super user "whuquay".

      3. Log in to Quay as the normal user "user1" and create an organization "user1_org".

      4. Create a team "user1_team" and invite emails to this team as both the super user and the normal user.

      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token : Jb2V0SoFId1XNopz5Nf5GS0VR7O05vd0QWg82969
      -> normal user token: m5e5KUS5vXvnDdwgTJa7QmvnJN4CQkjrCB2Fxf8b
      ->
      -> invites an email to team 
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      
      
      ------------------------------
      $ curl -k -X PUT -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer Jb2V0SoFId1XNopz5Nf5GS0VR7O05vd0QWg82969" https://quayregistry-quay-quay-enterprise.apps.whu415az22.qe.azure.devcluster.openshift.com/api/v1/organization/user1_org/team/user1_team/invite/super@bogus.com
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   215  100   215    0     0     40      0  0:00:05  0:00:05 --:--:--    63
      {
        "email": "super@bogus.com",
        "kind": "invite",
        "avatar": {
          "name": "super@bogus.com",
          "hash": "a017392ff7b54d4e4e35bd2020e95325411409ad96a42177a835d597afb458e2",
          "color": "#969696",
          "kind": "user"
        },
        "invited": true
      } 
      
      ------------------------------
      $ curl -k -X PUT -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer m5e5KUS5vXvnDdwgTJa7QmvnJN4CQkjrCB2Fxf8b" https://quayregistry-quay-quay-enterprise.apps.whu415az22.qe.azure.devcluster.openshift.com/api/v1/organization/user1_org/team/user1_team/invite/normal@bogus.com
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   217  100   217    0     0     47      0  0:00:04  0:00:04 --:--:--    47
      {
        "email": "normal@bogus.com",
        "kind": "invite",
        "avatar": {
          "name": "normal@bogus.com",
          "hash": "333803e831d2589cf88f8f0dcb1f4c5778e0d358d0a3f756d0a1c8d5faf9d247",
          "color": "#9edae5",
          "kind": "user"
        },
        "invited": true
      }

      5. Call the deleteTeamMemberEmailInvite API with the super user token against the emails "normal@bogus.com" and "super@bogus.com".

      Actual results:

      The super user cannot delete invites created by either the normal user or the super user by calling the API "DELETE /api/v1/organization/{orgname}/team/{teamname}/invite/{email}" when FEATURE_SUPERUSERS_FULL_ACCESS is enabled.

      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token : Jb2V0SoFId1XNopz5Nf5GS0VR7O05vd0QWg82969
      -> normal user token: m5e5KUS5vXvnDdwgTJa7QmvnJN4CQkjrCB2Fxf8b
      ->
      -> delete an email from team by super user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      
      ------------------------------
      $ curl -k -X DELETE -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer Jb2V0SoFId1XNopz5Nf5GS0VR7O05vd0QWg82969" https://quayregistry-quay-quay-enterprise.apps.whu415az22.qe.azure.devcluster.openshift.com//api/v1/organization/user1_org/team/user1_team/invite/normal@bogus.com
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   277  100   277    0     0    259      0  0:00:01  0:00:01 --:--:--   259
      {
        "detail": "Unauthorized",
        "error_message": "Unauthorized",
        "error_type": "insufficient_scope",
        "title": "insufficient_scope",
        "type": "https://quayregistry-quay-quay-enterprise.apps.whu415az22.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope",
        "status": 403
      }
      
      ------------------------------
      $ curl -k -X DELETE -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer Jb2V0SoFId1XNopz5Nf5GS0VR7O05vd0QWg82969" https://quayregistry-quay-quay-enterprise.apps.whu415az22.qe.azure.devcluster.openshift.com//api/v1/organization/user1_org/team/user1_team/invite/super@bogus.com
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   277  100   277    0     0    237      0  0:00:01  0:00:01 --:--:--   237
      {
        "detail": "Unauthorized",
        "error_message": "Unauthorized",
        "error_type": "insufficient_scope",
        "title": "insufficient_scope",
        "type": "https://quayregistry-quay-quay-enterprise.apps.whu415az22.qe.azure.devcluster.openshift.com/api/v1/error/insufficient_scope",
        "status": 403
      }
      

      Expected results:

      The super user can delete invites created by both the normal user and the super user by calling the API "DELETE /api/v1/organization/{orgname}/team/{teamname}/invite/{email}" when FEATURE_SUPERUSERS_FULL_ACCESS is enabled.

      Additional Information:

      The normal user "user1" can successfully delete invites created by both the normal user and the super user by calling the API "DELETE /api/v1/organization/{orgname}/team/{teamname}/invite/{email}".

      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      -> super user token : Jb2V0SoFId1XNopz5Nf5GS0VR7O05vd0QWg82969
      -> normal user token: m5e5KUS5vXvnDdwgTJa7QmvnJN4CQkjrCB2Fxf8b
      ->
      -> delete an email from team by normal user
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*==*=*=
      
      ------------------------------
      $ curl -k -X DELETE -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer m5e5KUS5vXvnDdwgTJa7QmvnJN4CQkjrCB2Fxf8b" https://quayregistry-quay-quay-enterprise.apps.whu415az22.qe.azure.devcluster.openshift.com//api/v1/organization/user1_org/team/user1_team/invite/normal@bogus.com
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
        0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
      
      
      ------------------------------
      $ curl -k -X DELETE -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer m5e5KUS5vXvnDdwgTJa7QmvnJN4CQkjrCB2Fxf8b" https://quayregistry-quay-quay-enterprise.apps.whu415az22.qe.azure.devcluster.openshift.com//api/v1/organization/user1_org/team/user1_team/invite/super@bogus.com
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
        0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
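The behaviour reported above is an inconsistency in how one feature flag is enforced: the invite (PUT) endpoint honours the super user override, the delete (DELETE) endpoint does not. The following is an added example, constructed for this report and not Quay's code, that models the two endpoint checks as policy tables and scans them for endpoints where an organization admin is allowed but a super user with FEATURE_SUPERUSERS_FULL_ACCESS is denied. The helper names (administers_org, allow_if_superuser, find_superuser_gaps), the Config attribute name, and the sample users and organization are assumptions; only the flag name and the two API operations come from the report.

```python
"""Constructed model of the permission checks behind the team-invite endpoints.

This is an added example, not Quay's code. Only the feature flag name and the
two API operations come from the report; users, organizations, helper names
and the policy tables are assumptions made to illustrate the gap.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Constructed sample data mirroring the reproduction steps.
SUPER_USERS: Set[str] = {"whuquay"}
ORG_ADMINS: Dict[str, Set[str]] = {"user1_org": {"user1"}}

INVITE = "PUT /api/v1/organization/{orgname}/team/{teamname}/invite/{email}"
DELETE_INVITE = "DELETE /api/v1/organization/{orgname}/team/{teamname}/invite/{email}"


@dataclass
class Config:
    """Subset of config.yaml relevant here (attribute name is assumed)."""
    superusers_full_access: bool = True


@dataclass
class Request:
    user: str
    orgname: str


def administers_org(req: Request) -> bool:
    """Organization admin check: the caller administers the target org."""
    return req.user in ORG_ADMINS.get(req.orgname, set())


def allow_if_superuser(req: Request, cfg: Config) -> bool:
    """Super user override, honoured only when the feature flag is on."""
    return cfg.superusers_full_access and req.user in SUPER_USERS


Check = Callable[[Request, Config], bool]


def admin_or_superuser(req: Request, cfg: Config) -> bool:
    return administers_org(req) or allow_if_superuser(req, cfg)


# Policy with the reported behaviour: the override is applied on PUT but
# forgotten on DELETE, so the super user's DELETE fails while PUT succeeds.
BUGGY_POLICY: Dict[str, Check] = {
    INVITE: admin_or_superuser,
    DELETE_INVITE: lambda req, cfg: administers_org(req),
}

# Policy with the override applied consistently to every endpoint.
FIXED_POLICY: Dict[str, Check] = {
    INVITE: admin_or_superuser,
    DELETE_INVITE: admin_or_superuser,
}


def authorize(policy: Dict[str, Check], endpoint: str, req: Request, cfg: Config) -> int:
    """Return the HTTP status the check would yield: 200 when allowed, 403 otherwise
    (the report shows 403 insufficient_scope on the denied DELETE)."""
    return 200 if policy[endpoint](req, cfg) else 403


def find_superuser_gaps(policy: Dict[str, Check], cfg: Config,
                        superuser: str, orgname: str) -> List[str]:
    """List endpoints an org admin may call but a full-access super user may not.

    Any hit is an inconsistency in how the feature flag is enforced; an empty
    list means the flag is honoured uniformly across the policy.
    """
    if not cfg.superusers_full_access:
        return []  # without the flag, super users are not expected to have full access
    admin = Request(next(iter(ORG_ADMINS[orgname])), orgname)
    su = Request(superuser, orgname)
    return [ep for ep, check in policy.items() if check(admin, cfg) and not check(su, cfg)]


if __name__ == "__main__":
    cfg = Config(superusers_full_access=True)
    su = Request("whuquay", "user1_org")
    for name, policy in (("buggy", BUGGY_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "PUT:", authorize(policy, INVITE, su, cfg),
              "DELETE:", authorize(policy, DELETE_INVITE, su, cfg),
              "gaps:", find_superuser_gaps(policy, cfg, "whuquay", "user1_org"))
```

Running the gap scan over the whole policy table, rather than testing one endpoint at a time, is the check worth keeping in a regression suite: a flag that widens access must produce the same decision on every endpoint it is meant to cover, and any endpoint where the admin-vs-super-user answers diverge is either this bug or a deliberate exception that should be documented.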

              bcaton@redhat.com Brandon Caton
              rhwhu Weihua Hu