With FEATURE_RESTRICTED_USERS: true set in Quay's config.yaml file, Quay superusers cannot create new content in Quay outside of already created organizations. This includes both new repositories in their own private namespace and new organizations:
gunicorn-web stdout | 2024-11-08 20:52:28,126 [262] [DEBUG] [app] Starting request: urn:request:9d63f6e2-bd2c-48fc-99a8-ce2e7cb08070 (/api/v1/repository) {'X-Forwarded-For': '172.24.0.1'}
gunicorn-web stdout | 2024-11-08 20:52:28,127 [262] [DEBUG] [app] User loader loading deferred user with uuid: bbdb7b0f-168a-4b11-9bd6-9dc9ef07cdd9
gunicorn-web stdout | 2024-11-08 20:52:28,127 [262] [DEBUG] [auth.cookie] Loading user from cookie: bbdb7b0f-168a-4b11-9bd6-9dc9ef07cdd9
gunicorn-web stdout | 2024-11-08 20:52:28,127 [262] [DEBUG] [peewee] ('SELECT "t1"."id", "t1"."uuid", "t1"."username", "t1"."password_hash", "t1"."email", "t1"."verified", "t1"."stripe_id", "t1"."organization", "t1"."robot", "t1"."invoice_email", "t1"."invalid_login_attempts", "t1"."last_invalid_login", "t1"."removed_tag_expiration_s", "t1"."enabled", "t1"."invoice_email_address", "t1"."given_name", "t1"."family_name", "t1"."company", "t1"."location", "t1"."maximum_queued_builds_count", "t1"."creation_date", "t1"."last_accessed" FROM "user" AS "t1" WHERE (("t1"."uuid" = %s) AND ("t1"."organization" = %s)) LIMIT %s OFFSET %s', ['bbdb7b0f-168a-4b11-9bd6-9dc9ef07cdd9', False, 1, 0])
gunicorn-web stdout | 2024-11-08 20:52:28,138 [262] [DEBUG] [auth.decorators] Found valid auth result: (<AuthKind.cookie: 'cookie'>, False, None, [<User: 1>, None, None, None, None, None, None])
gunicorn-web stdout | 2024-11-08 20:52:28,138 [262] [DEBUG] [auth.permissions] Identity loaded: <QuayDeferredPermissionUser id="bbdb7b0f-168a-4b11-9bd6-9dc9ef07cdd9" auth_type="user_uuid" provides=set()>
gunicorn-web stdout | 2024-11-08 20:52:28,138 [262] [DEBUG] [auth.permissions] Deferring permissions for user with uuid: bbdb7b0f-168a-4b11-9bd6-9dc9ef07cdd9
gunicorn-web stdout | 2024-11-08 20:52:28,140 [262] [DEBUG] [auth.permissions] Loading user permissions after deferring for: bbdb7b0f-168a-4b11-9bd6-9dc9ef07cdd9
gunicorn-web stdout | 2024-11-08 20:52:28,140 [262] [DEBUG] [auth.permissions] User permission: _UserTypeNeed(type='user', username='ibazulic', role='admin')
gunicorn-web stdout | 2024-11-08 20:52:28,140 [262] [DEBUG] [auth.permissions] User namespace permission: _NamespaceWideNeed(type='organization', namespace='ibazulic', role='admin')
gunicorn-web stdout | 2024-11-08 20:52:28,140 [262] [DEBUG] [auth.permissions] User namespace repo permission: _NamespaceWideNeed(type='organizationrepo', namespace='ibazulic', role='admin')
gunicorn-web stdout | 2024-11-08 20:52:28,141 [262] [DEBUG] [app] Ending request: urn:request:9d63f6e2-bd2c-48fc-99a8-ce2e7cb08070 (/api/v1/repository) {'endpoint': 'api.repositorylist', 'request_id': 'urn:request:9d63f6e2-bd2c-48fc-99a8-ce2e7cb08070', 'remote_addr': '172.24.0.1', 'http_method': 'POST', 'original_url': 'https://quay.skynet/api/v1/repository', 'path': '/api/v1/repository', 'parameters': {}, 'json_body': {'namespace': 'ibazulic', 'repository': 'asdgasd', 'visibility': 'public', 'description': '', 'repo_kind': 'image'}, 'confsha': '911f9a2f', 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36'}
gunicorn-web stdout | 2024-11-08 20:52:28,141 [262] [DEBUG] [data.database] Disconnecting from database.
gunicorn-web stdout | 2024-11-08 20:52:28,142 [262] [INFO] [gunicorn.access] 172.24.0.1 - - [08/Nov/2024:20:52:28 +0000] "POST /api/v1/repository HTTP/1.0" 403 231 "https://quay.skynet/organization/ibazulic" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
The expectation is that a superuser can create content regardless of the restricted users whitelist.
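To find other occurrences of this pattern in a debug log, the following script (an added example, not part of the original report or of Quay's code) flags `POST /api/v1/repository` requests that returned 403 and records whether the identity had the namespace admin permission logged, as in the log in this report. The function name, the sample lines and the pairing of access lines to requests by worker pid are assumptions of this example.

```python
import ast
import re

# Line layout as in the log above: "gunicorn-web stdout | <date> <time> [pid] [LEVEL] [logger] msg"
PREFIX = re.compile(r"^gunicorn-web stdout \| \S+ \S+ \[(?P<pid>\d+)\] \[\w+\] \[(?P<logger>[\w.]+)\] (?P<msg>.*)$")
END = re.compile(r"^Ending request: \S+ \(\S+\) (?P<meta>\{.*\})$")
NEED = re.compile(r"_NamespaceWideNeed\(type='organization', namespace='([^']+)', role='admin'\)")
ACCESS = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

# Constructed sample (not from a real deployment), trimmed to the fields used below.
SAMPLE = """\
gunicorn-web stdout | 2024-01-01 00:00:00,001 [7] [DEBUG] [app] Starting request: urn:request:example-1 (/api/v1/repository) {'X-Forwarded-For': '192.0.2.1'}
gunicorn-web stdout | 2024-01-01 00:00:00,002 [7] [DEBUG] [auth.permissions] User namespace permission: _NamespaceWideNeed(type='organization', namespace='alice', role='admin')
gunicorn-web stdout | 2024-01-01 00:00:00,003 [7] [DEBUG] [app] Ending request: urn:request:example-1 (/api/v1/repository) {'request_id': 'urn:request:example-1', 'http_method': 'POST', 'path': '/api/v1/repository', 'json_body': {'namespace': 'alice', 'repository': 'demo'}}
gunicorn-web stdout | 2024-01-01 00:00:00,004 [7] [INFO] [gunicorn.access] 192.0.2.1 - - [01/Jan/2024:00:00:00 +0000] "POST /api/v1/repository HTTP/1.0" 403 231 "-" "-"
""".splitlines()

def denied_repo_creates(lines):
    """Return POST /api/v1/repository requests that were answered with 403.

    Heuristic: the access line has no request id, so it is paired with the
    last 'Ending request' logged by the same worker pid.
    """
    admin_ns, pending, findings = {}, {}, []
    for line in lines:
        m = PREFIX.match(line.strip())
        if not m:
            continue
        pid, logger, msg = m["pid"], m["logger"], m["msg"]
        if msg.startswith("Starting request:"):
            admin_ns[pid] = set()  # permissions are logged per request
        elif logger == "auth.permissions" and (n := NEED.search(msg)):
            admin_ns.setdefault(pid, set()).add(n.group(1))
        elif logger == "app" and (e := END.match(msg)):
            try:
                pending[pid] = ast.literal_eval(e["meta"])  # dict is a Python repr
            except (ValueError, SyntaxError):
                pending.pop(pid, None)  # unparsable metadata: skip this request
        elif logger == "gunicorn.access" and (a := ACCESS.search(msg)):
            meta = pending.pop(pid, None)
            if (meta and a["status"] == "403" and a["method"] == "POST"
                    and meta.get("path") == "/api/v1/repository" == a["path"]):
                body = meta.get("json_body") or {}
                ns = body.get("namespace")
                findings.append({"request_id": meta.get("request_id"), "namespace": ns,
                                 "repository": body.get("repository"),
                                 "admin_on_namespace": ns in admin_ns.get(pid, set())})
    return findings
```

A finding with `admin_on_namespace` set to true means the request was denied even though the namespace admin permission had been loaded for that identity, which is the situation this report describes.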