When a user is both a superuser and a restricted user, LDAP Search prioritizes the restricted-user status over the superuser status and returns Unauthorized when that user tries to create an organization:
..
if features.SUPERUSERS_ORG_CREATION_ONLY and not SuperUserPermission().can():
raise Unauthorized()
user = get_authenticated_user()
org_data = request.get_json()
existing = None
# Super users should be able to create new orgs regardless of user restriction
if user.username not in app.config.get("SUPER_USERS", None):
if features.RESTRICTED_USERS and usermanager.is_restricted_user(user.username):
raise Unauthorized()
...
def is_restricted_user(self, username: str, include_robots: bool = True) -> bool:
    """
    Return whether ``username`` represents a restricted user.

    Args:
        username: The username to check. When ``include_robots`` is true,
            only the part before the first ``+`` is used, so a robot account
            name is reduced to its owning user.
        include_robots: Whether robot account names should be mapped to
            their owner before the lookup.

    Returns:
        ``False`` when the base manager has a restricted-user whitelist
        configured and does not consider the user restricted; otherwise
        ``True`` if either the federated backend or the base manager reports
        the user as restricted.
    """
    owner = username.split("+", 1)[0] if include_robots else username
    base = super()
    # A configured whitelist in the base manager is authoritative for
    # "not restricted": the federated backend is not consulted in that case.
    if base.restricted_whitelist_is_set() and not base.is_restricted_user(owner):
        return False
    # Otherwise either source may mark the user as restricted; the federated
    # backend is asked first and short-circuits the base lookup when it does.
    federated_restricted = self.federated_users.is_restricted_user(owner)
    return federated_restricted or base.is_restricted_user(owner)
def is_restricted_user(self, username: str, include_robots: bool = True) -> bool:
    """
    Return whether ``username`` represents a restricted user.

    ``self._restricted_users_array``, when populated, holds the UTF-8,
    comma-separated names of users that are *not* restricted (a whitelist);
    any user absent from it is restricted. When the array is not set,
    every user is treated as restricted.

    Args:
        username: The username to check. When ``include_robots`` is true,
            only the part before the first ``+`` is used, so a robot account
            name is reduced to its owning user.
        include_robots: Whether robot account names should be mapped to
            their owner before the lookup.
    """
    if include_robots:
        username, _, _ = username.partition("+")
    whitelist = self._restricted_users_array
    if not whitelist:
        # Nothing configured: everyone is restricted.
        return True
    # NOTE(review): entries are matched exactly — surrounding whitespace in
    # the configured list is not stripped, so "alice, bob" would not match "bob".
    allowed = whitelist.value.decode("utf8").split(",")
    return username not in allowed
https://github.com/quay/quay/blob/dc8ad71acdef45e28fe8c6186d1892b91c839f64/util/config/superusermanager.py#L83-L91
Credit goes to rhn-support-ibazulic for the code analysis. It would be great if this could be changed so that superuser status is prioritized over restricted-user status.
Dan Shoemaker