- Bug
- Resolution: Done
- Blocker
- None
- quay-v3.16.0
- False
- False
Description:
This issue was found in Quay 3.16.0. When the Quay config "FEATURE_SUPERUSERS_FULL_ACCESS" is set to false, both the regular super user and the global readonly super user can't access the team permissions of normal users' organization. In this condition, the regular super user should not be able to access the team permissions of normal users' organization, which is correct, but the global readonly super user should be able to access the team permissions of normal users' organization. Please review this issue.
Quay Config.yaml:
    FEATURE_SUPERUSERS_FULL_ACCESS: false
    SUPER_USERS:
      - quay
      - admin
    GLOBAL_READONLY_SUPER_USERS:
      - superglobalro
Quay: 3.16.0
The Quay global readonly super user can't access the team permissions of the organization for normal user "tom001", which is not correct:
    curl --location 'http://localhost:8080/api/v1/organization/tom001org1/team/tom001team1/permissions' \
      --header 'Authorization: Bearer ******' | jq
    {
      "detail": "Unauthorized",
      "error_message": "Unauthorized",
      "error_type": "insufficient_scope",
      "title": "insufficient_scope",
      "type": "http://localhost/api/v1/error/insufficient_scope",
      "status": 403
    }
The Quay regular super user can't access the team permissions of the organization for normal user "tom001", which is correct:
    curl --location 'http://localhost:8080/api/v1/organization/tom001org1/team/tom001team1/permissions' \
      --header 'Authorization: Bearer ******' | jq
    {
      "detail": "Unauthorized",
      "error_message": "Unauthorized",
      "error_type": "insufficient_scope",
      "title": "insufficient_scope",
      "type": "http://localhost/api/v1/error/insufficient_scope",
      "status": 403
    }
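
The expected behaviour described in this report can be written as an access matrix and compared with the responses above. This is an added example, not part of the original report and not Quay's code; the function names, the 200 success status, the behaviour with the flag set to true, and the choice of "admin" as the regular super user behind the redacted token are assumptions.

```python
# Added example, not Quay's code: the access this report expects for a GET on
# /api/v1/organization/<org>/team/<team>/permissions in another user's org.

REPORT_CONFIG = {  # values copied from the report's config.yaml
    "FEATURE_SUPERUSERS_FULL_ACCESS": False,
    "SUPER_USERS": ["quay", "admin"],
    "GLOBAL_READONLY_SUPER_USERS": ["superglobalro"],
}


def expected_status(user, config):
    """Status the report expects when `user` is not a member of the organization."""
    if user in config.get("GLOBAL_READONLY_SUPER_USERS", []):
        # Report: the global readonly super user should be able to read this.
        return 200  # assumption: success is reported as HTTP 200
    if user in config.get("SUPER_USERS", []):
        # Report: denied while the flag is false.
        # Assumption: allowed once FEATURE_SUPERUSERS_FULL_ACCESS is true.
        return 200 if config.get("FEATURE_SUPERUSERS_FULL_ACCESS") else 403
    return 403  # ordinary user outside the organization


def find_mismatches(observed, config):
    """Return (user, expected, observed) for every response that breaks the matrix."""
    mismatches = []
    for user, status in sorted(observed.items()):
        want = expected_status(user, config)
        if status != want:
            mismatches.append((user, want, status))
    return mismatches


# Constructed from the two responses quoted in the report (both "status": 403).
# Assumption: the regular super user token belonged to "admin"; the report
# redacts both bearer tokens.
OBSERVED_3_16_0 = {"superglobalro": 403, "admin": 403}

if __name__ == "__main__":
    for user, want, got in find_mismatches(OBSERVED_3_16_0, REPORT_CONFIG):
        print(f"{user}: expected {want}, got {got}")
```

Feeding the status codes from a fixed build into `find_mismatches` should return an empty list for this configuration.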