- Bug
- Resolution: Done
- Blocker: None
- quay-v3.16.0
Description:
This issue was found in Quay 3.16.0. When FEATURE_SUPERUSERS_FULL_ACCESS is set to false, a regular superuser can still create, update and delete the quota of a normal user's organization, but cannot view it. The expected behavior is that a regular superuser has no permission on a normal user's quota resources at all when the cross-namespace permission is not granted. Please review this issue.
Quay 3.16.0:
When FEATURE_SUPERUSERS_FULL_ACCESS = FALSE, the current behavior is that a regular superuser can't view the quota, but can create, update and delete the quota for a normal user's organization.
```bash
# ❌ CANNOT view current quota
curl -X GET https://quay.example.com/api/v1/organization/tom001org/quota \
  -H "Authorization: Bearer $SUPERUSER_TOKEN"
# Returns: 403 Forbidden

# ✅ CAN create a quota blindly
curl -X POST https://quay.example.com/api/v1/organization/tom001org/quota \
  -H "Authorization: Bearer $SUPERUSER_TOKEN" \
  -d '{"limit_bytes": 1073741824}'
# Returns: 201 Created

# ✅ CAN modify quota without seeing current value
curl -X PUT https://quay.example.com/api/v1/organization/tom001org/quota/123 \
  -H "Authorization: Bearer $SUPERUSER_TOKEN" \
  -d '{"limit_bytes": 5368709120}'
# Returns: 200 OK

# ✅ CAN delete quota without seeing what it was
curl -X DELETE https://quay.example.com/api/v1/organization/tom001org/quota/123 \
  -H "Authorization: Bearer $SUPERUSER_TOKEN"
# Returns: 204 No Content
```
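As an added illustration (not Quay's own code), the following models the authorization rule the report expects for every quota method and audits a set of observed status codes against it, so an operator can confirm whether read and write decisions agree on their own instance. The Caller class, the helper names and the response map mirroring the report's results are constructed for this example.

```python
"""Consistency audit for Quay organization-quota permissions (constructed example)."""
from dataclasses import dataclass

QUOTA_METHODS = ("GET", "POST", "PUT", "DELETE")


@dataclass(frozen=True)
class Caller:
    username: str
    is_superuser: bool
    org_admin_of: frozenset  # organizations where the caller holds admin rights


def expected_allowed(caller, org, feature_superusers_full_access):
    """Expected decision for any quota method on `org`: an org admin is allowed,
    a superuser only when FEATURE_SUPERUSERS_FULL_ACCESS grants cross-namespace
    access, everyone else is denied. The same rule applies to read and write."""
    if org in caller.org_admin_of:
        return True
    return caller.is_superuser and feature_superusers_full_access


def audit_quota_permissions(observed, caller, org, feature_superusers_full_access):
    """observed maps HTTP method -> status code seen for the quota endpoint.
    Returns a list of (method, status, problem) where the observed decision
    disagrees with the expected one; an empty list means the API is consistent."""
    allowed = expected_allowed(caller, org, feature_superusers_full_access)
    findings = []
    for method in QUOTA_METHODS:
        status = observed.get(method)
        if status is None:
            findings.append((method, None, "not probed"))
            continue
        got_access = status < 400
        if got_access and not allowed:
            findings.append((method, status, "permitted but should be denied"))
        elif not got_access and allowed:
            findings.append((method, status, "denied but should be permitted"))
    return findings


# Constructed responses reproducing the report: superuser, full access disabled.
OBSERVED_3_16_0 = {"GET": 403, "POST": 201, "PUT": 200, "DELETE": 204}
SUPERUSER = Caller("admin", is_superuser=True, org_admin_of=frozenset())

if __name__ == "__main__":
    for finding in audit_quota_permissions(OBSERVED_3_16_0, SUPERUSER, "tom001org", False):
        print(finding)
```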