mirror of
https://github.com/quay/quay.git
synced 2026-01-26 06:21:37 +03:00
fix: allow global readonly superusers to access quota limit endpoints (PROJQUAY-9804)

This fixes an issue where global readonly superusers were blocked from accessing organization quota limit endpoints when FEATURE_SUPERUSERS_FULL_ACCESS was set to false.

Fixed endpoints in endpoints/api/namespacequota.py:
- OrganizationQuotaLimitList.get() - List quota limits
- OrganizationQuotaLimit.get() - Get individual quota limit

Both endpoints now use the consistent permission pattern:
permission.can() OR allow_if_global_readonly_superuser() OR allow_if_superuser_with_full_access()

Added comprehensive tests in test_global_readonly_superuser.py:
- test_global_readonly_superuser_can_access_quota_limit_list
- test_global_readonly_superuser_can_access_individual_quota_limit
- test_regular_superuser_cannot_access_quota_limits_without_full_access

Test implementation uses autouse fixture to ensure FEATURE_SUPERUSERS_FULL_ACCESS is disabled for all tests in the class, following the pattern from TestOrganizationLogsAccessWithoutFullAccess.

Tests verify:
1. Global readonly superusers CAN access quota limits for auditing, regardless of FEATURE_SUPERUSERS_FULL_ACCESS setting
2. Regular superusers are still blocked when FEATURE_SUPERUSERS_FULL_ACCESS is false (correct security behavior)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Dave O'Connor <doconnor@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>