mirror of
https://github.com/quay/quay.git
synced 2026-01-27 18:42:52 +03:00
When FEATURE_SUPERUSERS_FULL_ACCESS=false, regular superusers could create/update/delete quotas for other users' organizations (returning 201/200), but couldn't view them (returning 403). This was a security bug - both read and write operations should require FULL_ACCESS permission to access other organizations' quotas.

Root cause: Organization quota write endpoints used SuperUserPermission().can() instead of allow_if_superuser_with_full_access(), allowing any superuser to modify other orgs' quotas regardless of the FULL_ACCESS setting.

Changes:
- endpoints/api/namespacequota.py: Replace SuperUserPermission().can() with allow_if_superuser_with_full_access() in all quota write operations:
  * OrganizationQuotaList.post() - create quota
  * OrganizationQuota.put() - update quota
  * OrganizationQuota.delete() - delete quota
  * OrganizationQuotaLimitList.post() - create quota limit
  * OrganizationQuotaLimit.put() - update quota limit
  * OrganizationQuotaLimit.delete() - delete quota limit
- endpoints/api/test/test_superuser_full_access.py: Add comprehensive tests for quota operations with and without FULL_ACCESS enabled (6 new tests)

Note: Superuser panel endpoints (/v1/superuser/users/<namespace>/quota) were intentionally NOT changed - these are admin panel functions that should work with basic superuser permission, consistent with other panel operations.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude <noreply@anthropic.com>
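The read/write gate mismatch described in the commit, modelled as an added example that is not part of the commit or of Quay's code base. The two gate functions carry the names used in the commit but are simplified stand-ins written here; `Config`, `User`, `Forbidden`, the `_gate` helper, `parity_violations`, and the sample users and organizations are all constructed for this example. The check it demonstrates is the one a reviewer would want: enumerate callers, target organizations and both settings of the feature flag, and report any case where a caller can modify a quota it is not allowed to view.

```python
from dataclasses import dataclass
from itertools import product


@dataclass
class Config:
    # Named after the Quay feature flag in the commit; off by default here.
    FEATURE_SUPERUSERS_FULL_ACCESS: bool = False


@dataclass
class User:
    # Constructed principal model: a superuser bit plus the orgs this user administers.
    name: str
    is_superuser: bool = False
    admin_of: frozenset = frozenset()


class Forbidden(Exception):
    """Raised by an endpoint that would answer 403."""


def superuser_permission_can(user, config):
    """Simplified stand-in for SuperUserPermission().can(): true for any
    superuser, regardless of the feature flag."""
    return user.is_superuser


def allow_if_superuser_with_full_access(user, config):
    """Simplified stand-in for allow_if_superuser_with_full_access(): a
    superuser only qualifies when FEATURE_SUPERUSERS_FULL_ACCESS is on."""
    return user.is_superuser and config.FEATURE_SUPERUSERS_FULL_ACCESS


def _gate(user, org, config, superuser_check):
    # An org admin may always act on its own org; otherwise the superuser gate decides.
    if org in user.admin_of or superuser_check(user, config):
        return 200
    raise Forbidden()


# Read path (unchanged by the commit): full-access gate.
def quota_get(user, org, config):
    return _gate(user, org, config, allow_if_superuser_with_full_access)


# Write path before the fix: basic superuser gate.
def quota_put_before(user, org, config):
    return _gate(user, org, config, superuser_permission_can)


# Write path after the fix: the same gate the read path uses.
def quota_put_after(user, org, config):
    return _gate(user, org, config, allow_if_superuser_with_full_access)


def status(endpoint, user, org, config):
    """HTTP-style status an endpoint would return for this caller."""
    try:
        return endpoint(user, org, config)
    except Forbidden:
        return 403


def parity_violations(write_endpoint, users, orgs):
    """Return (user, org, flag) triples where the caller can modify an org's
    quota but is refused when reading it. A consistent policy yields []."""
    out = []
    for user, org, flag in product(users, orgs, (False, True)):
        cfg = Config(FEATURE_SUPERUSERS_FULL_ACCESS=flag)
        can_write = status(write_endpoint, user, org, cfg) == 200
        can_read = status(quota_get, user, org, cfg) == 200
        if can_write and not can_read:
            out.append((user.name, org, flag))
    return out


# Constructed sample data, not taken from any real deployment.
USERS = [
    User("alice", admin_of=frozenset({"acme"})),  # admin of one org only
    User("root", is_superuser=True),               # superuser, admin of nothing
    User("bob"),                                   # ordinary user
]
ORGS = ["acme", "globex"]

if __name__ == "__main__":
    print("before fix:", parity_violations(quota_put_before, USERS, ORGS))
    print("after fix: ", parity_violations(quota_put_after, USERS, ORGS))
```

With the flag off, the "before" write path reports the superuser as able to write both organizations' quotas while `quota_get` refuses it; the "after" path reports no violations, and the org admin and ordinary user behave identically under both. The same parity loop generalises to any pair of read and write endpoints that should share a gate.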