mirror of
https://github.com/quay/quay.git
synced 2026-01-26 06:21:37 +03:00
fbfd20b2bc
* fix: allow global readonly superusers to access all organization data without FULL_ACCESS (PROJQUAY-9798) This is a comprehensive fix for multiple endpoints where global readonly superusers were incorrectly blocked from accessing organization data when FEATURE_SUPERUSERS_FULL_ACCESS was set to false. Fixed endpoints in endpoints/api/logs.py: - OrgLogs.get() - Organization audit logs - OrgAggregateLogs.get() - Aggregated organization logs - ExportOrgLogs.post() - Export organization logs Fixed endpoints in endpoints/api/team.py: - TeamMemberList.get() - Team member list - TeamPermissions.get() - Team repository permissions Fixed endpoints in endpoints/api/organization.py: - OrganizationMemberList.get() - Organization member list - OrganizationMember.get() - Individual member details - OrganizationApplications.get() - OAuth application list - OrganizationApplication.get() - Individual application details Fixed endpoints in endpoints/api/prototype.py: - PermissionPrototypeList.get() - Default permission prototypes All endpoints now use consistent permission logic: permission.can() OR allow_if_global_readonly_superuser() OR allow_if_superuser_with_full_access() Added comprehensive tests verifying: 1. Global readonly superusers CAN access all data for auditing, regardless of FEATURE_SUPERUSERS_FULL_ACCESS setting 2. Regular superusers are still blocked when FEATURE_SUPERUSERS_FULL_ACCESS is false (correct behavior) * fix(test): ensure owners team exists for testorglogs org in test setup Addresses review feedback from PR #4549 comment #2539202868. The test was attempting to access the 'owners' team in 'testorglogs' org, but the fixture only created the organization without creating any teams. This could cause the test to receive a 404 (team not found) instead of 403 (permission denied), making it pass for the wrong reason. Also simplified the test logic to only expect 403 since the team now exists in the fixtures, ensuring the test validates permission blocking rather than missing resources.