brigadecore / brigade

Event-driven scripting for Kubernetes
https://brigade.sh/
Apache License 2.0

bug: if -c flag is set on `brig project update`, we're not checking for create permission #1959

Closed krancour closed 2 years ago

krancour commented 2 years ago

And obviously we should be.

This is a follow-up to #1958

As it stands now, it's possible to create a project without having proper permission to do so. You just update a project that doesn't exist.

cc @AnuragThePathak

AnuragThePathak commented 2 years ago

I have just tested that by revoking my PROJECT_CREATOR role and using the -c flag while updating a project which doesn't exist. It showed me an unauthorized error. From what I understood, the Create method of the projectService which we are calling from the Update method is managing the checking of create permission.

krancour commented 2 years ago

> From what I understood, the Create method of the projectService which we are calling from the Update method is managing the checking of create permission.

Ah. You are correct.

I was too hasty here and failed to notice that the call was to another function in the service layer and not a call directly down into the storage layer.

Sorry for the confusion. Closing this.
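As an added illustration of the point settled in this thread (example code, not Brigade's own): an Update with a create flag that delegates to the service-layer Create inherits its permission check, whereas a call straight into the storage layer would not. Type, role and method names are assumptions made for the example.

```go
package main

import "errors"

// Constructed example, not Brigade's own code: a minimal service layer in which
// the create-on-update path is routed through the authorized Create method.
var (
	ErrUnauthorized = errors.New("unauthorized")
	ErrNotFound     = errors.New("project not found")
)

const RoleProjectCreator = "PROJECT_CREATOR"

type Principal struct{ Roles map[string]bool }

type Project struct{ ID, Description string }

// store is the storage layer; it performs no authorization of its own.
type store struct{ projects map[string]Project }

func (s *store) Get(id string) (Project, bool) { p, ok := s.projects[id]; return p, ok }
func (s *store) Put(p Project)                 { s.projects[p.ID] = p }

type projectService struct{ store *store }

// Create is the one place that enforces the PROJECT_CREATOR role.
func (svc *projectService) Create(who Principal, p Project) error {
	if !who.Roles[RoleProjectCreator] {
		return ErrUnauthorized
	}
	svc.store.Put(p)
	return nil
}

// Update with create=true delegates to the service-layer Create, so the role
// check still applies. Calling svc.store.Put directly here instead would let
// any updater create projects, which is the bypass this issue was about.
func (svc *projectService) Update(who Principal, p Project, create bool) error {
	if _, exists := svc.store.Get(p.ID); !exists {
		if !create {
			return ErrNotFound
		}
		return svc.Create(who, p)
	}
	svc.store.Put(p) // update-permission checks for existing projects omitted
	return nil
}
```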