Closed krancour closed 2 years ago
I have just tested that by revoking my PROJECT_CREATOR role and using -c flag while updating a project which doesn't exist. It showed me unauthorized error. From what I understood, the Create method of the projectService which we are calling from the Update method is managing the checking of create permission.
From what I understood, the Create method of the projectService which we are calling from the Update method is managing the checking of create permission.
Ah. You are correct.
I was too hasty here and failed to notice that the call was to another function in the service layer and not a call directly down into the storage layer.
Sorry for the confusion. Closing this.
And obviously we should be.
This is a follow-up to #1958
As it stands now, it's possible to create a project without having proper permission to do so. You just update a project that doesn't exist.
cc @AnuragThePathak