Fix #391: let admins show/edit/delete containers they don't own#393
Open
Om-singhaI wants to merge 1 commit into
Open
Fix #391: let admins show/edit/delete containers they don't own#393Om-singhaI wants to merge 1 commit into
Om-singhaI wants to merge 1 commit into
Conversation
…'t own
The container list route already lets an admin see every owner's
containers (resolveUsernameFilter), but the single-container routes
(GET/PUT/DELETE /:id) hard-scoped the lookup with
`username: req.session.user`. An admin opening the edit form for a
container they don't own therefore got a 404 and an empty form.
Add a containerOwnerWhere(session) helper that returns an empty owner
constraint for admins and `{ username }` for everyone else, mirroring
the `user=*` behaviour of the list route, and apply it to the show,
update, and delete routes. Site scoping is unchanged — the existing
node.siteId checks still confine access to the current site — and
non-admins remain restricted to their own containers.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue
Fixes #391 — 404 for non-owned container as Admin. An admin can see other users' containers in the "all containers" list, but selecting Edit on one they don't own renders an empty form; the network tab shows a 404 on
GET /api/v1/sites/:siteId/containers/:id.Root cause
The list route (
GET /containers) already resolves admin access correctly viaresolveUsernameFilter(user=*returns every owner for admins). But the three single-container routes hard-scoped their lookup to the requester:So an admin can list a container they don't own, yet
GET/PUT/DELETE /:idall 404 on it — hence the empty edit form.Change
Add a small
containerOwnerWhere(session)helper that mirrors the list route's ownership logic:{}(no owner constraint){ username: session.user }and apply it to the show, update, and delete routes.
create-a-container/routers/api/v1/containers.js(+16/-3)Preserved behaviour
node.siteIdchecks (and the PUT route's inner join onsiteId) still confine access to the current site, so this does not let an admin reach another site's containers.Testing
This package has no test harness and the app requires Postgres + Proxmox + LDAP to run end to end, so I verified this by inspection and
node --check. The change is a targeted authorization scoping fix. Happy to add tests if you'd like a harness introduced, or to adjust if admins should be limited to a subset of these operations (e.g. view-only vs. full manage).