◐ Shell
clean mode source ↗

Update permissions aren't being enforced in registry server

tokoko

Current Behavior

apply_x methods in registry server check permissions on the object that's passed in the request. This is correct for object creation, but overlooks updates. During updates we should be checking permissions on the existing object as well. With current behavior, user is allowed to overwrite objects even when updates aren't allowed.

Possible Solution

Pseudocode for a typical apply method should look something like this:

  • Check if the object already exists in the registry
  • Assert update permission on the existing object (if it exists)
  • Assert create permission on the object contained in the request
  • Proceed with apply