Make API endpoints that change storage superuser-only for now

tw4l · tw4l · commit e4d7aabb51e8 · 2024-09-30T17:49:10.000-04:00
diff --git a/backend/btrixcloud/main.py b/backend/btrixcloud/main.py
@@ -182,7 +182,7 @@ def main() -> None:
 
     crawl_manager = CrawlManager()
 
-    storage_ops = init_storages_api(org_ops, crawl_manager)
+    storage_ops = init_storages_api(org_ops, crawl_manager, current_active_user)
 
     background_job_ops = init_background_jobs_api(
         app,
diff --git a/backend/btrixcloud/storages.py b/backend/btrixcloud/storages.py
@@ -885,7 +885,7 @@ def _parse_json(line) -> dict:
 
 
 # ============================================================================
-def init_storages_api(org_ops, crawl_manager):
+def init_storages_api(org_ops, crawl_manager, user_dep: Callable):
     """API for updating storage for an org"""
 
     storage_ops = StorageOps(org_ops, crawl_manager)
@@ -913,23 +913,37 @@ def get_available_storages(org: Organization = Depends(org_owner_dep)):
         "/custom-storage", tags=["organizations"], response_model=AddedResponseName
     )
     async def add_custom_storage(
-        storage: S3StorageIn, org: Organization = Depends(org_owner_dep)
+        storage: S3StorageIn,
+        org: Organization = Depends(org_owner_dep),
+        user: User = Depends(user_dep),
     ):
+        if not user.is_superuser:
+            raise HTTPException(status_code=403, detail="Not Allowed")
+
         return await storage_ops.add_custom_storage(storage, org)
 
     @router.delete(
         "/custom-storage/{name}", tags=["organizations"], response_model=DeletedResponse
     )
     async def remove_custom_storage(
-        name: str, org: Organization = Depends(org_owner_dep)
+        name: str,
+        org: Organization = Depends(org_owner_dep),
+        user: User = Depends(user_dep),
     ):
+        if not user.is_superuser:
+            raise HTTPException(status_code=403, detail="Not Allowed")
+
         return await storage_ops.remove_custom_storage(name, org)
 
     @router.post("/storage", tags=["organizations"], response_model=UpdatedResponse)
     async def update_storage_ref(
         storage: OrgStorageRef,
         org: Organization = Depends(org_owner_dep),
+        user: User = Depends(user_dep),
     ):
+        if not user.is_superuser:
+            raise HTTPException(status_code=403, detail="Not Allowed")
+
         return await storage_ops.update_storage_ref(storage, org)
 
     @router.post(
@@ -938,7 +952,11 @@ async def update_storage_ref(
     async def update_storage_replica_refs(
         storage: OrgStorageReplicaRefs,
         org: Organization = Depends(org_owner_dep),
+        user: User = Depends(user_dep),
     ):
+        if not user.is_superuser:
+            raise HTTPException(status_code=403, detail="Not Allowed")
+
         return await storage_ops.update_storage_replica_refs(storage, org)
 
     return storage_ops
