From eaa477387ec6497a910f00e373b06316c6d98cd9 Mon Sep 17 00:00:00 2001
From: Joongi Kim
Date: Wed, 15 Jan 2025 20:08:16 +0900
Subject: [PATCH] fix: (Super)admins should be able to get-id and delete other users' vfolders
---
 src/ai/backend/manager/api/vfolder.py | 3 +++
 src/ai/backend/manager/models/vfolder.py | 4 +---
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/ai/backend/manager/api/vfolder.py b/src/ai/backend/manager/api/vfolder.py
index 21522d07b1..a225511c54 100644
--- a/src/ai/backend/manager/api/vfolder.py
+++ b/src/ai/backend/manager/api/vfolder.py
@@ -2291,6 +2291,7 @@ async def delete_by_id(request: web.Request, params: DeleteRequestModel) -> web.
 request,
 VFolderPermissionSetAlias.READABLE,
 folder_id,
+ allow_privileged_access=True,
 )
 assert len(rows) == 1
 row = rows[0]
@@ -2326,6 +2327,7 @@ async def delete_by_name(request: web.Request) -> web.Response:
 request,
 VFolderPermissionSetAlias.READABLE,
 folder_name,
+ allow_privileged_access=True,
 )
 if len(rows) > 1:
 raise TooManyVFoldersFound(
@@ -2372,6 +2374,7 @@ async def get_vfolder_id(request: web.Request, params: IDRequestModel) -> Compac
 request,
 VFolderPermissionSetAlias.READABLE,
 folder_name,
+ allow_privileged_access=True,
 )
 if len(rows) > 1:
 raise TooManyVFoldersFound(
diff --git a/src/ai/backend/manager/models/vfolder.py b/src/ai/backend/manager/models/vfolder.py
index 43ab4a34be..1a70cc0402 100644
--- a/src/ai/backend/manager/models/vfolder.py
+++ b/src/ai/backend/manager/models/vfolder.py
@@ -616,9 +616,7 @@ async def _append_entries(_query, _is_owner=True):
 query = query.where(
 vfolders.c.status.not_in(vfolder_status_map[VFolderStatusSet.INACCESSIBLE])
 )
- if not allow_privileged_access or (
- user_role != UserRole.ADMIN and user_role != UserRole.SUPERADMIN
- ):
+ if not allow_privileged_access or user_role not in (UserRole.ADMIN, UserRole.SUPERADMIN):
 query = query.where(vfolders.c.user == user_uuid)
 await _append_entries(query)
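Review bot: The `assert len(rows) == 1` that follows the now-privileged lookup in delete_by_id is the only cardinality guard visible before the delete, and assert statements are removed when Python runs with `-O`, so an empty result would surface as an IndexError on `rows[0]` rather than as an API error. Because this path now lets an admin act on another user's folder, an explicit `if len(rows) != 1:` that raises the API's own error is the safer form. The lookup also still requests `VFolderPermissionSetAlias.READABLE` for a destructive operation; a one-line comment saying why read permission is sufficient to delete would help the next reader. delete_by_id starts and ends outside the hunk, so further checks may exist there.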
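Review bot: Name-based resolution in delete_by_name becomes ambiguous for admins once the owner filter is skipped, as the models hunk shows it is for privileged roles. Folder names are presumably unique per owner rather than globally, so `len(rows) > 1` can now raise `TooManyVFoldersFound` for an admin's own folder whenever another user has one with the same name, and a name that matches exactly one other user's folder is deleted without the caller ever naming the owner. The same applies to get_vfolder_id in the next hunk. Consider preferring the caller's own folder when several rows match, or keeping cross-user deletion on delete_by_id only, and logging both the acting admin and the folder owner. A comment above the call would also help: `# allow_privileged_access: admins resolve by name across owners; the match may be another user's folder`.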
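Review bot: `UserRole.ADMIN` and `UserRole.SUPERADMIN` are treated identically here: with `allow_privileged_access` set, both skip the `vfolders.c.user == user_uuid` filter, and no domain restriction for ADMIN is visible in the hunk. Now that the delete and get-id handlers pass `allow_privileged_access=True`, it is worth confirming that a domain admin is still limited to folders in their own domain by a condition outside this hunk, and adding one here if not. The rewritten condition is equivalent to the old one, so this is a request for a check and a comment such as `# privileged roles skip the owner filter; ADMIN must still be scoped to its own domain`. The enclosing function starts and ends outside the hunk.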