Update permissions aren't being enforced in registry server

[tokoko]

Current Behavior

apply_x methods in registry server check permissions on the object that's passed in the request. This is correct for object creation, but overlooks updates. During updates we should be checking permissions on the existing object as well. With current behavior, user is allowed to overwrite objects even when updates aren't allowed.

Possible Solution

Pseudocode for a typical apply method should look something like this:

• Check if the object already exists in the registry
• Assert update permission on the existing object (if it exists)
• Assert create permission on the object contained in the request
• Proceed with apply

[dmartinol]

@tokoko could you explain why the following code is not covering the update use case?

        self.proxied_registry.apply_entity(
            entity=cast(
                Entity,
                assert_permissions(
                    resource=Entity.from_proto(request.entity),
                    actions=CRUD,
                ),
            ),
            project=request.project,
            commit=request.commit,
        )

IIUC, it runs the assert check before trying the apply, so the update should not happen if not authorized.

[tokoko]

The problem isn't the order, it's the fact that assert is happening on a wrong object. Say I have an update permission on objects tagged like {"team": "A"} and I'm applying an update to an entity that already exists and is tagged like {"team": "B"}. The code above checks only the fact that I'm authorized to create entities of team A and overwrites team B's object because existing object is never touched during permission assertion.

There should be two separate asserts, one on the object that's already in the registry and another one on the object that's supplied as part of the request.

[dmartinol]

Please TAL at #4449