fix: apply admin layer to admin routes only

gateway/src/api/latest.rs

@@ -765,17 +765,23 @@ impl ApiBuilder {
     }
 
     pub fn with_default_routes(mut self) -> Self {
+        let admin_routes = Router::new()
+            .route("/projects", get(get_projects))
+            .route("/revive", post(revive_projects))
+            .route("/destroy", post(destroy_projects))
+            .route("/stats/load", get(get_load_admin).delete(delete_load_admin))
+            // TODO: The `/swagger-ui` responds with a 303 See Other response which is followed in
+            // browsers but leads to 404 Not Found. This must be investigated.
+            .merge(SwaggerUi::new("/swagger-ui").url("/api-docs/openapi.json", ApiDoc::openapi()))
+            .layer(ScopedLayer::new(vec![Scope::Admin]));
+
         self.router = self
             .router
             .route("/", get(get_status))
             .route(
                 "/projects",
                 get(get_projects_list.layer(ScopedLayer::new(vec![Scope::Project]))),
             )
-            // .route(
-            //     "/projects/:state",
-            //     get(get_projects_list_with_filter.layer(ScopedLayer::new(vec![Scope::Project]))),
-            // )
             .route(
                 "/projects/:project_name",
                 get(get_project.layer(ScopedLayer::new(vec![Scope::Project])))
@@ -784,31 +790,8 @@ impl ApiBuilder {
             )
             .route("/projects/:project_name/*any", any(route_project))
             .route("/stats/load", post(post_load).delete(delete_load))
-            .route(
-                "/admin/projects",
-                get(get_projects.layer(ScopedLayer::new(vec![Scope::Admin]))),
-            )
-            .route(
-                "/admin/revive",
-                post(revive_projects.layer(ScopedLayer::new(vec![Scope::Admin]))),
-            )
-            .route(
-                "/admin/destroy",
-                post(destroy_projects.layer(ScopedLayer::new(vec![Scope::Admin]))),
-            )
-            .route(
-                "/admin/stats/load",
-                get(get_load_admin)
-                    .delete(delete_load_admin)
-                    .layer(ScopedLayer::new(vec![Scope::Admin])),
-            )
-            // TODO: The `/admin/swagger-ui` responds with a 303 See Other response which is followed in
-            // browsers but leads to 404 Not Found. This must be investigated.
-            .merge(
-                SwaggerUi::new("/admin/swagger-ui")
-                    .url("/admin/api-docs/openapi.json", ApiDoc::openapi()),
-            )
-            .layer(ScopedLayer::new(vec![Scope::Admin]));
+            .nest("/admin", admin_routes);
+
         self
     }
 
@@ -991,6 +974,38 @@ pub mod tests {
             .await
             .unwrap();
 
+        let get_load = || {
+            Request::builder()
+                .method("GET")
+                .uri("/admin/stats/load")
+                .body(Body::empty())
+                .unwrap()
+        };
+
+        // Non-admin user cannot access admin routes
+        router
+            .call(get_load().with_header(&authorization))
+            .map_ok(|resp| {
+                assert_eq!(resp.status(), StatusCode::FORBIDDEN);
+            })
+            .await
+            .unwrap();
+
+        // Create new admin user
+        let admin_neo_key = world.create_user("admin-neo");
+        world.set_super_user("admin-neo");
+
+        let authorization = Authorization::bearer(&admin_neo_key).unwrap();
+
+        // Admin user can access admin routes
+        router
+            .call(get_load().with_header(&authorization))
+            .map_ok(|resp| {
+                assert_eq!(resp.status(), StatusCode::OK);
+            })
+            .await
+            .unwrap();
+
         // TODO: setting the user to admin here doesn't update the cached token, so the
         // commands will still fail. We need to add functionality for this or modify the test.
         // world.set_super_user("trinity");