From ef18dd4eb9d4c16a893951619e1dfb793655657e Mon Sep 17 00:00:00 2001
From: zhangl
Date: Tue, 28 Mar 2023 10:57:39 -0400
Subject: [PATCH] Issue 3727 - Bug: non-admin user is able to delete a manifest

Signed-off-by: zhangl
---
 core/base/apiServer.go | 8 +++++---
 swagger.json | 1 -
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/core/base/apiServer.go b/core/base/apiServer.go
index 975f79e..2cacd0e 100644
--- a/core/base/apiServer.go
+++ b/core/base/apiServer.go
@@ -767,11 +767,13 @@ func handleObjectRequest(orgID string, objectType string, objectID string, write
 		if trace.IsLogging(logger.DEBUG) {
 			trace.Debug("In handleObjects. Delete %s %s\n", objectType, objectID)
 		}
+		// authObjectAdmin will return as authAdmin in canUserAccessObject because they have same level of read access
+		// side-effect: all auth code (except authSyncAdmin) will need to be checked against security.CanUserCreateObject() function
 		if _, code, _ := canUserAccessObject(request, orgID, objectType, objectID, false); code == security.AuthFailed {
 			writer.WriteHeader(http.StatusForbidden)
 			writer.Write(unauthorizedBytes)
 			return
-		} else if (code == security.AuthUser || code == security.AuthNodeUser) && common.Configuration.NodeType == common.CSS {
+		} else if common.Configuration.NodeType == common.CSS && code != security.AuthSyncAdmin {
 			// Retrieve metadata, check object type and destination types againest acls
 			if metaData, err := GetObject(orgID, objectType, objectID); err != nil {
 				communications.SendErrorResponse(writer, err, "", 0)
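Review bot: The new `else if` widens the per-object ACL re-check from AuthUser/AuthNodeUser to every auth level except AuthSyncAdmin — including AuthAdmin and AuthService — yet the added comment names `security.CanUserCreateObject()` as the gate for a DELETE, and that call sits past the end of the hunk, so it cannot be seen here whether org admins and services still reach the delete or are now rejected along with the object-admin this fixes. If only the sync admin is meant to bypass the check, state that directly and justify using create permission as the proxy for delete, e.g. `// canUserAccessObject reports authObjectAdmin as authAdmin (same read level), so every identity except authSyncAdmin must still pass the per-object ACL check below before the delete proceeds.` Because the issue being closed is an authorization bypass, a regression test in which an object admin for a different object type issues DELETE and expects 403 would keep this gate from silently widening again. handleObjectRequest begins and ends outside the hunk, so the rest of the delete path, including what happens when GetObject returns no error, is not visible here.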
@@ -3870,9 +3872,9 @@ func handleACLUpdate(request *http.Request, aclType string, orgID string, parts
 }
 
 func canUserAccessObject(request *http.Request, orgID, objectType, objectID string, checkLastDestinationPolicyServices bool) (bool, int, string) {
-	accessToALlObject, code, userID := security.CanUserAccessAllObjects(request, orgID, objectType)
+	accessToAllObject, code, userID := security.CanUserAccessAllObjects(request, orgID, objectType)
 	if code != security.AuthService || common.Configuration.NodeType == common.CSS || objectID == "" {
-		return accessToALlObject, code, userID
+		return accessToAllObject, code, userID
 	}
 
 	if trace.IsLogging(logger.DEBUG) {
diff --git a/swagger.json b/swagger.json
index 9b84bc2..94fca3d 100644
--- a/swagger.json
+++ b/swagger.json
@@ -2919,7 +2919,6 @@
         },
         "value": {
           "description": "Value is the value of the property",
-          "type": "object",
           "x-go-name": "Value"
         }
       },