From 158e017be489eea5402ef258ea260183067bf1ca Mon Sep 17 00:00:00 2001
From: Michael Johnson
Date: Wed, 23 Mar 2022 20:52:35 +0000
Subject: [PATCH] Fix set-quotas for non-project scoped tokens

Previously, if set-quotas was called with a non-project scoped token and the all-projects flag was not set, the quotas would be updated but the result returned would always be the default quota values. This patch changes the API to require the all-projects flag when set-quota is called and the token is not project scoped.

Closes-Bug: #1966128
Change-Id: I55ca76ef7c2cbeb5fdae1aed1dcbe58b7acddc34
---
 designate/api/v2/controllers/quotas.py | 10 ++++++++++
 ...ith-non-project-scoped-tokens-ffe3082db3dbb55b.yaml | 6 ++++++
 2 files changed, 16 insertions(+)
 create mode 100644 releasenotes/notes/Require-all-projects-for-set-quotas-with-non-project-scoped-tokens-ffe3082db3dbb55b.yaml
diff --git a/designate/api/v2/controllers/quotas.py b/designate/api/v2/controllers/quotas.py
index 7d0a74deb..9fbc6d3ad 100644
--- a/designate/api/v2/controllers/quotas.py
+++ b/designate/api/v2/controllers/quotas.py
@@ -19,6 +19,7 @@ import pecan
 from designate.api.v2.controllers import rest
 from designate.common import keystone
+from designate import exceptions
 from designate.objects.adapters import DesignateAdapter
 from designate.objects import QuotaList
@@ -63,6 +64,15 @@ class QuotasController(rest.RestController):
 quotas = DesignateAdapter.parse('API_v2', body, QuotaList())
+ # The get_quotas lookup will always return the default quotas
+ # if the context does not have a project_id (system scoped token) and
+ # the all_tenants boolean is false. Let's require all_tenants for
+ # contexts with no project ID.
+ if context.project_id is None and not context.all_tenants:
+ raise exceptions.MissingProjectID(
+ "The all-projects flag must be used when using non-project "
+ "scoped tokens.")
+
 for quota in quotas:
 self.central_api.set_quota(context, tenant_id, quota.resource,
 quota.hard_limit)
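Review bot: The new guard in the second hunk of quotas.py (`if context.project_id is None and not context.all_tenants:`) ships without a test. The diffstat lists only quotas.py and the release note, so nothing pins that a request with a non-project scoped token and no all-projects flag is refused before the `set_quota` loop writes anything. An API test should assert that such a request raises `exceptions.MissingProjectID` and that `central_api.set_quota` is never called. The guard only checks that the flag is present; whether the caller is allowed to use all_tenants is presumably decided by policy in the central service, which this hunk does not show, so once confirmed a comment such as `# Presence check only; all_tenants authorization is enforced by policy downstream.` would help. The enclosing method starts before the hunk and continues after it.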
diff --git a/releasenotes/notes/Require-all-projects-for-set-quotas-with-non-project-scoped-tokens-ffe3082db3dbb55b.yaml b/releasenotes/notes/Require-all-projects-for-set-quotas-with-non-project-scoped-tokens-ffe3082db3dbb55b.yaml
new file mode 100644
index 000000000..eaf17979c
--- /dev/null
+++ b/releasenotes/notes/Require-all-projects-for-set-quotas-with-non-project-scoped-tokens-ffe3082db3dbb55b.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Fixed an issue where set-quotas will always return the default quotas if
+ it was called with a non-project scoped token and the all-projects flag
+ was not set.