Remove not necessary check on ownership in dataset deletion endpoint

jreynard-code · jreynard-code · commit 4d9206130076 · 2024-11-19T21:41:52.000+01:00
diff --git a/dataset/src/main/kotlin/com/cosmotech/dataset/service/DatasetServiceImpl.kt b/dataset/src/main/kotlin/com/cosmotech/dataset/service/DatasetServiceImpl.kt
@@ -560,14 +560,6 @@ class DatasetServiceImpl(
   override fun deleteDataset(organizationId: String, datasetId: String) {
     val dataset = getVerifiedDataset(organizationId, datasetId, PERMISSION_DELETE)
 
-    val isPlatformAdmin =
-        getCurrentAuthenticatedRoles(csmPlatformProperties).contains(ROLE_PLATFORM_ADMIN)
-    if (dataset.ownerId != getCurrentAuthenticatedUserName(csmPlatformProperties) &&
-        !isPlatformAdmin) {
-      // TODO Only the owner or an admin should be able to perform this operation
-      throw CsmAccessForbiddenException("You are not allowed to delete this Resource")
-    }
-
     csmJedisPool.resource.use { jedis ->
       if (jedis.exists(dataset.twingraphId!!)) {
         jedis.del(dataset.twingraphId!!)
diff --git a/dataset/src/test/kotlin/com/cosmotech/dataset/service/DatasetServiceImplTests.kt b/dataset/src/test/kotlin/com/cosmotech/dataset/service/DatasetServiceImplTests.kt
@@ -5,7 +5,6 @@ package com.cosmotech.dataset.service
 import com.cosmotech.api.config.CsmPlatformProperties
 import com.cosmotech.api.events.CsmEventPublisher
 import com.cosmotech.api.events.TwingraphImportJobInfoRequest
-import com.cosmotech.api.exceptions.CsmAccessForbiddenException
 import com.cosmotech.api.exceptions.CsmResourceNotFoundException
 import com.cosmotech.api.id.CsmIdGenerator
 import com.cosmotech.api.rbac.CsmAdmin
@@ -390,13 +389,12 @@ class DatasetServiceImplTests {
   }
 
   @Test
-  fun `deleteDataset should throw CsmAccessForbiddenException`() {
-    val dataset = baseDataset()
+  fun `deleteDataset do not throw error - rbac is disabled`() {
+    val dataset = baseDataset().apply { twingraphId = "mytwingraphId" }
     every { datasetRepository.findBy(ORGANIZATION_ID, DATASET_ID) } returns Optional.of(dataset)
     every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "my.account-tester"
-    assertThrows<CsmAccessForbiddenException> {
-      datasetService.deleteDataset(ORGANIZATION_ID, DATASET_ID)
-    }
+    datasetService.deleteDataset(ORGANIZATION_ID, DATASET_ID)
+    verify(exactly = 1) { datasetRepository.delete(any()) }
   }
 
   @Test
