fixes: Remove auth bypass in for HOTOSM org #1785

hotosm · Oct 30, 2024 · 7bb71a5 · 7bb71a5
1 parent 2e58733
commit 7bb71a5
Showing 1 changed file with 0 additions and 15 deletions.
diff --git a/src/backend/app/auth/roles.py b/src/backend/app/auth/roles.py
@@ -65,7 +65,6 @@ async def check_access(
     Access is determined based on the user's role and permissions:
     - If the user has an 'ADMIN' role, access is granted.
     - If the user has a 'READ_ONLY' role, access is denied.
-    - If the organisation is HOTOSM, then grant access.
     - For other roles, access is granted if the user is an organisation manager
       for the specified organisation (org_id) or has the specified role
       in the specified project (project_id).
@@ -91,20 +90,6 @@ async def check_access(
                 CASE
                     WHEN role = 'ADMIN' THEN true
                     WHEN role = 'READ_ONLY' THEN false
-                    WHEN EXISTS (
-                        SELECT 1
-                        FROM organisations
-                        WHERE (organisations.id = :org_id
-                            AND organisations.slug = 'hotosm')
-                        OR EXISTS (
-                            SELECT 1
-                            FROM projects
-                            JOIN organisations AS org
-                                ON projects.organisation_id = org.id
-                            WHERE org.slug = 'hotosm'
-                                AND projects.id = :project_id
-                        )
-                    ) THEN true
                     ELSE
                         EXISTS (
                             SELECT 1