Fix set-quotas for non-project scoped tokens

Previously, if set-quotas was called with a non-project scoped token and the all-projects flag was not set, the quotas would be updated but the result returned
would always be the default quota values.
This patch changes the API to require the all-projects flag when set-quota is called and the token is not project scoped.

Closes-Bug: #1966128
Change-Id: I55ca76ef7c2cbeb5fdae1aed1dcbe58b7acddc34

1 files changed, 10 insertions, 0 deletions

diff --git a/designate/api/v2/controllers/quotas.py b/designate/api/v2/controllers/quotas.py
index 7d0a74de..9fbc6d3a 100644
--- a/designate/api/v2/controllers/quotas.py
+++ b/designate/api/v2/controllers/quotas.py
@@ -19,6 +19,7 @@ import pecan
 
 from designate.api.v2.controllers import rest
 from designate.common import keystone
+from designate import exceptions
 from designate.objects.adapters import DesignateAdapter
 from designate.objects import QuotaList
 
@@ -63,6 +64,15 @@ class QuotasController(rest.RestController):
 
         quotas = DesignateAdapter.parse('API_v2', body, QuotaList())
 
+        # The get_quotas lookup will always return the default quotas
+        # if the context does not have a project_id (system scoped token) and
+        # the all_tenants boolean is false. Let's require all_tenants for
+        # contexts with no project ID.
+        if context.project_id is None and not context.all_tenants:
+            raise exceptions.MissingProjectID(
+                "The all-projects flag must be used when using non-project "
+                "scoped tokens.")
+
         for quota in quotas:
             self.central_api.set_quota(context, tenant_id, quota.resource,
                                        quota.hard_limit)