From b7707fb4800241a18b831747da90c612b0621ebb Mon Sep 17 00:00:00 2001
From: Zach Wolfenbarger
Date: Wed, 18 Oct 2023 11:08:42 -0500
Subject: [PATCH] Require admin flag for admin UPP requests (#4257)

* Check api_user, not api_user.user, for admin flag

* Add admin flag to admin request
---
 app/controllers/api/v1/project_preferences_controller.rb | 2 +-
 spec/controllers/api/v1/project_preferences_controller_spec.rb | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/controllers/api/v1/project_preferences_controller.rb b/app/controllers/api/v1/project_preferences_controller.rb
index c690984d0..8a0b49b24 100644
--- a/app/controllers/api/v1/project_preferences_controller.rb
+++ b/app/controllers/api/v1/project_preferences_controller.rb
@@ -26,7 +26,7 @@ def find_upp_for_update_settings
 end
 def user_allowed?
- @upp.project.owners_and_collaborators.include?(api_user.user) || api_user.user.is_admin?
+ @upp.project.owners_and_collaborators.include?(api_user.user) || api_user.is_admin?
 end
 def update_settings_response
diff --git a/spec/controllers/api/v1/project_preferences_controller_spec.rb b/spec/controllers/api/v1/project_preferences_controller_spec.rb
index cf9d3f572..68bbf6e7d 100644
--- a/spec/controllers/api/v1/project_preferences_controller_spec.rb
+++ b/spec/controllers/api/v1/project_preferences_controller_spec.rb
@@ -173,6 +173,7 @@
 it 'lets the admin update UPP settings' do
 default_request user_id: admin_user.id, scopes: scopes
+ settings_params[:admin] = true
 run_update
 expect(response.status).to eq(200)
 end
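Review bot: The new `user_allowed?` line in project_preferences_controller.rb leaves the reader with no hint that the two `is_admin?` predicates differ, and the subject line is the only place that explains why admin authorization now depends on something beyond the user record. Since this is the authorization gate for a settings update, the distinction deserves a comment on the method, e.g. `# Admin access is opt-in: api_user.is_admin? is expected to require the explicit admin request flag in addition to an admin user, so an admin acting as a normal volunteer is treated like any other user.` That expectation is inferred from the commit message, as `ApiUser#is_admin?` is not in the diff; confirm it actually checks the flag before wording the comment as a fact. The subject says the flag is "required", but nothing in this hunk would fail if a future change made `api_user.is_admin?` flag-independent again, so the spec file is where that contract should be pinned.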
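Review bot: The spec hunk only adjusts the positive case — the admin now sends `settings_params[:admin] = true` and still gets 200 — but there is no example asserting the behaviour the commit is named for, that an admin user who omits the flag is refused. Without that negative example the regression this patch fixes would be invisible to the suite: if `api_user.is_admin?` ever stopped requiring the flag, the updated test would still pass. I would add a sibling example in the same context; the exact status should match whatever the existing unauthorized examples in this file assert (not shown in the hunk). The change also mutates `settings_params` in place before `run_update`, which presumably relies on `run_update` reading the same memoized object — worth confirming, since a `let` that builds a fresh hash per reference would silently drop the flag. The enclosing describe/context block starts and ends outside the hunk.

```ruby
it 'rejects an admin who does not send the admin flag' do
  default_request user_id: admin_user.id, scopes: scopes
  run_update
  # use the status the other forbidden cases in this file assert
  expect(response.status).not_to eq(200)
end
```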