Delete team policies: 404 for nonexistent team (#19516)

## Addresses #18993 - Return `404` when a user tries to delete team policies from a non-existent team – see [this precedent in the codebase](6b3310aa51/server/service/integration_core_test.go (L6212)) for a 404 in this situation - Add missing authorization check for this action <img width="1494" alt="Screenshot 2024-06-04 at 6 22 02 PM" src="https://github.com/fleetdm/fleet/assets/61553566/15b98c7e-5d4b-450c-8403-a062d7d1bd5b"> - [x] Changes file added for user-visible changes in `changes/`, - [x] Added/updated tests - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
2026-05-22 00:18:27 +00:00 · 2024-06-10 10:46:16 -07:00 · 2024-06-10 10:46:16 -07:00 · 92198a22b8
commit 92198a22b8
parent 27b8a1364f
3 changed files with 16 additions and 7 deletions
--- a/changes/18993-404-when-no-team-on-delete-team-policies
+++ b/changes/18993-404-when-no-team-on-delete-team-policies
@ -0,0 +1 @@
+* Error with 404 when the user attempts to delete team policies for a non-existent team
--- a/server/service/integration_core_test.go
+++ b/server/service/integration_core_test.go
@ -6211,6 +6211,9 @@ func (s *integrationTestSuite) TestTeamPoliciesTeamNotExists() {
 	teamPoliciesResponse := listTeamPoliciesResponse{}
 	s.DoJSON("GET", fmt.Sprintf("/api/latest/fleet/teams/%d/policies", 9999999), nil, http.StatusNotFound, &teamPoliciesResponse)
 	require.Len(t, teamPoliciesResponse.Policies, 0)
+
+	deleteTeamPoliciesResponse := deleteTeamPoliciesResponse{}
+	s.DoJSON("POST", fmt.Sprintf("/api/latest/fleet/teams/%d/policies/delete", 9999999), deleteTeamPoliciesRequest{IDs: []uint{1, 1000}}, http.StatusNotFound, &deleteTeamPoliciesResponse)
 }

 func (s *integrationTestSuite) TestSessionInfo() {
--- a/server/service/team_policies.go
+++ b/server/service/team_policies.go
@ -269,6 +269,18 @@ func deleteTeamPoliciesEndpoint(ctx context.Context, request interface{}, svc fl
 }

 func (svc Service) DeleteTeamPolicies(ctx context.Context, teamID uint, ids []uint) ([]uint, error) {
+	if err := svc.authz.Authorize(ctx, &fleet.Policy{
+		PolicyData: fleet.PolicyData{
+			TeamID: ptr.Uint(teamID),
+		},
+	}, fleet.ActionWrite); err != nil {
+		return nil, err
+	}
+
+	if _, err := svc.ds.Team(ctx, teamID); err != nil {
+		return nil, ctxerr.Wrapf(ctx, err, "loading team %d", teamID)
+	}
+
 	if len(ids) == 0 {
 		return nil, nil
 	}
@ -277,13 +289,6 @@ func (svc Service) DeleteTeamPolicies(ctx context.Context, teamID uint, ids []ui
 		return nil, ctxerr.Wrap(ctx, err, "getting policies by ID")
 	}

-	if err := svc.authz.Authorize(ctx, &fleet.Policy{
-		PolicyData: fleet.PolicyData{
-			TeamID: ptr.Uint(teamID),
-		},
-	}, fleet.ActionWrite); err != nil {
-		return nil, err
-	}
 	for _, policy := range policiesByID {
 		if t := policy.PolicyData.TeamID; t == nil || *t != teamID {
 			return nil, authz.ForbiddenWithInternal(
				`@ -0,0 +1 @@`
				`* Error with 404 when the user attempts to delete team policies for a non-existent team`