fix: Add more security to the pilot creation router

Robin-Van-de-Merghel · Robin-Van-de-Merghel · commit 6ab3faadcb91 · 2025-08-05T16:17:32.000+02:00
diff --git a/diracx-routers/src/diracx/routers/pilots/management.py b/diracx-routers/src/diracx/routers/pilots/management.py
@@ -12,7 +12,7 @@
     PilotFieldsMapping,
     PilotStatus,
 )
-from diracx.core.properties import GENERIC_PILOT
+from diracx.core.properties import GENERIC_PILOT, JOB_ADMINISTRATOR
 from diracx.logic.pilots.management import (
     delete_pilots as delete_pilots_bl,
 )
@@ -72,10 +72,17 @@ async def add_pilot_stamps(
     if GENERIC_PILOT in user_info.properties:
         if len(pilot_stamps) != 1:
             raise HTTPException(
-                status_code=status.HTTP_401_UNAUTHORIZED,
+                status_code=status.HTTP_403_FORBIDDEN,
                 detail="As a pilot, you can only create yourself.",
             )
 
+    if JOB_ADMINISTRATOR not in user_info.properties:
+        if not vo == user_info.vo:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="You can create pilots only for your VO.",
+            )
+
     try:
         await register_new_pilots(
             pilot_db=pilot_db,
