From 93411e5806add40d269f45f7fa7b09deedba00d8 Mon Sep 17 00:00:00 2001
From: Donny Winston
Date: Wed, 13 Dec 2023 17:14:56 -0500
Subject: [PATCH] fix: permission for /metadata/json:submit needed given that anyone can create an account via ORCiD.

---
 nmdc_runtime/api/endpoints/metadata.py | 5 +++++
 nmdc_runtime/api/main.py | 10 +++-------
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/nmdc_runtime/api/endpoints/metadata.py b/nmdc_runtime/api/endpoints/metadata.py
index 112d4098..810c6b56 100644
--- a/nmdc_runtime/api/endpoints/metadata.py
+++ b/nmdc_runtime/api/endpoints/metadata.py
@@ -239,6 +239,11 @@ async def submit_json_nmdcdb(
 Submit a NMDC JSON Schema "nmdc:Database" object.
 """
+ if not permitted(user.username, "/metadata/json:submit"):
+ raise HTTPException(
+ status_code=status.HTTP_403_FORBIDDEN,
+ detail="Only specific users are allowed to submit json at this time.",
+ )
 rv = validate_json(docs, mdb)
 if rv["result"] == "errors":
 raise HTTPException(
diff --git a/nmdc_runtime/api/main.py b/nmdc_runtime/api/main.py
index 6db86c98..e8fe4015 100644
--- a/nmdc_runtime/api/main.py
+++ b/nmdc_runtime/api/main.py
@@ -302,16 +302,12 @@ def ensure_default_api_perms():
 allowed = {
 "/metadata/changesheets:submit": [
 "admin",
- "dwinston",
- "mam",
- "montana",
- "pajau",
- "spatil",
 ],
 "/queries:run(query_cmd:DeleteCommand)": [
 "admin",
- "dwinston",
- "scanon",
+ ],
+ "/metadata/json:submit": [
+ "admin",
 ],
 },
 for doc in [
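Review bot: The new `permitted(user.username, "/metadata/json:submit")` check sits ahead of `rv = validate_json(docs, mdb)`, which is the right order because an unauthorized caller then cannot make the server spend schema-validation effort on an arbitrary payload, and that intent deserves a one-line comment such as `# Authorize before validating: unauthorized callers must not trigger validation of arbitrary input.` A denied request is currently visible only as the 403 returned to the client; logging the username and the permission name at the rejection point would let operators notice repeated denials on this endpoint. The literal `"/metadata/json:submit"` has to match the key seeded by `ensure_default_api_perms` in main.py byte for byte, so a single shared constant used by both files would prevent the two silently drifting apart. The signature of `submit_json_nmdcdb` and the rest of its body lie outside the hunk, so whether `user` is guaranteed to be non-None at this point cannot be confirmed from the patch.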
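Review bot: Removing the named users from `allowed` only changes what this function seeds as defaults; whether those users lose `/metadata/changesheets:submit` and the DeleteCommand permission in an already-initialised database depends on how the `for doc in [` loop that continues past the hunk writes these documents, and an insert-if-missing style would leave the earlier grants in place, so that loop should be checked and the outcome stated in the commit description. A short comment on the dict would make the policy explicit, e.g. `# Default grants seeded at startup: only "admin". Additional per-user grants are managed in the database, not in code.` The added `"/metadata/json:submit"` key is the same string the endpoint in metadata.py passes to `permitted()`; defining it once and importing it in both places would avoid a typo in either copy silently locking the endpoint for every caller, presumably including admin.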