From e80eb410f1777e1004d2e562ad13b90eb6b46bd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Samin?= <francois.samin@corp.ovh.com>
Date: Thu, 7 Apr 2022 09:35:55 +0200
Subject: [PATCH] fix(api): getWorkerModelSecretHandler permission (#6141)

Signed-off-by: francois  samin <francois.samin@corp.ovh.com>
---
 engine/api/router_middleware_auth_permission.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/engine/api/router_middleware_auth_permission.go b/engine/api/router_middleware_auth_permission.go
index 3791a47606..5ea5c1fbd2 100644
--- a/engine/api/router_middleware_auth_permission.go
+++ b/engine/api/router_middleware_auth_permission.go
@@ -367,6 +367,10 @@ func (api *API) checkGroupPermissions(ctx context.Context, w http.ResponseWriter
 			}
 		}
 	} else {
+		// Hatcheries started for "shared.infra" group are granted for group "shared.infra"
+		if isHatcheryShared(ctx) {
+			return nil
+		}
 		if !isGroupMember(ctx, g) && !isMaintainer(ctx) { // Only group member or CDS maintainer can get a group or its dependencies
 			return sdk.WithStack(sdk.ErrForbidden)
 		}