
revert policy project middlewares

Mohammed Nafees il y a 4 ans
Parent
commit
f59989e805
3 fichiers modifiés avec 19 ajouts et 23 suppressions
  1. 7 2
      api/server/authz/policy.go
  2. 7 16
      api/server/authz/project.go
  3. 5 5
      api/server/router/router.go

+ 7 - 2
api/server/authz/policy.go

@@ -39,8 +39,13 @@ type PolicyHandler struct {
 }
 
 func (h *PolicyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	// get the project id from the URL param context
-	reqScopes, _ := r.Context().Value(types.RequestScopeCtxKey).(map[types.PermissionScope]*types.RequestAction)
+	// get the full map of scopes to resource actions
+	reqScopes, reqErr := getRequestActionForEndpoint(r, h.endpointMeta)
+
+	if reqErr != nil {
+		apierrors.HandleAPIError(h.config.Logger, h.config.Alerter, w, r, reqErr, true)
+		return
+	}
 
 	policyLoaderOpts := &policy.PolicyLoaderOpts{}
 
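Review bot: `PolicyHandler.ServeHTTP` is now the only visible place where the scope map is computed, but the hunk does not show it being stored under `types.RequestScopeCtxKey`. The same commit removes `ctx = NewRequestScopeCtx(ctx, reqScopes)` from project.go and makes the project middleware read that key from the request context. If the store is not already further down in this function, add `r = r.Clone(NewRequestScopeCtx(r.Context(), reqScopes))` before the next handler is called. The function body continues past the hunk, so this may already be in place.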

+ 7 - 16
api/server/authz/project.go

@@ -13,35 +13,27 @@ import (
 )
 
 type ProjectScopedFactory struct {
-	config       *config.Config
-	endpointMeta types.APIRequestMetadata
+	config *config.Config
 }
 
 func NewProjectScopedFactory(
 	config *config.Config,
-	endpointMeta types.APIRequestMetadata,
 ) *ProjectScopedFactory {
-	return &ProjectScopedFactory{config, endpointMeta}
+	return &ProjectScopedFactory{config}
 }
 
 func (p *ProjectScopedFactory) Middleware(next http.Handler) http.Handler {
-	return &ProjectScopedMiddleware{next, p.endpointMeta, p.config}
+	return &ProjectScopedMiddleware{next, p.config}
 }
 
 type ProjectScopedMiddleware struct {
-	next         http.Handler
-	endpointMeta types.APIRequestMetadata
-	config       *config.Config
+	next   http.Handler
+	config *config.Config
 }
 
 func (p *ProjectScopedMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	// get the full map of scopes to resource actions
-	reqScopes, reqErr := getRequestActionForEndpoint(r, p.endpointMeta)
-
-	if reqErr != nil {
-		apierrors.HandleAPIError(p.config.Logger, p.config.Alerter, w, r, reqErr, true)
-		return
-	}
+	// get the project id from the URL param context
+	reqScopes, _ := r.Context().Value(types.RequestScopeCtxKey).(map[types.PermissionScope]*types.RequestAction)
 
 	projID := reqScopes[types.ProjectScope].Resource.UInt
 
@@ -61,7 +53,6 @@ func (p *ProjectScopedMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Reque
 	}
 
 	ctx := NewProjectContext(r.Context(), project)
-	ctx = NewRequestScopeCtx(ctx, reqScopes)
 	r = r.Clone(ctx)
 	p.next.ServeHTTP(w, r)
 }
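Review bot: In `ProjectScopedMiddleware.ServeHTTP` the restored context lookup discards the type-assertion result, so a missing `types.RequestScopeCtxKey` value or a missing `types.ProjectScope` entry leaves `reqScopes[types.ProjectScope]` nil, and `.Resource.UInt` on the following line panics instead of rejecting the request. An authorization middleware should fail closed here: keep the flag with `reqScopes, ok := r.Context().Value(types.RequestScopeCtxKey).(map[types.PermissionScope]*types.RequestAction)` and guard with `if !ok || reqScopes[types.ProjectScope] == nil { ... return }`, reporting through `apierrors.HandleAPIError` as the removed lines did. The restored comment is also stale, since the line reads the scope map from the request context rather than a URL parameter; something like `// read the request scopes stored in context by the policy middleware` would match, assuming that is where they come from. The part of the body between the two hunks is not visible.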

+ 5 - 5
api/server/router/router.go

@@ -168,6 +168,10 @@ func registerRoutes(config *config.Config, routes []*router.Route) {
 	// after authentication. Each subsequent http.Handler can lookup the user in context.
 	authNFactory := authn.NewAuthNFactory(config)
 
+	// Create a new "project-scoped" factory which will create a new project-scoped request
+	// after authorization. Each subsequent http.Handler can lookup the project in context.
+	projFactory := authz.NewProjectScopedFactory(config)
+
 	// Create a new "cluster-scoped" factory which will create a new cluster-scoped request
 	// after authorization. Each subsequent http.Handler can lookup the cluster in context.
 	clusterFactory := authz.NewClusterScopedFactory(config)
@@ -226,14 +230,10 @@ func registerRoutes(config *config.Config, routes []*router.Route) {
 					atomicGroup.Use(authNFactory.NewAuthenticated)
 				}
 			case types.ProjectScope:
-				// Create a new "project-scoped" factory which will create a new project-scoped request
-				// after authorization. Each subsequent http.Handler can lookup the project in context.
-				projFactory := authz.NewProjectScopedFactory(config, *route.Endpoint.Metadata)
-
 				policyFactory := authz.NewPolicyMiddleware(config, *route.Endpoint.Metadata, policyDocLoader)
 
-				atomicGroup.Use(projFactory.Middleware)
 				atomicGroup.Use(policyFactory.Middleware)
+				atomicGroup.Use(projFactory.Middleware)
 			case types.ClusterScope:
 				atomicGroup.Use(clusterFactory.Middleware)
 			case types.NamespaceScope:
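Review bot: The order of the two `atomicGroup.Use` calls under `case types.ProjectScope` is now load-bearing, but nothing at the call site says so. After this commit the project middleware takes its scopes from the request context instead of computing them, so it presumably relies on `policyFactory.Middleware` having run first. A comment above the calls would keep a later reorder from silently breaking the project lookup, for example `// policy middleware must run first: the project middleware reads the request scopes it leaves in context`. The enclosing switch continues beyond the hunk.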