PROD-2254: User must have delete scope to delete systems (#5037)

Co-authored-by: Dawn Pattison <pattisdr@users.noreply.github.com>

Author: 2 people

CHANGELOG.md

@@ -23,6 +23,7 @@ The types of changes are:
 ### Fixed
 - Fixed a bug where system information form was not loading for Viewer users [#5034](https://github.com/ethyca/fides/pull/5034)
 - Fixed viewers being given the option to delete systems [#5035](https://github.com/ethyca/fides/pull/5035)
+- Restrict Delete Systems API endpoint such that user must have "SYSTEM_DELETE" scope [#5037](https://github.com/ethyca/fides/pull/5037)
 
 ### Removed
 - Removed the `fetch` polyfill from FidesJS [#5026](https://github.com/ethyca/fides/pull/5026)

src/fides/api/api/v1/endpoints/system.py

@@ -33,10 +33,12 @@
 from fides.api.models.sql_models import System  # type:ignore[attr-defined]
 from fides.api.oauth.system_manager_oauth_util import (
     verify_oauth_client_for_system_from_fides_key,
-    verify_oauth_client_for_system_from_fides_key_cli,
     verify_oauth_client_for_system_from_request_body_cli,
 )
-from fides.api.oauth.utils import get_current_user, verify_oauth_client_prod
+from fides.api.oauth.utils import (
+    get_current_user,
+    verify_oauth_client_prod,
+)
 from fides.api.schemas.connection_configuration import connection_secrets_schemas
 from fides.api.schemas.connection_configuration.connection_config import (
     BulkPutConnectionConfiguration,
@@ -294,6 +296,12 @@ async def upsert(
 
 @SYSTEM_ROUTER.delete(
     "/{fides_key}",
+    dependencies=[
+        Security(
+            verify_oauth_client_prod,
+            scopes=[SYSTEM_DELETE],
+        )
+    ],
     responses={
         status.HTTP_403_FORBIDDEN: {
             "content": {
@@ -311,10 +319,7 @@ async def upsert(
     },
 )
 async def delete(
-    fides_key: str = Security(
-        verify_oauth_client_for_system_from_fides_key_cli,
-        scopes=[SYSTEM_DELETE],
-    ),  # Security dependency defined here instead of the path operation decorator so we have access to the fides_key
+    fides_key: str,
     # to retrieve the System and also return a value
     db: AsyncSession = Depends(get_async_db),
 ) -> Dict:

tests/ctl/core/test_api.py

@@ -2542,9 +2542,7 @@ def test_system_delete_as_system_manager(
             resource_id=system.fides_key,
             headers=auth_header,
         )
-        assert result.status_code == HTTP_200_OK
-        assert result.json()["message"] == "resource deleted"
-        assert result.json()["resource"]["fides_key"] == system.fides_key
+        assert result.status_code == HTTP_403_FORBIDDEN
 
     def test_delete_system_deletes_connection_config_and_dataset(
         self,

tests/ops/service/connectors/test_queryconfig.py

@@ -475,6 +475,7 @@ def test_generate_query(
                 "birthday": 1,
                 "comments": 1,
                 "customer_id": 1,
+                "customer_uuid": 1,
                 "emergency_contacts": 1,
                 "children": 1,
                 "gender": 1,