From 6e6e7fef9bf7f48426c0bd0d49417c6cd1afe46d Mon Sep 17 00:00:00 2001
From: Jade McGough
Date: Thu, 5 Sep 2019 11:22:18 -0700
Subject: [PATCH] feat(http): block writes to system buckets (#14920)
---
 authorizer/bucket.go | 2 +-
 bucket.go | 8 ++++++++
 http/write_handler.go | 9 +++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/authorizer/bucket.go b/authorizer/bucket.go
index 0fb17f2f22..1d81f20959 100644
--- a/authorizer/bucket.go
+++ b/authorizer/bucket.go
@@ -106,7 +106,7 @@ func (s *BucketService) FindBuckets(ctx context.Context, filter influxdb.BucketF
 buckets := bs[:0]
 for _, b := range bs {
 // temporary hack for system buckets
- if b.ID == influxdb.TasksSystemBucketID || b.ID == influxdb.MonitoringSystemBucketID {
+ if b.IsSystem() {
 buckets = append(buckets, b)
 continue
 }
diff --git a/bucket.go b/bucket.go
index b3d22a0481..b5da69aeda 100644
--- a/bucket.go
+++ b/bucket.go
@@ -6,6 +6,8 @@ import (
 "time"
 )
 
+// TasksSystemBucketID and MonitoringSystemBucketID are IDs that are reserved for system buckets.
+// If any system bucket IDs are added, Bucket.IsSystem must be updated to include them.
 const (
 // TasksSystemBucketID is the fixed ID for our tasks system bucket
 TasksSystemBucketID = ID(10)
@@ -27,6 +29,12 @@ type Bucket struct {
 CRUDLog
 }
 
+// TODO(jade): move this logic to a type set directly on Bucket.
+// IsSystem returns true if a bucket is a known system bucket
+func (b *Bucket) IsSystem() bool {
+ return b.ID == TasksSystemBucketID || b.ID == MonitoringSystemBucketID
+}
+
 // ops for buckets error and buckets op logs.
 var (
 OpFindBucketByID = "FindBucketByID"
diff --git a/http/write_handler.go b/http/write_handler.go
index 65d22fd687..128b071f34 100644
--- a/http/write_handler.go
+++ b/http/write_handler.go
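Review bot: In the second bucket.go hunk the doc comment for IsSystem is preceded by the TODO line, so the godoc text for the method starts with "TODO(jade): …" instead of the method name, and the descriptive sentence has no terminating period. Swap the two lines so the block reads `// IsSystem returns true if a bucket is a known system bucket.` followed by `// TODO(jade): move this logic to a type set directly on Bucket.`. IsSystem only reads b.ID, so a value receiver would also serve and would avoid a nil-pointer panic if a caller ever passes a nil *Bucket; the pointer receiver is fine as long as every caller (the authorizer loop and the write handler in this patch) holds a non-nil bucket, which appears to be the case here but is not visible in the hunks.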
@@ -177,6 +177,15 @@ func (h *WriteHandler) handleWrite(w http.ResponseWriter, r *http.Request) {
 bucket = b
 }
 
+ // TODO(jade): remove this after system buckets issue is resolved
+ if bucket.IsSystem() {
+ h.HandleHTTPError(ctx, &platform.Error{
+ Code: platform.EForbidden,
+ Op: "http/handleWrite",
+ Msg: fmt.Sprintf("cannot write to internal bucket %s", bucket.Name),
+ }, w)
+ }
+
 p, err := platform.NewPermissionAtID(bucket.ID, platform.WriteAction, platform.BucketsResourceType, org.ID)
 if err != nil {
 h.HandleHTTPError(ctx, &platform.Error{
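Review bot: The new system-bucket branch calls h.HandleHTTPError to send the EForbidden response but never returns, so handleWrite falls straight through to the NewPermissionAtID call visible at the bottom of the hunk and, presumably, to the write itself; the 403 is cosmetic and the caller's data still lands in the system bucket, with any later error handler writing a second response on the same ResponseWriter. Add `return` immediately after the `}, w)` line so the branch terminates the handler like the surrounding error paths do. A test that posts line protocol to a bucket whose ID is TasksSystemBucketID and asserts both the 403 and that no points were stored would pin this. handleWrite begins and ends outside the hunk.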