From 394ed23da7daa44cc37eea00ccaa205ddaf94ffa Mon Sep 17 00:00:00 2001
From: Rahul Chauhan
Date: Fri, 1 Mar 2024 17:21:49 +0100
Subject: [PATCH] Restrict rse expression to single rse when ask_approval is used
---
 src/policy/CMSRucioPolicy/permission.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/policy/CMSRucioPolicy/permission.py b/src/policy/CMSRucioPolicy/permission.py
index 10b73685..f34eb644 100644
--- a/src/policy/CMSRucioPolicy/permission.py
+++ b/src/policy/CMSRucioPolicy/permission.py
@@ -315,6 +315,10 @@ def perm_add_rule(issuer, kwargs, *, session: "Optional[Session]" = None):
 if rse_attr.get('requires_approval', False):
 return False
+ # If asked for approval, rse_expression can only be a single RSE
+ if kwargs["activity"] != "User AutoApprove" and kwargs["ask_approval"] and len(rses) != 1:
+ return False
+
 if kwargs["activity"] == "User AutoApprove":
 return _check_for_auto_approve_eligibility(issuer, rses, kwargs, session=session)
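Review bot: The added guard in perm_add_rule reads `kwargs["ask_approval"]` by direct index, so a caller that omits the key would get a KeyError from the permission check instead of an allow/deny decision. If not every caller is guaranteed to supply that key (not visible in this hunk), `kwargs.get("ask_approval", False)` keeps the check total. The guard is skipped whenever the activity is "User AutoApprove", so for those requests the single-RSE limit rests entirely on `_check_for_auto_approve_eligibility`, and any earlier `return True` above the hunk would bypass the guard as well. A comment such as `# AutoApprove requests are exempt here and checked by _check_for_auto_approve_eligibility below` would record that intent, and the literal `"User AutoApprove"`, now used twice, could become a module constant. perm_add_rule starts and continues outside the hunk, so the placement relative to earlier returns should be confirmed against the full function.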