From 95f121f03e67cd9da6143182c7ffcf8e2aa00018 Mon Sep 17 00:00:00 2001
From: Rahul Chauhan
Date: Thu, 14 Mar 2024 17:49:07 +0100
Subject: [PATCH] Allow non USER datatier in non cms scopes for admin accounts

---
 src/policy/CMSRucioPolicy/permission.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/policy/CMSRucioPolicy/permission.py b/src/policy/CMSRucioPolicy/permission.py
index f4e7a28..a9b87e9 100644
--- a/src/policy/CMSRucioPolicy/permission.py
+++ b/src/policy/CMSRucioPolicy/permission.py
@@ -574,7 +574,7 @@ def perm_add_did(issuer, kwargs, *, session: "Optional[Session]" = None):
             if rule['account'] != issuer:
                 return False
 
-    if kwargs['scope'].external != u'cms':
+    if kwargs['scope'].external != 'cms' and not has_account_attribute(account=issuer, key='admin', session=session):
         if kwargs['type'] == 'DATASET':
             if '/USER#' not in kwargs['name']:
                 return False
@@ -597,6 +597,8 @@ def perm_add_dids(issuer, kwargs, *, session: "Optional[Session]" = None):
     :param session: The DB session to use
     :returns: True if account is allowed, otherwise False
     """
+    #TODO: Check scope ownership for bulk add operation too
+
     # Check the accounts of the issued rules
     if not _is_root(issuer) and not has_account_attribute(account=issuer, key='admin', session=session):
         for did in kwargs['dids']:
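Review bot: The new guard on the `if kwargs['scope'].external != 'cms'` line honours only the `admin` account attribute, whereas the surrounding policy (the `if not _is_root(issuer) and not has_account_attribute(...)` pattern visible in the second hunk, and apparently the rule-ownership check just above this one) treats root and admin as equivalent, so a root account without the attribute stays restricted here while admins are not; consider `if kwargs['scope'].external != 'cms' and not (_is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)):` if that is the intended privilege set. Note also that the added condition skips the entire nested block, not just the `/USER#` dataset-name test: whatever else that block enforces for non-cms scopes (the body of perm_add_did continues past the hunk, so this is inferred) is now bypassed for admins too, which is wider than the subject line "Allow non USER datatier" states. A one-line comment above the guard, such as `# Admin accounts may register non-USER datatiers outside the 'cms' scope; everyone else is limited to /USER# datasets there`, would make the bypass explicit for the next reader of this policy.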
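Review bot: The added `#TODO: Check scope ownership for bulk add operation too` records an authorization gap in perm_add_dids without closing it: as the comment itself says, the bulk path does not apply the scope/datatier restriction that perm_add_did enforces, so a non-admin caller appears able to register via add_dids what add_did would refuse (the rest of perm_add_dids lies outside the hunk, so confirm no equivalent check exists further down). A permission-policy TODO should at least state the consequence and an owner, e.g. `# TODO(rchauhan): perm_add_did limits non-admin accounts to /USER# datasets outside the 'cms' scope; apply the same per-DID check to kwargs['dids'] here, otherwise the bulk endpoint bypasses it.`; better still, loop over `kwargs['dids']` and reuse the single-DID logic in this commit. Minor style point: PEP 8 spacing is `# TODO:` with a space after the hash, matching the `# Check the accounts ...` comment two lines below.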