Merge pull request #8466 from Neon-White/backport-store-deletion-owne…

…rship-check

[Backport to 5.17] Fix the store deletion ownership check

src/server/system_services/pool_server.js

@@ -92,6 +92,10 @@ function set_pool_controller_factory(pool_controller_factory) {
 // and only allows deletion in case that the owner is also the requester of the deletion
 function check_deletion_ownership(req, resource_owner_id) {
     if (config.RESTRICT_RESOURCE_DELETION) {
+        if (!resource_owner_id) {
+            dbg.error('check_deletion_ownership: pool has no owner');
+            throw new RpcError('INTERNAL_ERROR', 'The pool has no owner, and thus cannot be deleted');
+        }
         const requester_is_sys_owner = String(req.account._id) === String(req.system.owner._id);
         if (!requester_is_sys_owner && String(resource_owner_id) !== String(req.account._id)) {
             dbg.error('check_deletion_ownership: requester (', req.account._id, ') is not the owner (', resource_owner_id, ') of the resource');
@@ -652,7 +656,9 @@ async function update_hosts_pool(req) {
 
 function delete_pool(req) {
     const pool = find_pool_by_name(req);
-    check_deletion_ownership(req, pool.owner_id);
+    // rebuild_object_links() resolves the pool's owner_id to the account object
+    // which is why we have to access ._id to get the actual ID
+    check_deletion_ownership(req, pool.owner_id?._id);
     if (pool.hosts_pool_info) {
         return delete_hosts_pool(req, pool);
     } else {
@@ -662,7 +668,7 @@ function delete_pool(req) {
 
 function delete_namespace_resource(req) {
     const ns = find_namespace_resource_by_name(req);
-    check_deletion_ownership(req, ns.account);
+    check_deletion_ownership(req, ns.account._id);
     dbg.log0('Deleting namespace resource', ns.name);
     return P.resolve()
         .then(() => {