allow shared secret when determining org for quotas update endpoint

try using `org_dep` directly in quotas endpoint

this should be safe, since there's still a check for if user is
superuser

allow shared secret in org dep

Author: emma-sg

backend/btrixcloud/orgs.py

@@ -1523,6 +1523,20 @@ async def org_dep(oid: UUID, user: User = Depends(user_dep)):
 
         return org
 
+    async def org_or_shared_secret_dep(
+        oid: UUID, user: User = Depends(user_or_shared_secret_dep)
+    ):
+        org = await ops.get_org_for_user_by_id(oid, user)
+        if not org:
+            raise HTTPException(status_code=404, detail="org_not_found")
+        if not org.is_viewer(user):
+            raise HTTPException(
+                status_code=403,
+                detail="User does not have permission to view this organization",
+            )
+
+        return org
+
     async def org_crawl_dep(
         org: Organization = Depends(org_dep), user: User = Depends(user_dep)
     ):
@@ -1653,7 +1667,7 @@ async def get_plans(user: User = Depends(user_dep)):
     @router.post("/quotas", tags=["organizations"], response_model=UpdatedResponse)
     async def update_quotas(
         quotas: OrgQuotasIn,
-        org: Organization = Depends(org_owner_dep),
+        org: Organization = Depends(org_or_shared_secret_dep),
         user: User = Depends(user_or_shared_secret_dep),
     ):
         if not user.is_superuser:

backend/btrixcloud/subs.py

@@ -245,9 +245,7 @@ async def add_sub_event(
         data["oid"] = oid
         await self.subs.insert_one(data)
 
-    def _get_sub_by_type_from_data(
-        self, data: dict[str, object]
-    ) -> Union[
+    def _get_sub_by_type_from_data(self, data: dict[str, object]) -> Union[
         SubscriptionCreateOut,
         SubscriptionImportOut,
         SubscriptionUpdateOut,