Skip to content

fix: restore authorization checks and default-deny filtering#100

Open
devin-ai-integration[bot] wants to merge 1 commit into
eval-bug-1from
devin/1781290934-fix-authz-regression
Open

fix: restore authorization checks and default-deny filtering#100
devin-ai-integration[bot] wants to merge 1 commit into
eval-bug-1from
devin/1781290934-fix-authz-regression

Conversation

@devin-ai-integration

Copy link
Copy Markdown

Summary

The eval-bug-1 branch carried a regression that reverted the authz hardening from PR Netflix#6155. This PR restores the correct behavior across two files:

auth/views.pyGET /users/{user_id} was missing its PermissionsDependency([OrganizationMemberPermission]) guard, allowing unauthenticated reads. Restored.

database/service.py — Three issues:

  1. search_filter_sort_paginate stored the restricted query in a separate query_restricted variable and applied it via intersect only for Incident/Case models. This broke sorting (intersect discards ORDER BY) and skipped restriction for all other models. Restored to applying apply_model_specific_filters directly to query.

  2. restricted_incident_filter / restricted_case_filter only filtered when role == UserRoles.member, giving non-member non-admin roles unrestricted access. Also used INNER JOIN, which dropped incidents/cases with no participants. Restored default-deny: admin/owner/manager get early return; all other roles use outerjoin + and_(visibility == restricted, email == current_user).

  3. Stray print() call removed from apply_filter_specific_joins.

All 25 tests in tests/database/test_service.py now pass.

Link to Devin session: https://app.devin.ai/sessions/4ee1830cbc0d445aa8323330232ffa8b

- Restore PermissionsDependency on GET /users/{user_id} endpoint
- Remove debug print() in apply_filter_specific_joins
- Apply model-specific filters directly to query instead of via intersect
- Restore default-deny in restricted_incident_filter and restricted_case_filter:
  admin/owner/manager get unrestricted access; all other roles use outerjoin
  with restrictive visibility filtering

Co-Authored-By: bot_apk <apk@cognition.ai>
@devin-ai-integration

Copy link
Copy Markdown
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants