Skip to content

fix: restore authz filters and default-deny approach for incident/case queries#11

Closed
devin-ai-integration[bot] wants to merge 1 commit into
eval-bug-1from
devin/1781209243-fix-authz-filters
Closed

fix: restore authz filters and default-deny approach for incident/case queries#11
devin-ai-integration[bot] wants to merge 1 commit into
eval-bug-1from
devin/1781209243-fix-authz-filters

Conversation

@devin-ai-integration

Copy link
Copy Markdown

Summary

Restores the authorization fix from Netflix#6155 that was reverted in the seeded bug commit. Three issues were causing test failures:

  1. restricted_incident_filter / restricted_case_filter only gated on role == member, allowing non-privileged roles (e.g. none) unrestricted access. Fixed by restoring the default-deny approach: admin/owner/manager get early-return; all other roles get restrictive filtering via outerjoin + and_(visibility == restricted, email == current_user).

  2. search_filter_sort_paginate stored the restricted query in a separate query_restricted variable and then intersect-ed it back, which broke sort ordering and returned empty results for non-Incident/Case models. Fixed by applying apply_model_specific_filters directly to query.

  3. get_user endpoint was missing PermissionsDependency([OrganizationMemberPermission]) — restored.

Also removed a stray debug print() in apply_filter_specific_joins.

Link to Devin session: https://app.devin.ai/sessions/5e8142866dab4c2d8cde92e5516c76a6

…e queries

- Restore PermissionsDependency on GET /users/{user_id} endpoint
- Restore admin/owner/manager early-return in restricted_incident_filter and
  restricted_case_filter (default-deny for non-privileged roles)
- Use outerjoin instead of inner join so open incidents/cases are returned
  even when the user is not a participant
- Filter restricted visibility with explicit and_() condition
- Apply model-specific filters directly to query instead of using intersect,
  which broke sort ordering
- Remove debug print statement from apply_filter_specific_joins

Co-Authored-By: bot_apk <apk@cognition.ai>
@devin-ai-integration

Copy link
Copy Markdown
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@devin-ai-integration devin-ai-integration Bot deleted the devin/1781209243-fix-authz-filters branch June 12, 2026 15:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants