Skip to content

fix: restore authorization checks reverted from #6155#2

Closed
devin-ai-integration[bot] wants to merge 1 commit into
eval-bug-1from
devin/1781208437-fix-authz-regression
Closed

fix: restore authorization checks reverted from #6155#2
devin-ai-integration[bot] wants to merge 1 commit into
eval-bug-1from
devin/1781208437-fix-authz-regression

Conversation

@devin-ai-integration

Copy link
Copy Markdown

Summary

The seeded bug reverted the authz hardening from PR Netflix#6155, causing test failures in tests/database/test_service.py. The revert introduced three classes of regressions:

  1. Missing permission guard on GET /users/{user_id} — the OrganizationMemberPermission dependency was stripped, making the endpoint publicly accessible to any authenticated user regardless of org membership.

  2. Broken role-based filtering in restricted_incident_filter / restricted_case_filter — the reverted code only applied filtering for role == member and used join (inner) instead of outerjoin, which excluded open incidents/cases that had no participants at all. The fix restores:

    • Early return for admin/owner/manager (unrestricted access)
    • Default-deny outerjoin + or_(open, restricted AND participant_email) for all other roles
    • Explicit Visibility.restricted guard in the and_() clause
  3. search_filter_sort_paginate used intersect with a stale query_restricted instead of applying model-specific filters directly to query, which broke ordering and pagination. Also removed a stray print() in apply_filter_specific_joins.

Link to Devin session: https://app.devin.ai/sessions/6c1453e8f2f64370902940df8a6c0573

- Restore OrganizationMemberPermission on GET /users/{user_id}
- Apply model-specific filters directly to query instead of using intersect
- Restore admin/owner/manager bypass in restricted_incident_filter and
  restricted_case_filter (default-deny approach for all other roles)
- Use outerjoin instead of join so open entities without participants are
  still visible to members
- Add Visibility.restricted guard in the and_ clause for participant checks
- Remove stray debug print() in apply_filter_specific_joins

Co-Authored-By: bot_apk <apk@cognition.ai>
@devin-ai-integration

Copy link
Copy Markdown
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@devin-ai-integration devin-ai-integration Bot deleted the devin/1781208437-fix-authz-regression branch June 12, 2026 15:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants