Skip to content

fix(authz): restore default-deny authorization filters and endpoint permissions#93

Open
devin-ai-integration[bot] wants to merge 1 commit into
eval-bug-1from
devin/1781290460-fix-authz-filter
Open

fix(authz): restore default-deny authorization filters and endpoint permissions#93
devin-ai-integration[bot] wants to merge 1 commit into
eval-bug-1from
devin/1781290460-fix-authz-filter

Conversation

@devin-ai-integration

Copy link
Copy Markdown

Summary

Restores the authorization fix from PR Netflix#6155 that was inadvertently reverted. Three bugs were reintroduced:

  1. GET /users/{user_id} endpoint lost its OrganizationMemberPermission guard — any unauthenticated caller could fetch user details.

  2. restricted_incident_filter / restricted_case_filter only checked role == member — non-admin roles like none bypassed filtering entirely. The fix restores a default-deny approach:

    # admin/owner/manager → unrestricted
    if role in [UserRoles.admin, UserRoles.owner, UserRoles.manager]:
        return query.distinct()
    # all others → outerjoin Participant/IndividualContact, filter to open OR (restricted AND participant)
  3. search_filter_sort_paginate used query.intersect(query_restricted) — this broke ORDER BY since SQL INTERSECT discards ordering. Fix applies apply_model_specific_filters directly to query (no separate variable, no intersect for authz).

Also removes a stray print() in apply_filter_specific_joins.

Link to Devin session: https://app.devin.ai/sessions/1587d9d4f5044989beb300fcec6baf10

…ermissions

- Restore OrganizationMemberPermission on GET /users/{user_id} endpoint
- Fix restricted_incident_filter and restricted_case_filter to use
  default-deny approach: admin/owner/manager get unrestricted access,
  all other roles see only open items or restricted items where they
  are a participant
- Use outerjoin instead of inner join so open items are still returned
  for non-admin users without participant records
- Apply model-specific filters directly to query instead of using
  intersect with a separate query_restricted variable, which broke
  sort ordering
- Remove debug print statement from apply_filter_specific_joins

Co-Authored-By: bot_apk <apk@cognition.ai>
@devin-ai-integration

Copy link
Copy Markdown
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants