fix: restore authz checks and default-deny filtering in restricted_*_filter#94
Open
devin-ai-integration[bot] wants to merge 1 commit into
Open
fix: restore authz checks and default-deny filtering in restricted_*_filter#94devin-ai-integration[bot] wants to merge 1 commit into
devin-ai-integration[bot] wants to merge 1 commit into
Conversation
…ring in restricted_*_filter
- Restore OrganizationMemberPermission dependency on GET /users/{user_id}
- Restore admin/owner/manager role bypass in restricted_incident_filter and restricted_case_filter
- Use outerjoin instead of inner join so open-visibility items are not dropped
- Add restricted visibility condition (was missing, allowing unrestricted access)
- Apply model-specific filters directly to query instead of via intersect (fixes sort ordering)
- Remove stray debug print() in apply_filter_specific_joins
Co-Authored-By: bot_apk <apk@cognition.ai>
Author
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Restores the authorization and query-filtering fixes from Netflix#6155 that were reverted in source only (tests retained), causing 3 test failures.
auth/views.py—GET /users/{user_id}was missing itsOrganizationMemberPermissiondependency, leaving the endpoint unprotected. Re-added it.database/service.py— three regressions:restricted_incident_filter/restricted_case_filteronly filtered forrole == member, leaving admin/owner/manager/none roles unhandled. Restored default-deny approach:Also switched
join→outerjoin(inner join dropped open-visibility items with no participants) and added the missingVisibility.restrictedcondition.search_filter_sort_paginatestored the restricted query inquery_restrictedand applied it via.intersect()only for Incident/Case models, breaking sort ordering for all models. Restored directquery = apply_model_specific_filters(...)application.Removed a stray
print()debug statement inapply_filter_specific_joins.Link to Devin session: https://app.devin.ai/sessions/275b7e9077c04ac4b2648bb9d8969025