Skip to content

fix: restore authorization filters for incident/case visibility#98

Open
devin-ai-integration[bot] wants to merge 1 commit into
eval-bug-1from
devin/1781290750-fix-authz-filters
Open

fix: restore authorization filters for incident/case visibility#98
devin-ai-integration[bot] wants to merge 1 commit into
eval-bug-1from
devin/1781290750-fix-authz-filters

Conversation

@devin-ai-integration

Copy link
Copy Markdown

Summary

The authorization filters in restricted_incident_filter and restricted_case_filter were using INNER JOINs on Participant/IndividualContact, which silently dropped open-visibility incidents and cases that had no participants. Additionally, admin/owner/manager roles were not short-circuited, the restricted-visibility check was too permissive (bare or_ on email instead of and_(visibility == restricted, email == ...)), and search_filter_sort_paginate used intersect with a separate restricted query which broke sort ordering.

Key changes in src/dispatch/database/service.py:

  • restricted_incident_filter / restricted_case_filter: early-return for admin/owner/manager; switch .join(...).outerjoin(...) with explicit join condition on IndividualContact.id == Participant.individual_contact_id; tighten filter to or_(visibility == open, and_(visibility == restricted, email == current_user.email))
  • search_filter_sort_paginate: apply apply_model_specific_filters directly to query instead of intersecting a separate query_restricted, preserving sort order
  • Remove stray print() in apply_filter_specific_joins

Also restores PermissionsDependency([OrganizationMemberPermission]) on GET /users/{user_id} in src/dispatch/auth/views.py.

Link to Devin session: https://app.devin.ai/sessions/e75be85a9d664441a6da7100a0030d86

- Use outerjoin instead of inner join in restricted_incident_filter and
  restricted_case_filter so open-visibility items without participants
  are not silently excluded
- Add early return for admin/owner/manager roles (default-deny approach)
- Require both restricted visibility AND matching email (and_ condition)
  instead of loose or_ on email alone
- Apply model-specific filters directly to the query instead of using
  intersect, which was breaking sort ordering
- Restore PermissionsDependency on GET /users/{user_id} endpoint
- Remove stray print() in apply_filter_specific_joins

Co-Authored-By: bot_apk <apk@cognition.ai>
@devin-ai-integration

Copy link
Copy Markdown
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants