Additional actor restriction should not grant access to additional actions (#2569)

Closes #2568
2025-12-10 16:51:24 +01:00 · 2025-11-01 18:38:29 -07:00 · 2025-11-01 18:38:29 -07:00 · a528555e84
commit a528555e84
parent 2b962beaeb
3 changed files with 116 additions and 19 deletions
--- a/tests/test_permissions.py
+++ b/tests/test_permissions.py
@ -1117,16 +1117,29 @@ async def test_api_explorer_visibility(


@pytest.mark.asyncio
-async def test_view_table_token_can_access_table(perms_ds):
-    actor = {
-        "id": "restricted-token",
-        "token": "dstok",
-        # Restricted to just view-table on perms_ds_two/t1
-        "_r": {"r": {"perms_ds_two": {"t1": ["vt"]}}},
+async def test_view_table_token_cannot_gain_access_without_base_permission(perms_ds):
+    # Only allow a different actor to view this table
+    previous_config = perms_ds.config
+    perms_ds.config = {
+        "databases": {
+            "perms_ds_two": {
+                # Only someone-else can see anything in this database
+                "allow": {"id": "someone-else"},
+            }
+        }
    }
-    cookies = {"ds_actor": perms_ds.client.actor_cookie(actor)}
-    response = await perms_ds.client.get("/perms_ds_two/t1.json", cookies=cookies)
-    assert response.status_code == 200
+    try:
+        actor = {
+            "id": "restricted-token",
+            "token": "dstok",
+            # Restricted token claims access to perms_ds_two/t1 only
+            "_r": {"r": {"perms_ds_two": {"t1": ["vt"]}}},
+        }
+        cookies = {"ds_actor": perms_ds.client.actor_cookie(actor)}
+        response = await perms_ds.client.get("/perms_ds_two/t1.json", cookies=cookies)
+        assert response.status_code == 403
+    finally:
+        perms_ds.config = previous_config


@pytest.mark.asyncio
@ -1337,6 +1350,35 @@ async def test_actor_restrictions_filters_allowed_resources(perms_ds):
    assert len(db_page.resources) == 0


+@pytest.mark.asyncio
+async def test_actor_restrictions_do_not_expand_allowed_resources(perms_ds):
+    """Restrictions cannot grant access not already allowed to the actor."""
+
+    previous_config = perms_ds.config
+    perms_ds.config = {
+        "databases": {
+            "perms_ds_one": {
+                "allow": {"id": "someone-else"},
+            }
+        }
+    }
+    try:
+        actor = {"id": "user", "_r": {"r": {"perms_ds_one": {"t1": ["vt"]}}}}
+
+        # Base actor is not allowed to see t1, so restrictions should not change that
+        page = await perms_ds.allowed_resources("view-table", actor)
+        assert len(page.resources) == 0
+
+        # And explicit permission checks should still deny
+        response = await perms_ds.client.get(
+            "/perms_ds_one/t1.json",
+            cookies={"ds_actor": perms_ds.client.actor_cookie(actor)},
+        )
+        assert response.status_code == 403
+    finally:
+        perms_ds.config = previous_config
+
+
@pytest.mark.asyncio
 async def test_actor_restrictions_database_level(perms_ds):
    """Test database-level restrictions allow all tables in database - issue #2534"""