fix(auth): enforce document and govdoc route grants

wren
2026-05-25 15:37:53 +08:00
parent 75c077da77
commit 4ac53ded5a
8 changed files with 424 additions and 19 deletions
+7 -5
@@ -183,7 +183,7 @@ def test_rbac_manageable_permissions_include_rule_version_lifecycle():
assert "rules:binding_delete:delete" in permission_keys
def test_rbac_rule_group_permissions_are_folded_into_rules_menu():
def test_rbac_rule_groups_route_is_exposed_under_settings():
route_paths = {item["route_path"] for item in RbacAdminServiceImpl._MANAGEABLE_ROUTE_BLUEPRINTS}
group_permission_paths = {
item["route_path"]
@@ -191,17 +191,19 @@ def test_rbac_rule_group_permissions_are_folded_into_rules_menu():
if item["permission_key"].startswith("evaluation_group:")
}
assert "/rule-groups" not in route_paths
assert "/rule-groups" in route_paths
assert group_permission_paths == {"/rules"}
def test_user_route_compat_menu_does_not_expose_rule_groups():
def test_user_route_compat_menu_exposes_rule_groups_under_settings():
service = RbacServiceImpl()
routes = service._buildCompatibilityRoutes(["admin"], {"evaluation_group:list:read", "rules:list:read"})
paths = service._collectRoutePaths(routes)
rules_route = next(route for route in routes if route.route_path == "/rules")
settings_route = next(route for route in routes if route.route_path == "/settings")
rule_groups_route = next(route for route in (settings_route.children or []) if route.route_path == "/rule-groups")
assert "/rule-groups" not in paths
assert "/rule-groups" in paths
assert rule_groups_route.parent_id == settings_route.id
assert "evaluation_group:list:read" in rules_route.permissions
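Review bot: test_user_route_compat_menu_exposes_rule_groups_under_settings only exercises the granted case: it passes both `evaluation_group:list:read` and `rules:list:read` and asserts that `/rule-groups` appears, so nothing here fails if the route is also returned to a caller who lacks the grant. The route is now exposed under `/settings` while the preceding test still expects the `evaluation_group:` permissions to map to `/rules`, so the test should pin which permission gates the new child, e.g. `assert "evaluation_group:list:read" in rule_groups_route.permissions` (assuming that is the intended gate). A companion negative case would build routes without that key, for example `service._buildCompatibilityRoutes(["admin"], {"rules:list:read"})`, and assert `"/rule-groups" not in paths`. Whether the `admin` role bypasses the permission set is not visible from this hunk, so the role argument may need adjusting.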