fix(auth): enforce document and govdoc route grants
This commit is contained in:
@@ -183,7 +183,7 @@ def test_rbac_manageable_permissions_include_rule_version_lifecycle():
|
||||
assert "rules:binding_delete:delete" in permission_keys
|
||||
|
||||
|
||||
def test_rbac_rule_group_permissions_are_folded_into_rules_menu():
|
||||
def test_rbac_rule_groups_route_is_exposed_under_settings():
|
||||
route_paths = {item["route_path"] for item in RbacAdminServiceImpl._MANAGEABLE_ROUTE_BLUEPRINTS}
|
||||
group_permission_paths = {
|
||||
item["route_path"]
|
||||
@@ -191,17 +191,19 @@ def test_rbac_rule_group_permissions_are_folded_into_rules_menu():
|
||||
if item["permission_key"].startswith("evaluation_group:")
|
||||
}
|
||||
|
||||
assert "/rule-groups" not in route_paths
|
||||
assert "/rule-groups" in route_paths
|
||||
assert group_permission_paths == {"/rules"}
|
||||
|
||||
|
||||
def test_user_route_compat_menu_does_not_expose_rule_groups():
|
||||
def test_user_route_compat_menu_exposes_rule_groups_under_settings():
|
||||
service = RbacServiceImpl()
|
||||
routes = service._buildCompatibilityRoutes(["admin"], {"evaluation_group:list:read", "rules:list:read"})
|
||||
paths = service._collectRoutePaths(routes)
|
||||
rules_route = next(route for route in routes if route.route_path == "/rules")
|
||||
settings_route = next(route for route in routes if route.route_path == "/settings")
|
||||
rule_groups_route = next(route for route in (settings_route.children or []) if route.route_path == "/rule-groups")
|
||||
|
||||
assert "/rule-groups" not in paths
|
||||
assert "/rule-groups" in paths
|
||||
assert rule_groups_route.parent_id == settings_route.id
|
||||
assert "evaluation_group:list:read" in rules_route.permissions
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user