fix: enforce role hierarchy on permission edits

This commit is contained in:
wren
2026-05-25 10:13:48 +08:00
parent f6c79fa44d
commit fe424761e2
3 changed files with 57 additions and 2 deletions
+35
@@ -216,6 +216,41 @@ def test_rbac_seed_cache_reuses_recent_route_map():
assert service._get_cached_admin_seed_route_map() == route_map
@pytest.mark.asyncio
async def test_rbac_rejects_lower_role_editing_higher_role_permissions(monkeypatch):
service = RbacAdminServiceImpl()
async def fake_context(_current_user_id):
return {"is_super_admin": False, "max_role_priority": 50}
async def fake_role_row(_session, _role_id):
return {"id": 1, "priority": 90}
monkeypatch.setattr(service, "_getCurrentUserContext", fake_context)
monkeypatch.setattr(service, "_getRoleRow", fake_role_row)
with pytest.raises(LeauditException) as exc:
await service._assertCanManageTargetRole(None, 100, 1)
assert exc.value.status == StatusCodeEnum.HTTP_403_FORBIDDEN
@pytest.mark.asyncio
async def test_rbac_allows_super_admin_editing_higher_role_permissions(monkeypatch):
service = RbacAdminServiceImpl()
async def fake_context(_current_user_id):
return {"is_super_admin": True, "max_role_priority": 100}
async def fail_if_called(_session, _role_id):
raise AssertionError("super_admin should bypass target role lookup")
monkeypatch.setattr(service, "_getCurrentUserContext", fake_context)
monkeypatch.setattr(service, "_getRoleRow", fail_if_called)
await service._assertCanManageTargetRole(None, 100, 1)
def test_permission_cache_is_shared_and_can_invalidate_user():
first = PermissionServiceImpl()
second = PermissionServiceImpl()
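Review bot: The new tests pin only the two extremes of the hierarchy check (priority 50 vs 90 rejected, super_admin bypass) and leave the boundary untested — a non-super-admin with `max_role_priority` equal to the target role's priority, which is exactly where a `<` vs `<=` mistake in `_assertCanManageTargetRole` would hide, and a higher-priority actor who should be allowed through. There is also no case for `_getRoleRow` returning `None` (unknown role id); the implementation is not in this hunk, so it is unclear whether that path yields a clean 403/404 or an unhandled subscript error, and a test should settle it. The equal-priority row below assumes peers may not edit each other — adjust the expected outcome if the intended policy differs, but do pin it. The second context function, `test_permission_cache_is_shared_and_can_invalidate_user`, continues past the end of the hunk.
```python
@pytest.mark.asyncio
@pytest.mark.parametrize(
    ("actor_priority", "target_priority", "allowed"),
    [(90, 50, True), (50, 50, False), (50, 90, False)],  # (50, 50): confirm intended peer policy
)
async def test_rbac_role_hierarchy_boundaries(monkeypatch, actor_priority, target_priority, allowed):
    service = RbacAdminServiceImpl()

    async def fake_context(_current_user_id):
        return {"is_super_admin": False, "max_role_priority": actor_priority}

    async def fake_role_row(_session, _role_id):
        return {"id": 1, "priority": target_priority}

    monkeypatch.setattr(service, "_getCurrentUserContext", fake_context)
    monkeypatch.setattr(service, "_getRoleRow", fake_role_row)
    if allowed:
        await service._assertCanManageTargetRole(None, 100, 1)
    else:
        with pytest.raises(LeauditException) as exc:
            await service._assertCanManageTargetRole(None, 100, 1)
        assert exc.value.status == StatusCodeEnum.HTTP_403_FORBIDDEN
```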