fix: enforce role hierarchy on permission edits
@@ -216,6 +216,41 @@ def test_rbac_seed_cache_reuses_recent_route_map():
|
||||
assert service._get_cached_admin_seed_route_map() == route_map
|
||||
|
||||
|
||||
@pytest.mark.asyncio
|
||||
async def test_rbac_rejects_lower_role_editing_higher_role_permissions(monkeypatch):
|
||||
service = RbacAdminServiceImpl()
|
||||
|
||||
async def fake_context(_current_user_id):
|
||||
return {"is_super_admin": False, "max_role_priority": 50}
|
||||
|
||||
async def fake_role_row(_session, _role_id):
|
||||
return {"id": 1, "priority": 90}
|
||||
|
||||
monkeypatch.setattr(service, "_getCurrentUserContext", fake_context)
|
||||
monkeypatch.setattr(service, "_getRoleRow", fake_role_row)
|
||||
|
||||
with pytest.raises(LeauditException) as exc:
|
||||
await service._assertCanManageTargetRole(None, 100, 1)
|
||||
|
||||
assert exc.value.status == StatusCodeEnum.HTTP_403_FORBIDDEN
|
||||
|
||||
|
||||
@pytest.mark.asyncio
|
||||
async def test_rbac_allows_super_admin_editing_higher_role_permissions(monkeypatch):
|
||||
service = RbacAdminServiceImpl()
|
||||
|
||||
async def fake_context(_current_user_id):
|
||||
return {"is_super_admin": True, "max_role_priority": 100}
|
||||
|
||||
async def fail_if_called(_session, _role_id):
|
||||
raise AssertionError("super_admin should bypass target role lookup")
|
||||
|
||||
monkeypatch.setattr(service, "_getCurrentUserContext", fake_context)
|
||||
monkeypatch.setattr(service, "_getRoleRow", fail_if_called)
|
||||
|
||||
await service._assertCanManageTargetRole(None, 100, 1)
|
||||
|
||||
|
||||
def test_permission_cache_is_shared_and_can_invalidate_user():
|
||||
first = PermissionServiceImpl()
|
||||
second = PermissionServiceImpl()
|
||||
|
||||
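Review bot: The boundary the hierarchy check most often gets wrong is left unpinned: test_rbac_rejects_lower_role_editing_higher_role_permissions exercises only a caller well below the target (50 vs 90), so a comparison of `<` versus `<=` in _assertCanManageTargetRole passes either way, and nothing asserts what happens when _getRoleRow returns None for the target. For an authorization gate the missing-row path should fail closed rather than be treated as "no priority, allowed"; I cannot see the implementation here, so this is a request to pin the behaviour, not a claim that it is wrong. A parametrised test next to the rejecting case would cover both, with the expected outcome for the equal-priority row set to the intended semantics (the commit title suggests an equal-ranked role is not above the caller, so rejection is the likely intent — confirm) and the missing-row case asserting whichever status the service raises for it.
```python
@pytest.mark.asyncio
@pytest.mark.parametrize("target_row", [{"id": 1, "priority": 50}, None])
async def test_rbac_rejects_equal_priority_and_missing_target_role(monkeypatch, target_row):
    service = RbacAdminServiceImpl()

    async def fake_context(_current_user_id):
        return {"is_super_admin": False, "max_role_priority": 50}

    async def fake_role_row(_session, _role_id):
        return target_row

    monkeypatch.setattr(service, "_getCurrentUserContext", fake_context)
    monkeypatch.setattr(service, "_getRoleRow", fake_role_row)

    # Both the equal-priority and the missing-row case must not let the edit through.
    with pytest.raises(LeauditException):
        await service._assertCanManageTargetRole(None, 100, 1)
```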