Fix: HasPermission auto_filter and strict_check implementation

Fixes a security issue where auto_filter returned nil instead of a proper
filter expression, which could lead to incorrect authorization behavior.
Moritz 2026-01-08 22:54:47 +01:00
parent 4192922fd3
commit 70729bdd73
Signed by: moritz
GPG key ID: 1020A035E5DD0824
3 changed files with 83 additions and 38 deletions


@ -72,14 +72,15 @@ defmodule Mv.Authorization.Checks.HasPermissionIntegrationTest do
end
describe "Filter Expression Structure - :all scope" do
test "Admin can read all members without filter" do
test "Admin can read all members without filter (returns expr(true))" do
actor = create_actor_with_role("admin")
authorizer = create_authorizer(Mv.Membership.Member, :read)
filter = HasPermission.auto_filter(actor, authorizer, [])
# :all scope should return nil (no filter needed)
assert is_nil(filter)
# :all scope should return [] (empty keyword list = no filter = allow all records)
# After auto_filter fix: no longer returns nil, returns [] instead
assert filter == []
end
end