Improve: Make deny_filter robust and add regression test
All checks were successful
continuous-integration/drone/push Build is passing
- Change deny_filter from [id: {:in, []}] to expr(false)
- Add regression test to ensure deny-filter matches 0 records
parent
05cbd833bc
commit
dd4b88f0b7
2 changed files with 48 additions and 3 deletions
|
|
@ -179,10 +179,11 @@ defmodule Mv.Authorization.Checks.HasPermission do
|
|||
|
||||
# Helper function to return a filter that never matches (deny all records)
|
||||
# Used when authorization should be denied (fail-closed)
|
||||
# Returns [id: {:in, []}] which means "id IN []" - never matches (correct deny-all)
|
||||
# NOTE: [id: {:not, {:in, []}}] would be "NOT (id IN [])" = true for all IDs (allow-all) - WRONG!
|
||||
#
|
||||
# Using `expr(false)` avoids depending on the primary key being named `:id`.
|
||||
# This is more robust than [id: {:in, []}] which assumes the primary key is `:id`.
|
||||
defp deny_filter do
|
||||
[id: {:in, []}]
|
||||
expr(false)
|
||||
end
|
||||
|
||||
# Helper to extract action type from authorizer
|
||||
|
|
|
|||
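Review bot: The comment block above `deny_filter` still carries the NOTE about `[id: {:not, {:in, []}}]` and a comparison with `[id: {:in, []}]`, although the function body no longer builds a keyword filter, so those lines now describe the history of the change rather than what the function does. I would reduce the block to what the function returns today (`expr(false)`, matches no record, fail-closed) and keep the comparison with the old form in the commit message. Separately, `expr/1` is a macro and no `require` or `import` is visible in this hunk; please confirm it is brought into scope explicitly at module level, since every denied authorization path in this check depends on this one expression.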