fix(security): prevent fail-open in role permission checker (#23)

google-labs-jules[bot] · web-flow · commit 7b5387c5fd24 · 2026-02-15T22:40:43.000Z
The `RolePermissionChecker.scopeMatches` method previously returned `true` by default for unhandled scope types. This could allow unauthorized access if a new scope type was added without updating the permission logic. This change enforces a "Fail Closed" strategy by returning `false` for any unknown scope types.

Co-authored-by: google-labs-jules[bot] &lt;161369871+google-labs-jules[bot]@users.noreply.github.com&gt;
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -0,0 +1,7 @@
+# Sentinel's Journal
+
+## 2026-02-15 - Fail-Open Authorization Logic
+
+**Vulnerability:** Found a "Fail Open" pattern in `RolePermissionChecker.scopeMatches` where unhandled scope types would default to `true` (allow access), potentially bypassing authorization checks if new scope types were added without updating the logic.
+**Learning:** Default return values in authorization checks must always be restrictive (`false` or `deny`). Code that relies on "falling through" to a default should fall to a safe state.
+**Prevention:** Always implement "Fail Closed" logic. When checking permissions, start with `false` and only switch to `true` if an explicit allow condition is met. Use exhaustive checks (like TypeScript's `never` check) in switch statements or if-else chains to ensure all cases are handled, but still default to `false` as a safety net.
diff --git a/app/domain/src/permission-checker.ts b/app/domain/src/permission-checker.ts
@@ -46,21 +46,20 @@ export class RolePermissionChecker {
     if (roleScope.type !== requestedScope.type) return false
 
     // For space scopes, check spaceId match
-    if (roleScope.type === "space" && requestedScope.type === "space") {
+    if (roleScope.type === "space" && requestedScope.type === "space")
       return roleScope.spaceId === requestedScope.spaceId
-    }
 
     // For group scopes, check groupId match
-    if (roleScope.type === "group" && requestedScope.type === "group") {
+    if (roleScope.type === "group" && requestedScope.type === "group")
       return roleScope.groupId === requestedScope.groupId
-    }
 
     // For workflow template scopes, check workflowTemplateId match
-    if (roleScope.type === "workflow_template" && requestedScope.type === "workflow_template") {
+    if (roleScope.type === "workflow_template" && requestedScope.type === "workflow_template")
       return roleScope.workflowTemplateId === requestedScope.workflowTemplateId
-    }
 
-    return true
+    // The conditions above should cover all possible cases, but to be sure
+    // we default to false.
+    return false
   }
 
   static hasGroupPermission(
