
Enforce per-entity permissions in calendar HTTP and WS APIs#169235

Merged
balloob merged 3 commits into dev from claude/kind-shtern-812275
Apr 28, 2026
Conversation

Member

@balloob balloob commented Apr 27, 2026

Proposed change

The calendar HTTP views and WebSocket commands accepted user-supplied entity_id values without consulting the caller's entity policy, so a non-admin user with a restrictive policy could still read or mutate calendars they should not have access to.

This change mirrors the canonical filter pattern used by APIStatesView / APIEntityStateView (homeassistant/components/api/__init__.py) and _async_get_allowed_states / _forward_entity_changes (homeassistant/components/websocket_api/commands.py):

  • CalendarEventView.get — raise Unauthorized(entity_id=…) when the user lacks POLICY_READ.
  • CalendarListView.get — filter the returned list by check_entity(POLICY_READ).
  • calendar/event/create, calendar/event/delete, calendar/event/update — raise Unauthorized when the user lacks POLICY_CONTROL.
  • calendar/event/subscribe — raise Unauthorized when the user lacks POLICY_READ.

Tests cover each handler with a non-admin user whose policy permits only specific calendar entities.

When adding a new admin in the UI we tell users:

The user group feature is a work in progress. The user will be unable to administer the instance via the UI. We're still auditing all management API endpoints to ensure that they correctly limit access to administrators.

This PR is part of that audit.

Type of change

  • Dependency upgrade
  • Bugfix (non-breaking change which fixes an issue)
  • New integration (thank you!)
  • New feature (which adds functionality to an existing integration)
  • Deprecation (breaking change to happen in the future)
  • Breaking change (fix/feature causing existing functionality to break)
  • Code quality improvements to existing code or addition of tests

Additional information

  • This PR fixes or closes issue: fixes #
  • This PR is related to issue:
  • Link to documentation pull request:
  • Link to developer documentation pull request:
  • Link to frontend pull request:

Checklist

  • I understand the code I am submitting and can explain how it works.
  • The code change is tested and works locally.
  • Local tests pass. Your PR cannot be merged unless tests pass
  • There is no commented out code in this PR.
  • I have followed the development checklist
  • I have followed the perfect PR recommendations
  • The code has been formatted using Ruff (ruff format homeassistant tests)
  • Tests have been added to verify that the new code works.
  • Any generated code has been carefully reviewed for correctness and compliance with project standards.

If user exposed functionality or configuration variables are added/changed:

If the code communicates with devices, web services, or third-party tools:

  • The manifest file has all fields filled out correctly.
    Updated and included derived files by running: python3 -m script.hassfest.
  • New or updated dependencies have been added to requirements_all.txt.
    Updated by running python3 -m script.gen_requirements_all.
  • For the updated dependencies a diff between library versions and ideally a link to the changelog/release notes is added to the PR description.

The calendar HTTP views and WebSocket commands accepted user-supplied
entity_ids without consulting the caller's entity policy. Mirror the
canonical filter pattern from APIStatesView and _async_get_allowed_states
so non-admin users with restrictive policies can no longer read or
mutate calendars they do not have access to.
@balloob balloob requested a review from a team as a code owner April 27, 2026 00:46
Copilot AI review requested due to automatic review settings April 27, 2026 00:46
Contributor

Hey there @home-assistant/core, mind taking a look at this pull request as it has been labeled with an integration (calendar) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of calendar can trigger bot actions by commenting:

  • @home-assistant close Closes the pull request.
  • @home-assistant mark-draft Mark the pull request as draft.
  • @home-assistant ready-for-review Remove the draft status from the pull request.
  • @home-assistant rename Awesome new title Renames the pull request.
  • @home-assistant reopen Reopen the pull request.
  • @home-assistant unassign calendar Removes the current integration label and assignees on the pull request, add the integration domain after the command.
  • @home-assistant update-branch Update the pull request branch with the base branch.
  • @home-assistant add-label needs-more-information Add a label (needs-more-information, problem in dependency, problem in custom component, problem in config, problem in device, feature-request) to the pull request.
  • @home-assistant remove-label needs-more-information Remove a label (needs-more-information, problem in dependency, problem in custom component, problem in config, problem in device, feature-request) on the pull request.

Contributor

Copilot AI left a comment


Pull request overview

This PR tightens access control for the Calendar HTTP views and WebSocket commands by enforcing per-entity permission policies so users can only read/control calendars allowed by their entity policy.

Changes:

  • Enforce POLICY_READ for calendar HTTP event retrieval and WS event subscriptions.
  • Enforce POLICY_CONTROL for calendar WS event create/update/delete operations.
  • Add tests validating unauthorized access is rejected and list/event responses are filtered appropriately.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File: homeassistant/components/calendar/__init__.py
  Adds entity-policy permission checks to calendar HTTP and WS endpoints.
File: tests/components/calendar/test_init.py
  Adds regression tests for permission enforcement across HTTP and WS handlers.

Comment on lines 1008 to +1013
"""Subscribe to calendar event updates."""
entity_id: str = msg["entity_id"]

if not connection.user.permissions.check_entity(entity_id, POLICY_READ):
raise Unauthorized(entity_id=entity_id)


Copilot AI Apr 27, 2026


Extend the permission enforcement to account for policy changes after the subscription is created (currently it’s only checked at subscribe time), e.g., re-check before sending each event update and stop/unsubscribe if access is revoked.

Member


Sounds good. Although maybe all subscriptions should be stopped centrally if access rights are changed?

Member Author


Yeah, that's something we should consider for a future audit task. Probably disconnect all of a user's connections when their permissions change.
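The enforcement pattern from the PR description (check_entity against POLICY_READ or POLICY_CONTROL, raising Unauthorized for a single entity and filtering the list view) together with the re-check-before-each-update idea from this review thread, as an added illustration that is not Home Assistant's code. EntityPolicy, the in-memory calendar store and the Subscription class are simplified stand-ins constructed for the example; only the policy constant names and the check_entity / Unauthorized(entity_id=...) shape come from the page.

```python
"""Per-entity policy enforcement for calendar read/control handlers.

Added illustration, not Home Assistant's own code: EntityPolicy, the store
and Subscription are constructed stand-ins for the real objects.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

POLICY_READ = "read"
POLICY_CONTROL = "control"


class Unauthorized(Exception):
    """Raised when the caller's entity policy denies the requested access."""

    def __init__(self, entity_id: str, permission: str) -> None:
        super().__init__(f"{permission} access denied for {entity_id}")
        self.entity_id = entity_id
        self.permission = permission


@dataclass
class EntityPolicy:
    """Toy stand-in for a user's entity policy: entity_id -> granted permissions.
    Admins bypass the per-entity checks; everyone else is restricted to grants."""

    grants: dict[str, set[str]] = field(default_factory=dict)
    is_admin: bool = False

    def check_entity(self, entity_id: str, permission: str) -> bool:
        if self.is_admin:
            return True
        return permission in self.grants.get(entity_id, set())


# Constructed sample data: calendar entity_id -> event titles.
CALENDARS: dict[str, list[str]] = {
    "calendar.family": ["dentist"],
    "calendar.work": ["standup"],
}


def list_calendars(user: EntityPolicy, store: dict[str, list[str]]) -> list[str]:
    """CalendarListView.get analogue: filter instead of raising, so a restricted
    user is not told which calendars exist but are hidden from them."""
    return [eid for eid in store if user.check_entity(eid, POLICY_READ)]


def get_events(user: EntityPolicy, store: dict[str, list[str]], entity_id: str) -> list[str]:
    """CalendarEventView.get analogue: entity_id is caller-supplied, so gate on
    POLICY_READ before touching the store."""
    if not user.check_entity(entity_id, POLICY_READ):
        raise Unauthorized(entity_id, POLICY_READ)
    return list(store[entity_id])


def create_event(user: EntityPolicy, store: dict[str, list[str]], entity_id: str, title: str) -> None:
    """calendar/event/create analogue: mutation needs POLICY_CONTROL, which is
    a separate grant and not implied by POLICY_READ."""
    if not user.check_entity(entity_id, POLICY_CONTROL):
        raise Unauthorized(entity_id, POLICY_CONTROL)
    store.setdefault(entity_id, []).append(title)


class Subscription:
    """calendar/event/subscribe analogue: checked at subscribe time (as in the PR)
    and again before every pushed update (the reviewer's suggestion), so a later
    policy change ends the stream instead of leaking updates."""

    def __init__(self, user: EntityPolicy, entity_id: str, send: Callable[[str], None]) -> None:
        if not user.check_entity(entity_id, POLICY_READ):
            raise Unauthorized(entity_id, POLICY_READ)
        self.user, self.entity_id, self.send, self.active = user, entity_id, send, True

    def push(self, update: str) -> bool:
        """Deliver one update; return False (and unsubscribe) if access was revoked."""
        if self.active and not self.user.check_entity(self.entity_id, POLICY_READ):
            self.active = False
        if not self.active:
            return False
        self.send(update)
        return True


def demo() -> dict[str, object]:
    """Exercise the handlers as a non-admin user who may only read calendar.family."""
    store = {eid: list(events) for eid, events in CALENDARS.items()}
    viewer = EntityPolicy(grants={"calendar.family": {POLICY_READ}})
    result: dict[str, object] = {"listed": list_calendars(viewer, store)}
    result["family_events"] = get_events(viewer, store, "calendar.family")
    try:
        get_events(viewer, store, "calendar.work")
        result["work_read"] = "allowed"
    except Unauthorized as err:
        result["work_read"] = f"denied:{err.permission}"
    try:
        create_event(viewer, store, "calendar.family", "picnic")
        result["family_create"] = "allowed"
    except Unauthorized as err:
        result["family_create"] = f"denied:{err.permission}"
    delivered: list[str] = []
    sub = Subscription(viewer, "calendar.family", delivered.append)
    result["first_push"] = sub.push("dentist moved")
    viewer.grants["calendar.family"].discard(POLICY_READ)  # policy changed after subscribing
    result["second_push"] = sub.push("dentist cancelled")
    result["delivered"], result["still_active"] = delivered, sub.active
    return result
```

The list view filters while the single-entity views raise: the list is the user's own view of what exists, whereas a request naming a specific entity_id is already a claim the policy must accept or reject. The per-push re-check in Subscription is what closes the gap the review thread points out; without it a subscription created before a policy change keeps streaming.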

Comment thread homeassistant/components/calendar/__init__.py Outdated
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 27, 2026 12:33
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

Member

@MartinHjelmare MartinHjelmare left a comment


Member Author

balloob commented Apr 28, 2026

Test failure is unrelated flaky test.

@balloob balloob merged commit 2f2413c into dev Apr 28, 2026
43 of 44 checks passed
@balloob balloob deleted the claude/kind-shtern-812275 branch April 28, 2026 19:06
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 29, 2026