More cleanup

irees · irees · commit 4643fffea041 · 2026-03-23T18:45:58.000-07:00
diff --git a/server/auth/authz/checker.go b/server/auth/authz/checker.go
@@ -22,7 +22,6 @@ type SubjectRef struct {
 // ObjectPermissions is the generic return from a permissions query.
 type ObjectPermissions struct {
 	Ref      ObjectRef    `json:"ref"`
-	Name     string       `json:"name"`
 	Actions  ActionSet    `json:"actions"`
 	Subjects []SubjectRef `json:"subjects"`
 	Parent   *ObjectRef   `json:"parent,omitempty"`
diff --git a/server/auth/azchecker/checker.go b/server/auth/azchecker/checker.go
@@ -169,7 +169,7 @@ func (c *Checker) UserList(ctx context.Context, req *authz.UserListRequest) (*au
 	}
 	var ret []*authz.User
 	for _, user := range users {
-		ret = append(ret, newAzpbUser(user))
+		ret = append(ret, newUser(user))
 	}
 	return &authz.UserListResponse{Users: ret}, nil
 }
@@ -185,7 +185,7 @@ func (c *Checker) User(ctx context.Context, req *authz.UserRequest) (*authz.User
 	if user == nil || err != nil {
 		return nil, ErrUnauthorized
 	}
-	return &authz.UserResponse{User: newAzpbUser(user)}, err
+	return &authz.UserResponse{User: newUser(user)}, err
 }
 
 // ///////////////////
@@ -434,13 +434,15 @@ func (c *Checker) ObjectPermissions(ctx context.Context, obj authz.ObjectRef) (*
 		Actions: authz.ActionSet{},
 	}
 
-	// Check all actions relevant to this type
+	// Check all actions relevant to this type; only include granted actions
 	for _, action := range actionsForType(obj.Type) {
-		ret.Actions[action], _ = c.checkAction(ctx, action, entKey, ctxTuples...)
+		if ok, _ := c.checkAction(ctx, action, entKey, ctxTuples...); ok {
+			ret.Actions[action] = true
+		}
 	}
 	// Special case: CanSetTenant on groups is global-admin only
-	if obj.Type == GroupType {
-		ret.Actions[CanSetTenant] = c.ctxIsGlobalAdmin(ctx)
+	if obj.Type == GroupType && c.ctxIsGlobalAdmin(ctx) {
+		ret.Actions[CanSetTenant] = true
 	}
 
 	// Get tuples — subjects + parent
@@ -474,7 +476,6 @@ func (c *Checker) ObjectPermissions(ctx context.Context, obj authz.ObjectRef) (*
 	c.hydrateObjectRefs(ctx, toHydrate)
 	// Apply back
 	ret.Ref.Name = toHydrate[0].Name
-	ret.Name = toHydrate[0].Name
 	idx := 1
 	if ret.Parent != nil {
 		ret.Parent.Name = toHydrate[idx].Name
@@ -912,6 +913,6 @@ func newEntityID(t ObjectType, id int64) EntityKey {
 	return authz.NewEntityKey(t, strconv.Itoa(int(id)))
 }
 
-func newAzpbUser(u authn.User) *authz.User {
+func newUser(u authn.User) *authz.User {
 	return &authz.User{Id: u.ID(), Name: u.Name(), Email: u.Email()}
 }

Original file line number	Diff line number	Diff line change
`@@ -169,7 +169,7 @@ func (c Checker) UserList(ctx context.Context, req authz.UserListRequest) (*au`
`169`	`169`	`}`
`170`	`170`	`var ret []*authz.User`
`171`	`171`	`for _, user := range users {`
`172`		`- ret = append(ret, newAzpbUser(user))`
	`172`	`+ ret = append(ret, newUser(user))`
`173`	`173`	`}`
`174`	`174`	`return &authz.UserListResponse{Users: ret}, nil`
`175`	`175`	`}`
`@@ -185,7 +185,7 @@ func (c Checker) User(ctx context.Context, req authz.UserRequest) (*authz.User`
`185`	`185`	`if user == nil \|\| err != nil {`
`186`	`186`	`return nil, ErrUnauthorized`
`187`	`187`	`}`
`188`		`- return &authz.UserResponse{User: newAzpbUser(user)}, err`
	`188`	`+ return &authz.UserResponse{User: newUser(user)}, err`
`189`	`189`	`}`
`190`	`190`
`191`	`191`	`// ///////////////////`
`@@ -434,13 +434,15 @@ func (c Checker) ObjectPermissions(ctx context.Context, obj authz.ObjectRef) (`
`434`	`434`	`Actions: authz.ActionSet{},`
`435`	`435`	`}`
`436`	`436`
`437`		`- // Check all actions relevant to this type`
	`437`	`+ // Check all actions relevant to this type; only include granted actions`
`438`	`438`	`for _, action := range actionsForType(obj.Type) {`
`439`		`- ret.Actions[action], _ = c.checkAction(ctx, action, entKey, ctxTuples...)`
	`439`	`+ if ok, _ := c.checkAction(ctx, action, entKey, ctxTuples...); ok {`
	`440`	`+ ret.Actions[action] = true`
	`441`	`+ }`
`440`	`442`	`}`
`441`	`443`	`// Special case: CanSetTenant on groups is global-admin only`
`442`		`- if obj.Type == GroupType {`
`443`		`- ret.Actions[CanSetTenant] = c.ctxIsGlobalAdmin(ctx)`
	`444`	`+ if obj.Type == GroupType && c.ctxIsGlobalAdmin(ctx) {`
	`445`	`+ ret.Actions[CanSetTenant] = true`
`444`	`446`	`}`
`445`	`447`
`446`	`448`	`// Get tuples — subjects + parent`
`@@ -474,7 +476,6 @@ func (c Checker) ObjectPermissions(ctx context.Context, obj authz.ObjectRef) (`
`474`	`476`	`c.hydrateObjectRefs(ctx, toHydrate)`
`475`	`477`	`// Apply back`
`476`	`478`	`ret.Ref.Name = toHydrate[0].Name`
`477`		`- ret.Name = toHydrate[0].Name`
`478`	`479`	`idx := 1`
`479`	`480`	`if ret.Parent != nil {`
`480`	`481`	`ret.Parent.Name = toHydrate[idx].Name`
`@@ -912,6 +913,6 @@ func newEntityID(t ObjectType, id int64) EntityKey {`
`912`	`913`	`return authz.NewEntityKey(t, strconv.Itoa(int(id)))`
`913`	`914`	`}`
`914`	`915`
`915`		`-func newAzpbUser(u authn.User) *authz.User {`
	`916`	`+func newUser(u authn.User) *authz.User {`
`916`	`917`	`return &authz.User{Id: u.ID(), Name: u.Name(), Email: u.Email()}`
`917`	`918`	`}`