
Commit 8c457fe

committed
Additional tests
1 parent e76cb26 commit 8c457fe

2 files changed

Lines changed: 49 additions & 0 deletions


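--- a/server/gql/permission_resolver.go
+++ b/server/gql/permission_resolver.go
@@ -94,6 +94,9 @@ func (r *groupResolver) Feeds(ctx context.Context, obj *model.Group, limit *int)
 if err != nil {
 return nil, err
 }
+// No per-child ObjectPermissions check needed here: feed IDs are passed
+// to FindFeeds which applies PermFilter at the SQL layer, so unauthorized
+// feeds are filtered out before results are returned.
 var ids []int
 for _, child := range perms.Children {
 if child.Type == authz.FeedType {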
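Review bot: The comment added at new lines 97-99 records an authorization invariant (FindFeeds applies PermFilter at the SQL layer) that nothing in this hunk shows. None of the subtests added in this commit query a group's feeds, so the claim is unverified by this change. If PermFilter is taken from ctx, confirm that a missing or nil filter makes FindFeeds return nothing rather than every requested ID, because this resolver forwards the perms.Children IDs without a per-child check. I would extend the comment with `// If FindFeeds ever stops applying PermFilter, this resolver must check each child itself.` and add a partial-user subtest that asserts on the feeds returned for CT-group. The body of Feeds starts and ends outside the hunk.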

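--- a/server/gql/permission_resolver_test.go
+++ b/server/gql/permission_resolver_test.go
@@ -662,6 +662,52 @@ func TestPermissionResolver_Filtering(t *testing.T) {
 assert.NotContains(t, groupNames, "HA-group")
 })
 
+t.Run("partial-user group permissions children filtered", func(t *testing.T) {
+// Verify resolvePermissions filters children on a non-tenant type (group)
+c := newPermTestClientFromConfig(cfg, "partial-user")
+jj := postQuery(t, c, `{ groups { name permissions { children { type name } } } }`, nil)
+groups := gjson.Get(jj, "groups").Array()
+assert.Equal(t, 1, len(groups), "partial-user should see exactly 1 group")
+assert.Equal(t, "CT-group", groups[0].Get("name").Str)
+childNames := names(groups[0].Get("permissions.children").Array(), "name")
+assert.Contains(t, childNames, "CT")
+assert.NotContains(t, childNames, "BA", "group permissions children should not include feeds from other groups")
+})
+
+t.Run("partial-user tenant groups with limit", func(t *testing.T) {
+// Verify that limit is applied after filtering, not before.
+// tl-tenant has 3 groups but partial-user can only see CT-group.
+// With limit=1 the user should still get CT-group (not an empty
+// result from limiting before filtering).
+c := newPermTestClientFromConfig(cfg, "partial-user")
+jj := postQuery(t, c, `{ tenants { name groups(limit: 1) { name } } }`, nil)
+for _, tenant := range gjson.Get(jj, "tenants").Array() {
+if tenant.Get("name").Str != "tl-tenant" {
+continue
+}
+groupNames := names(tenant.Get("groups").Array(), "name")
+assert.Equal(t, 1, len(groupNames), "should return exactly 1 group")
+assert.Contains(t, groupNames, "CT-group")
+return
+}
+t.Fatal("tl-tenant not found")
+})
+
+t.Run("full-user tenant groups with limit", func(t *testing.T) {
+// full-user can see all 3 groups; limit=2 should cap at 2
+c := newPermTestClientFromConfig(cfg, "full-user")
+jj := postQuery(t, c, `{ tenants { name groups(limit: 2) { name } } }`, nil)
+for _, tenant := range gjson.Get(jj, "tenants").Array() {
+if tenant.Get("name").Str != "tl-tenant" {
+continue
+}
+groupNames := names(tenant.Get("groups").Array(), "name")
+assert.Equal(t, 2, len(groupNames), "should return exactly 2 groups")
+return
+}
+t.Fatal("tl-tenant not found")
+})
+
 t.Run("nobody sees nothing", func(t *testing.T) {
 c := newPermTestClientFromConfig(cfg, "nobody")
 jj := postQuery(t, c, `{ tenants { id } }`, nil)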
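Review bot: The "partial-user tenant groups with limit" subtest (new lines 677-694) only detects limit-before-filter if CT-group is not the first group in tl-tenant's unfiltered order. If CT-group does sort first, a resolver that limits before filtering would still return it and the test would pass. Either make the fixture ordering explicit or record the dependency, e.g. `// Relies on CT-group not being first in tl-tenant's unfiltered group order.` Separately, at new lines 670-671 `assert.Equal` does not stop the subtest, so an empty result panics on `groups[0]` instead of failing cleanly; `if !assert.Len(t, groups, 1, "partial-user should see exactly 1 group") { return }` avoids that. TestPermissionResolver_Filtering starts and ends outside the hunk.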
