Skip to content

security: let database permissions override code-level AllowAnonymous#4646

Open
ktsapo wants to merge 1 commit intoshesha-io:releases/0.43from
ktsapo:hotfix/4621/db-permissions-override-code-attributes
Open

security: let database permissions override code-level AllowAnonymous#4646
ktsapo wants to merge 1 commit intoshesha-io:releases/0.43from
ktsapo:hotfix/4621/db-permissions-override-code-attributes

Conversation

@ktsapo
Copy link
Copy Markdown
Contributor

@ktsapo ktsapo commented Mar 18, 2026

Summary

  • Remove early return for IAllowAnonymous in SheshaAuthorizationFilter so authorization helpers always run
  • In ApiAuthorizationHelper, instead of returning early for [AllowAnonymous] attributes, pass AllowAnonymous as the replaceInherited fallback
  • This means: if a DB record has an explicit access level (Disable, RequiresPermissions, AnyAuthenticated), the DB wins; if no DB override exists (Inherited), the code attribute is respected

Test plan

  • Verify endpoints with [AllowAnonymous] and no DB override still work anonymously
  • Verify endpoints with [AllowAnonymous] but a DB override of RequiresPermissions require the configured permission
  • Verify endpoints with [AllowAnonymous] but a DB override of Disable return 404

Closes #4621

🤖 Generated with Claude Code

@kudzaitsapo @claude
security: let database permissions override code-level AllowAnonymous
6651639 
Code-level [AllowAnonymous] attributes completely bypassed database-configured
permissions. Modify the authorization pipeline so database configuration takes
precedence. If a DB record has an explicit access level, it overrides the code
attribute. If no DB override exists, the code attribute is still respected.

Closes shesha-io#4621

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented Mar 18, 2026

Warning

Rate limit exceeded

@ktsapo has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 7 minutes and 48 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: cfab8463-3a93-45e9-9dc4-ed470ed36640

📥 Commits

Reviewing files that changed from the base of the PR and between e6a4084 and 6651639.

📒 Files selected for processing (2)
  • shesha-core/src/Shesha.Application/Authorization/ApiAuthorizationHelper.cs
  • shesha-core/src/Shesha.Application/Authorization/SheshaAuthorizationFilter.cs
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
📝 Coding Plan
  • Generate coding plan for human review comments

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@ktsapo ktsapo requested a review from IvanIlyichev March 19, 2026 12:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AlexStepantsov AlexStepantsov AlexStepantsov approved these changes

@IvanIlyichev IvanIlyichev Awaiting requested review from IvanIlyichev

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ktsapo @AlexStepantsov @kudzaitsapo