Skip to content

Bugfixes #1375

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jul 15, 2025
Merged

Bugfixes #1375

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7066011
Bugfixes
parmesant Jul 14, 2025
66e7a79
Coderabbit suggestions
parmesant Jul 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 10 additions & 1 deletion src/rbac/map.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -239,7 +239,16 @@ impl Sessions {
| ParseableResourceType::Llm(resource_id) => {
let ok_resource =
if let Some(context_resource_id) = context_resource {
resource_id == context_resource_id || resource_id == "*"
let is_internal = PARSEABLE
.get_stream(context_resource_id)
.is_ok_and(|stream| {
stream
.get_stream_type()
.eq(&crate::storage::StreamType::Internal)
});
resource_id == context_resource_id
|| resource_id == "*"
|| is_internal
} else {
// if no resource to match then resource check is not needed
// WHEN IS THIS VALID??
Expand Down
32 changes: 26 additions & 6 deletions src/utils/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,9 +26,10 @@ pub mod uid;
pub mod update;

use crate::handlers::http::rbac::RBACError;
use crate::parseable::PARSEABLE;
use crate::query::{TableScanVisitor, QUERY_SESSION};
use crate::rbac::map::SessionKey;
use crate::rbac::role::{Action, Permission};
use crate::rbac::role::{Action, ParseableResourceType, Permission};
use crate::rbac::Users;
use actix::extract_session_key_from_req;
use actix_web::HttpRequest;
Expand Down Expand Up @@ -113,14 +114,33 @@ pub fn user_auth_for_datasets(
authorized = true;
break;
}
Permission::Resource(
Action::Query,
crate::rbac::role::ParseableResourceType::Stream(stream),
) => {
if stream == table_name || stream == "*" {
Permission::Resource(Action::Query, ParseableResourceType::Stream(stream)) => {
let is_internal = PARSEABLE.get_stream(table_name).is_ok_and(|stream| {
stream
.get_stream_type()
.eq(&crate::storage::StreamType::Internal)
});

if stream == table_name || stream == "*" || is_internal {
authorized = true;
}
}
Permission::Resource(action, ParseableResourceType::All)
if ![
Action::All,
Action::PutUser,
Action::PutRole,
Action::DeleteUser,
Action::DeleteRole,
Action::ModifyUserGroup,
Action::CreateUserGroup,
Action::DeleteUserGroup,
Action::DeleteNode,
]
.contains(action) =>
{
authorized = true;
}
_ => (),
}
}
Expand Down
Loading