fix: require_privilege 500s on a non-dict privileges blob from auth.json (#1693)

2026-06-03 05:37:54 +01:00
parent 933c461f38
commit f0b172020e
2 changed files with 38 additions and 0 deletions
--- a/src/auth_helpers.py
+++ b/src/auth_helpers.py
@@ -107,6 +107,8 @@ def require_privilege(request: Request, key: str) -> str:
        privs = auth_mgr.get_privileges(user) or {}
    except Exception:
        return user
    if not isinstance(privs, dict):
        privs = {}
    # True = permitted; missing key defaults to permitted (unknown privileges
    # fail open — the UI gates display-side).
    if not privs.get(key, True):
--- a/tests/test_auth_require_privilege_nondict.py
+++ b/tests/test_auth_require_privilege_nondict.py
@@ -0,0 +1,36 @@
 import types
 import pytest
 from src import auth_helpers
 from src.auth_helpers import require_privilege
 class _Mgr:
    def __init__(self, privs):
        self._privs = privs
    def get_privileges(self, user):
        return self._privs
 def _request(mgr):
    state = types.SimpleNamespace(auth_manager=mgr)
    return types.SimpleNamespace(app=types.SimpleNamespace(state=state))
 def test_require_privilege_tolerates_non_dict_privileges(monkeypatch):
    # A corrupt auth.json can make get_privileges return a non-dict (e.g. a
    # list). The privs.get(...) call sits outside the try, so the old code
    # raised AttributeError and turned a privilege check into a 500. It should
    # fall back to the documented fail-open behaviour.
    monkeypatch.setattr(auth_helpers, "require_user", lambda request: "bob")
    req = _request(_Mgr(["do_x"]))
    assert require_privilege(req, "do_x") == "bob"
 def test_require_privilege_still_blocks_disallowed(monkeypatch):
    monkeypatch.setattr(auth_helpers, "require_user", lambda request: "bob")
    req = _request(_Mgr({"do_x": False}))
    with pytest.raises(Exception):
        require_privilege(req, "do_x")