Always have read permission on config

adobe · Jan 10, 2025 · bda99ac · bda99ac
1 parent a7948cc
commit bda99ac
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 5 deletions.
diff --git a/src/routes/config.js b/src/routes/config.js
@@ -23,8 +23,11 @@ export async function postConfig({ req, env, daCtx }) {
 }
 
 export async function getConfig({ env, daCtx }) {
-  if (!hasPermission(daCtx, 'CONFIG', 'read', true)) {
-    return { status: 403 };
-  }
+  // // TODO maybe we should turn the order around?
+  // if (!hasPermission(daCtx, 'CONFIG', 'read', true)) {
+  //   const key = daCtx.key.startsWith('/') ? daCtx.key : `/${daCtx.key}`
+  //   if (!hasPermission(daCtx, key, 'read', true)) { // TODO
+  //     return { status: 403 };
+  // }
   return getKv(env, daCtx);
 }
diff --git a/src/utils/auth.js b/src/utils/auth.js
@@ -190,6 +190,20 @@ export async function getAclCtx(env, org, users, key, api) {
   // Expose the action trace or not?
   actionTrace = users.every((u) => aclTrace.includes(u.email)) ? actionTrace : undefined;
 
+  if (k === 'CONFIG') {
+    actionSet.add('read');
+  }
+
+  // // TODO maybe we should turn the order around because it's more likely to have read
+  // // permission on the content than explicitly on CONFIG
+
+  // // If the user doesn't have read persmissions on config, get them from the content
+  // const pathActions = getAllUserActions(pathLookup, users, key.startsWith('/') ? key : `/${key}`);
+  // if (pathActions.actionSet.has('read')) {
+  //   actionSet.add('read');
+  //   actionTrace = pathActions.actionTrace;
+  // }
+
   return { pathLookup, actionSet, actionTrace };
 }
 

diff --git a/test/routes/config.test.js b/test/routes/config.test.js
@@ -110,8 +110,7 @@ describe('Config', () => {
     );
 
     const res = await getConfig({ env, daCtx: ctx });
-    assert.strictEqual(res.status, 403);
-    assert.strictEqual(getKVCalled.length, 0);
+    assert.strictEqual(getKVCalled.length, 1, "Should always have get permission on config");
 
     const res2 = await postConfig({ req, env, daCtx: ctx });
     assert.strictEqual(res2.status, 403);

diff --git a/test/utils/auth.test.js b/test/utils/auth.test.js
@@ -225,6 +225,12 @@ describe('DA auth', () => {
       assert(hasPermission({users, org: 'test', aclCtx, key: ''}, 'CONFIG', 'write', true));
       assert(hasPermission({users, org: 'test', aclCtx, key: '/somewhere'}, 'CONFIG', 'write', true));
     });
+
+    it('test CONFIG always has read permission', async () => {
+      const users = [{ident: "blah@foo.org"}];
+      const aclCtx = await getAclCtx(env2, 'test', users, '/', 'config');
+      assert(aclCtx.actionSet.has('read'));
+    })
   });
 
   describe('persmissions single sheet', () => {