RBAC: Add an additional check on UserID before fetching the permissions (#53002)

* RBAC: add an additional check before fetching permissions * Nit. * Readd removed test * change message
2025-07-30 21:42:37 +08:00 · 2022-08-03 11:06:06 +02:00
parent 2054414d37
commit 00ff61cb9e
2 changed files with 31 additions and 8 deletions
--- a/pkg/services/accesscontrol/database/database_test.go
+++ b/pkg/services/accesscontrol/database/database_test.go
@ -16,6 +16,7 @@ import (

 type getUserPermissionsTestCase struct {
 	desc               string
+	anonymousUser      bool
 	orgID              int64
 	role               string
 	userPermissions    []string
@ -74,6 +75,16 @@ func TestAccessControlStore_GetUserPermissions(t *testing.T) {
 			expected:           0,
 			actions:            []string{},
 		},
+		{
+			desc:               "should only get br permissions for anonymous user",
+			anonymousUser:      true,
+			orgID:              1,
+			role:               "Admin",
+			userPermissions:    []string{"1", "2", "10"},
+			teamPermissions:    []string{"100", "2"},
+			builtinPermissions: []string{"5", "6"},
+			expected:           2,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.desc, func(t *testing.T) {
@ -118,9 +129,13 @@ func TestAccessControlStore_GetUserPermissions(t *testing.T) {
 				}
 			}

+			userID := user.ID
+			if tt.anonymousUser {
+				userID = 0
+			}
 			permissions, err := store.GetUserPermissions(context.Background(), accesscontrol.GetUserPermissionsQuery{
 				OrgID:   tt.orgID,
-				UserID:  user.ID,
+				UserID:  userID,
 				Roles:   roles,
 				Actions: tt.actions,
 			})