fix(checkAccess): deny access when resourceType set but identity.resources undefined

The resource access check in checkAccess() was bypassed when identity.resources
was undefined because the condition  evaluated to false, falling through to .

Changed to  with an explicit
 check inside the block, implementing
default-deny semantics per ADR-006.

Added 7 test cases covering:
- undefined resources with resourceType set (denied)
- empty resources with resourceType set (denied)
- non-matching resource type (denied)
- matching type but wrong action (denied)
- matching type and action (granted)
- no resourceType/resourceAction set (granted)
- matching resources with extra scopes (granted)
2026-05-11 01:50:12 +00:00
parent b6c2b2c186
commit ac28c9308c
2 changed files with 171 additions and 2 deletions


@@ -245,7 +245,8 @@ function checkAccess(accessControl: AccessControl, identity: Identity): boolean
if (!hasAny) return false;
}
if (resourceType && resourceAction && identity.resources) {
if (resourceType && resourceAction) {
if (!identity.resources) return false;
for (const [key, actions] of Object.entries(identity.resources)) {
if (key.startsWith(`${resourceType}:`) && actions.includes(resourceAction)) {
return true;
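Review bot: the new guard `if (!identity.resources) return false;` is the right shape for default-deny and matches the `if (!hasAny) return false;` style just above it, but it needs a one-line comment citing ADR-006, otherwise a future "simplification" can fold it back into the outer condition (`if (resourceType && resourceAction && identity.resources)`), which is exactly the bypass this commit removes. Also worth stating in that comment that an empty `identity.resources` object is not denied by this guard (it is truthy, so the loop simply runs zero times) but by whatever follows the loop outside this hunk's context; the "empty resources with resourceType set (denied)" test depends on that fall-through, and a reader of this hunk alone cannot see it.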