
Fix app-wide denial of stratos-level permissions (checker contract)#5574

Merged
norman-abramovitz merged 2 commits into cloudfoundry:develop from nabramovitz:norm/fix/permission-checker-contract on Jul 5, 2026

Conversation

@nabramovitz

Contributor

Description

The strict-null pass in #5446 changed CfUserPermissionsChecker to answer "deny" instead of "not mine" for permission types it doesn't own. CurrentUserPermissionsService.findChecker then saw two claimants for every stratos-level check and denied it app-wide (Permissions: Found too many ... Permission Denied in the console). This hid the Register Endpoint button from admins (#5570), bounced admins off /api-keys (#5571), and silently disabled password-change / profile-edit / endpoint-admin gating.

The first commit restores the checker contract (undefined/null for unowned configs, matching v4.9.3 semantics) and pins it with unit tests, including the two-checkers-registered integration case the #5446 gate missed. The second commit updates the shared e2e list harness for signal-list markup, which the newly reachable api-keys CRUD tests exposed.

How Has This Been Tested?

Types of changes

  • Bug fix (non-breaking change which fixes an issue)

Fixes #5570
Fixes #5571
Refs #5446

The strict-null pass in cloudfoundry#5446 replaced CfUserPermissionsChecker's implicit
"this config is not mine" (returning undefined from getBaseSimpleCheck's
missing default case) with an explicit of(false) denial. That made the CF
checker claim every stratos-level check (internal, internal-scope, api-key)
alongside StratosUserPermissionsChecker, so findChecker() saw two claimants
and denied the permission app-wide ("Permissions: Found too many ...").

Every stratos permission was denied for every user: the Register Endpoint
button never rendered for admins (cloudfoundry#5570), the /api-keys route guard bounced
admins to home (cloudfoundry#5571), and password-change / profile-edit / endpoint-admin
gating were silently off.

Restore the contract explicitly: getSimpleCheck returns undefined for
non-CF permission types, and getComplexCheck returns null (not a truthy
empty array) when it handles none of the config groups.

The new spec pins the checker contract and the two-checkers-registered
integration paths that cloudfoundry#5446's gate missed.

Fixes cloudfoundry#5570
Fixes cloudfoundry#5571

The api-keys CRUD tests were unreachable while the route guard bounced
admins off /api-keys (cloudfoundry#5571); with the guard fixed they run again and hit
three stale legacy selectors in the shared list harness:

- ListComponent's default root only matched the legacy app-list; migrated
  pages render app-signal-list. Match either (a page has exactly one).
- Header parsing read sortable th text verbatim, which includes the
  material-icons sort ligature ("Description sort"), so findRow() never
  matched a column. Strip icon elements before reading header text.
- Row-action menus: signal-list renders data-test="row-actions" /
  "row-actions-menu" instead of the app-table-cell-actions markup; accept
  both in openRowActionMenuByRow and the api-keys delete step.

api-keys.spec.ts now passes 10/10 including the delete flow, which had
always self-skipped ("key row not found").
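The two-claimants failure and the restored contract, as an added TypeScript model that is not Stratos code. Stratos's real checks return RxJS Observables (the `of(false)` in the commit message); this model uses a plain boolean for a simple check and a boolean array for a complex check so it runs without dependencies. The names `findChecker`, `findComplexChecker`, `StratosChecker`, `CfCheckerBroken`, `CfCheckerFixed` and the sample user are hypothetical stand-ins for the Stratos classes the PR names.

```typescript
// Added example, not Stratos code: a plain-TypeScript model of the checker
// contract this PR restores. Real Stratos checks return RxJS Observables
// (of(false) etc.); here a simple check is a boolean, a complex check is an
// array of booleans, and "this config is not mine" is undefined or null.

type PermissionType = 'cf' | 'internal' | 'internal-scope' | 'api-key';

interface User {
  admin: boolean;
  cfRoles: string[];
}

interface PermissionChecker {
  // Answer the check (boolean) or decline it (undefined/null).
  getSimpleCheck(type: PermissionType, user: User): boolean | undefined | null;
  // Answer each config group it handles, or null if it handles none.
  getComplexCheck(types: PermissionType[], user: User): boolean[] | null;
}

export interface Decision {
  allowed: boolean;
  reason: 'granted' | 'denied' | 'no-checker' | 'too-many-checkers';
}

// Mirrors the failure the PR describes: every non-null answer counts as a
// claim on the permission, and more than one claimant denies it outright.
export function findChecker(
  checkers: PermissionChecker[],
  type: PermissionType,
  user: User,
): Decision {
  const claims = checkers
    .map((c) => c.getSimpleCheck(type, user))
    .filter((r): r is boolean => r !== undefined && r !== null);
  if (claims.length === 0) return { allowed: false, reason: 'no-checker' };
  if (claims.length > 1) return { allowed: false, reason: 'too-many-checkers' };
  return { allowed: claims[0], reason: claims[0] ? 'granted' : 'denied' };
}

// Same rule for complex checks. Note the truthiness test: an empty array []
// is truthy in JavaScript, so a checker that returns [] for "handled none"
// still counts as a claimant. Only null/undefined means "not mine".
export function findComplexChecker(
  checkers: PermissionChecker[],
  types: PermissionType[],
  user: User,
): Decision {
  const claims = checkers
    .map((c) => c.getComplexCheck(types, user))
    .filter((r): r is boolean[] => !!r);
  if (claims.length === 0) return { allowed: false, reason: 'no-checker' };
  if (claims.length > 1) return { allowed: false, reason: 'too-many-checkers' };
  const ok = claims[0].every(Boolean);
  return { allowed: ok, reason: ok ? 'granted' : 'denied' };
}

const STRATOS_TYPES: PermissionType[] = ['internal', 'internal-scope', 'api-key'];

// Stand-in for StratosUserPermissionsChecker: owns the stratos-level types only.
export class StratosChecker implements PermissionChecker {
  getSimpleCheck(type: PermissionType, user: User) {
    return STRATOS_TYPES.includes(type) ? user.admin : undefined;
  }
  getComplexCheck(types: PermissionType[], user: User) {
    const mine = types.filter((t) => STRATOS_TYPES.includes(t));
    return mine.length ? mine.map(() => user.admin) : null;
  }
}

// The broken CF checker (the behaviour the strict-null pass introduced):
// it denies unowned types instead of declining them, so every stratos-level
// check gets two claimants and is denied app-wide.
export class CfCheckerBroken implements PermissionChecker {
  getSimpleCheck(type: PermissionType, user: User) {
    return type === 'cf' ? user.cfRoles.includes('space_developer') : false;
  }
  getComplexCheck(types: PermissionType[], user: User) {
    // Returns [] when no group is CF; [] is truthy, so it still claims.
    return types.filter((t) => t === 'cf').map(() => user.cfRoles.includes('space_developer'));
  }
}

// The restored contract: undefined for non-CF simple checks, null when none
// of the config groups is CF.
export class CfCheckerFixed implements PermissionChecker {
  getSimpleCheck(type: PermissionType, user: User) {
    return type === 'cf' ? user.cfRoles.includes('space_developer') : undefined;
  }
  getComplexCheck(types: PermissionType[], user: User) {
    const mine = types.filter((t) => t === 'cf');
    return mine.length ? mine.map(() => user.cfRoles.includes('space_developer')) : null;
  }
}

// Constructed sample users for trying the model out.
export const ADMIN: User = { admin: true, cfRoles: [] };
export const DEVELOPER: User = { admin: false, cfRoles: ['space_developer'] };
```

With `StratosChecker` and `CfCheckerBroken` registered, `findChecker(..., 'api-key', ADMIN)` returns `too-many-checkers` even though the admin should pass; swapping in `CfCheckerFixed` restores `granted`. The complex-check variant is the reason the fix returns `null` rather than an empty array: `[]` would still pass the `!!r` filter.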

@norman-abramovitz norman-abramovitz left a comment

Contributor


LGTM, full e2e was run before this PR was submitted

@norman-abramovitz norman-abramovitz merged commit b7a42d1 into cloudfoundry:develop Jul 5, 2026
17 checks passed


Development

Successfully merging this pull request may close these issues:

  • /api-keys redirects an admin back to home mid-session
  • Endpoints Register button never appears for admins on a fresh session

2 participants