
Conversation

@YashodhanJoshi1
Contributor

Fixes an issue where a native user in a non-default account would get a 401 for the license API call, whereas we want all users to have GET access to the license call.

@github-actions github-actions bot added the ☢️ Bug Something isn't working label Dec 9, 2025
@github-actions
Contributor

github-actions bot commented Dec 9, 2025

Failed to generate code suggestions for PR

@greptile-apps
Contributor

greptile-apps bot commented Dec 9, 2025

Greptile Overview

Greptile Summary

Fixed an RBAC issue where native users in non-default organizations received 401 errors when accessing the license API endpoint, causing infinite logout loops.

Key Changes:

  • Added import for db::org_users module to access list_orgs_by_user function
  • Implemented special authentication bypass for the "license" path in validate_credentials function
  • When a user is not found for the requested org but the path is "license", the code now checks if the user belongs to any organization using list_orgs_by_user
  • If the user belongs to at least one org, they're granted minimal access (UserRole::User) to view license info

Rationale:
The license endpoint (/license) is designed as an org-agnostic endpoint that should be accessible to any authenticated user across all their organizations (see comment in src/handler/http/request/license/mod.rs:102-104). However, the authentication flow was rejecting native users when they accessed this endpoint from a non-default org context.

Confidence Score: 3/5

  • This PR is mostly safe but has a potential security issue with error handling that should be addressed
  • The change correctly addresses the logout loop issue for native users, but it uses unwrap_or_default(), which could silently hide database errors and potentially allow unintended access if the database query fails. Additionally, there's a typo in the comment. The logic is otherwise sound and aligns with the intended behavior of the license endpoint.
  • The validator.rs file needs attention for the error handling in the license path check (lines 209-214)

Important Files Changed

File Analysis

Filename Score Overview
src/handler/http/auth/validator.rs 4/5 Added special RBAC handling for license endpoint to allow native users in non-default orgs to access license info without 401 errors

Sequence Diagram

sequenceDiagram
    participant Client
    participant Validator as validate_credentials
    participant UserDB as users::get_user
    participant OrgUsers as org_users::list_orgs_by_user
    participant Response as TokenValidationResponse

    Client->>Validator: Request to /license (from non-default org)
    Validator->>UserDB: get_user(org_id, user_id)
    UserDB-->>Validator: None (user not in this org)
    
    alt path == "license" (NEW)
        Validator->>OrgUsers: list_orgs_by_user(user_id)
        OrgUsers-->>Validator: Vec<UserOrgExpandedRecord>
        
        alt !orgs.is_empty()
            Validator->>Response: Create minimal access response
            Note over Response: is_valid=true<br/>user_role=User<br/>is_internal_user=true
            Validator-->>Client: Allow access (200)
        else orgs.is_empty()
            Validator->>Response: Create invalid response
            Note over Response: is_valid=false
            Validator-->>Client: Unauthorized (401)
        end
    else path != "license" (OLD behavior)
        Validator->>Response: Create invalid response
        Note over Response: is_valid=false
        Validator-->>Client: Unauthorized (401)
    end
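The review above describes the new branch in validate_credentials and flags the unwrap_or_default() on the org lookup. The following is an added illustration written for this page, not OpenObserve's validator.rs: it sketches the "license" special case twice, once with the database error swallowed by unwrap_or_default() and once propagated with ?, so that a database outage can be told apart from "this user belongs to no organization". All names here (OrgStore, MemStore, DbError, validate_lenient, validate_strict, the shape of TokenValidationResponse) are stand-ins chosen for the example and are not the project's types.

```rust
// Added example, not code from the PR under review. The type and function
// names below are assumptions made for this illustration.
use std::collections::HashMap;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum UserRole {
    Admin,
    User,
}

/// Validation outcome, modelled on the fields named in the review's
/// sequence diagram (is_valid, user_role, is_internal_user).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct TokenValidationResponse {
    pub is_valid: bool,
    pub user_role: Option<UserRole>,
    pub is_internal_user: bool,
}

impl TokenValidationResponse {
    pub fn invalid() -> Self {
        Self { is_valid: false, user_role: None, is_internal_user: false }
    }
    /// Minimal access for /license only: role User, nothing org-scoped.
    pub fn minimal_user() -> Self {
        Self { is_valid: true, user_role: Some(UserRole::User), is_internal_user: true }
    }
    fn member(role: UserRole) -> Self {
        Self { is_valid: true, user_role: Some(role), is_internal_user: true }
    }
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum DbError {
    Unavailable,
}

/// Stand-in for the two lookups the review names:
/// users::get_user and org_users::list_orgs_by_user.
pub trait OrgStore {
    fn get_user(&self, org_id: &str, user_id: &str) -> Result<Option<UserRole>, DbError>;
    fn list_orgs_by_user(&self, user_id: &str) -> Result<Vec<String>, DbError>;
}

/// In-memory memberships (constructed test data) plus a switch that makes
/// every query fail, to simulate a database outage.
pub struct MemStore {
    memberships: HashMap<(String, String), UserRole>,
    pub outage: bool,
}

impl MemStore {
    pub fn new(rows: &[(&str, &str, UserRole)]) -> Self {
        let memberships = rows
            .iter()
            .map(|(org, user, role)| ((org.to_string(), user.to_string()), *role))
            .collect();
        Self { memberships, outage: false }
    }
}

impl OrgStore for MemStore {
    fn get_user(&self, org_id: &str, user_id: &str) -> Result<Option<UserRole>, DbError> {
        if self.outage {
            return Err(DbError::Unavailable);
        }
        Ok(self.memberships.get(&(org_id.to_string(), user_id.to_string())).copied())
    }
    fn list_orgs_by_user(&self, user_id: &str) -> Result<Vec<String>, DbError> {
        if self.outage {
            return Err(DbError::Unavailable);
        }
        Ok(self.memberships.keys()
            .filter(|(_, u)| u.as_str() == user_id)
            .map(|(o, _)| o.clone())
            .collect())
    }
}

/// Variant the review flags: a failed list_orgs_by_user becomes an empty Vec,
/// so an outage is handled exactly like "belongs to no org" and never surfaces.
pub fn validate_lenient(store: &impl OrgStore, org_id: &str, user_id: &str, path: &str) -> TokenValidationResponse {
    match store.get_user(org_id, user_id).unwrap_or_default() {
        Some(role) => TokenValidationResponse::member(role),
        None if path == "license" => {
            let orgs = store.list_orgs_by_user(user_id).unwrap_or_default();
            if orgs.is_empty() { TokenValidationResponse::invalid() } else { TokenValidationResponse::minimal_user() }
        }
        None => TokenValidationResponse::invalid(),
    }
}

/// Fail-closed variant: the caller gets Err for an outage and can log it and
/// answer 5xx instead of a 401 that looks like a membership decision.
pub fn validate_strict(store: &impl OrgStore, org_id: &str, user_id: &str, path: &str) -> Result<TokenValidationResponse, DbError> {
    Ok(match store.get_user(org_id, user_id)? {
        Some(role) => TokenValidationResponse::member(role),
        None if path == "license" => {
            if store.list_orgs_by_user(user_id)?.is_empty() { TokenValidationResponse::invalid() } else { TokenValidationResponse::minimal_user() }
        }
        None => TokenValidationResponse::invalid(),
    })
}

fn main() {
    let mut store = MemStore::new(&[("default", "alice", UserRole::Admin), ("acme", "bob", UserRole::User)]);
    println!("alice -> acme /license: {:?}", validate_lenient(&store, "acme", "alice", "license"));
    store.outage = true;
    println!("outage, lenient: {:?}", validate_lenient(&store, "acme", "alice", "license"));
    println!("outage, strict:  {:?}", validate_strict(&store, "acme", "alice", "license"));
}
```

In the lenient version a native user whose org lookup fails gets the same invalid response as a non-member, which is the 401 the fix set out to remove, and nothing records that the query failed; the strict version keeps the minimal-access grant limited to path == "license" and to users with at least one membership, while making the outage visible to the caller.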


@greptile-apps greptile-apps bot left a comment


1 file reviewed, 2 comments


Signed-off-by: Yashodhan Joshi <[email protected]>
YashodhanJoshi1 added a commit that referenced this pull request Dec 9, 2025
#9529 for v0.30.0

---------

Signed-off-by: Yashodhan Joshi <[email protected]>
Co-authored-by: Yashodhan Joshi <[email protected]>
@YashodhanJoshi1 YashodhanJoshi1 merged commit 4780a9e into main Dec 10, 2025
41 checks passed
@YashodhanJoshi1 YashodhanJoshi1 deleted the fix/license_native_rbac branch December 10, 2025 11:37