Skip to content

fix: rbac for native user for license call #9530

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
YashodhanJoshi1 merged 2 commits into from
Dec 9, 2025
Merged

fix: rbac for native user for license call #9530

YashodhanJoshi1 merged 2 commits into from
Dec 9, 2025

Conversation

@YashodhanJoshi1
Copy link
Contributor

@YashodhanJoshi1 YashodhanJoshi1 commented Dec 9, 2025

#9529 for v0.30.0

@YashodhanJoshi1 YashodhanJoshi1 added this to the v0.30.0 milestone Dec 9, 2025
@YashodhanJoshi1 YashodhanJoshi1 added Needs-Testing Needs-Testing ☢️ Bug Something isn't working labels Dec 9, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Dec 9, 2025

Failed to generate code suggestions for PR

@greptile-apps
Copy link
Contributor

greptile-apps bot commented Dec 9, 2025

Greptile Overview

Greptile Summary

This PR fixes an RBAC issue for native users accessing the license endpoint by adding a special case in the authentication validator. When a user is not found in the current organization but the request path is license, the code now checks if the user belongs to at least one organization using org_users::list_orgs_by_user(). If the user is part of any organization, the request is allowed with minimal User role permissions.

Key Changes

  • Added import for db::org_users module
  • Introduced special handling for the license endpoint path in validate_credentials()
  • Prevents native users from getting stuck in logout loops when accessing pages that call the license API

Issues Found

  • Minor typo in comment: "go t any" should be "go to any" (line 207)

Confidence Score: 4/5

  • This PR is safe to merge with minimal risk as it addresses a specific bug in authentication handling
  • The fix is targeted and solves a legitimate issue where native users get stuck in logout loops. The change adds a safety check that ensures users belong to at least one organization before granting access to the license endpoint. The implementation uses existing, tested database functions and follows the pattern of returning a minimal role. The only concern is that this creates a special case in the authentication flow, but it's well-documented with clear comments explaining the rationale.
  • No files require special attention - the single file change is straightforward with only a minor typo to fix

Important Files Changed

File Analysis

Filename Score Overview
src/handler/http/auth/validator.rs 4/5 Added special handling for license path to allow native users who belong to at least one org to access the license endpoint, fixing a logout loop issue

Sequence Diagram

sequenceDiagram
    participant Client
    participant validator.rs
    participant org_users.rs
    participant Database
    
    Client->>validator.rs: Request to /license endpoint
    validator.rs->>validator.rs: Extract path and user_id
    validator.rs->>validator.rs: Check if user exists in org
    
    alt User not found in org
        validator.rs->>validator.rs: Check if path == "license"
        validator.rs->>org_users.rs: list_orgs_by_user(user_id)
        org_users.rs->>Database: Query user's orgs
        Database-->>org_users.rs: Return list of orgs
        org_users.rs-->>validator.rs: Return org list
        
        alt User belongs to at least one org
            validator.rs-->>Client: Return TokenValidationResponse (valid=true, role=User)
        else User belongs to no orgs
            validator.rs-->>Client: Return TokenValidationResponse (valid=false)
        end
    else User found in org
        validator.rs-->>Client: Continue with normal validation
    end
Loading

greptile-apps[bot]
greptile-apps bot reviewed Dec 9, 2025
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 file reviewed, 1 comment

Edit Code Review Agent Settings | Greptile

src/handler/http/auth/validator.rs Outdated
// logged in. So here we check if the user id is part of atleast one
// org, and if so, allow the call. If the user is not part of the current org
// rest of api calls will get blocked anyways, but without this,
// native users get stuck in logout loop if they go t any page calling license
Copy link
Contributor

@greptile-apps greptile-apps bot Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

syntax: typo: "go t any" should be "go to any"

Prompt To Fix With AI 
This is a comment left during a code review.
Path: src/handler/http/auth/validator.rs
Line: 207:207

Comment:
**syntax:** typo: "go t any" should be "go to any"

How can I resolve this? If you propose a fix, please make it concise.

@YJDoc2
fix: do a proper cred check
bf6d9c5 
Signed-off-by: Yashodhan Joshi <[email protected]>
@YashodhanJoshi1 YashodhanJoshi1 merged commit 151e8ac into branch-v0.30.0 Dec 9, 2025
35 checks passed
@YashodhanJoshi1 YashodhanJoshi1 deleted the fix/license_native_rbac_v30 branch December 9, 2025 13:00
@priyabrata-stack priyabrata-stack added Testing-Completed Testing-Completed and removed Needs-Testing Needs-Testing labels Dec 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hengfeiyang hengfeiyang hengfeiyang approved these changes

+1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

☢️ Bug Something isn't working Testing-Completed Testing-Completed

Projects

None yet

Milestone

v0.30.0

Development

Successfully merging this pull request may close these issues.

5 participants

@YashodhanJoshi1 @hengfeiyang @priyabrata-stack @YJDoc2