Remove administrative-specific privileges.
The `system:resource:[view/edit/delete]` privileges are administrative
and checking for them here is a bug. It exposes data publicly.
1 files changed, 6 insertions, 12 deletions
diff --git a/gn_libs/privileges/resources.py b/gn_libs/privileges/resources.py
index 4b66c59..217a57d 100644
--- a/gn_libs/privileges/resources.py
+++ b/gn_libs/privileges/resources.py
@@ -11,9 +11,9 @@ logger = logging.getLogger(__name__)
can_view = partial(
privileges_fulfill_specs,
resource_spec=(
- "(OR group:resource:view-resource system:resource:view "
- " system:inbredset:view-case-attribute)"),
- system_spec="(OR system:system-wide:data:view system:resource:view)")
+ "(OR group:resource:view-resource system:inbredset:view-case-attribute "
+ " system:resource:public-read)"),
+ system_spec="(OR system:system-wide:data:view)")
can_edit = partial(
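Review bot: The new `system:resource:public-read` term in `can_view`'s `resource_spec` is, judging by its name, the grant that marks a resource as publicly readable, yet nothing at the definition records that or why the administrative `system:resource:*` privileges were taken out. I would add a comment above `can_view` such as `# system:resource:public-read is the only public grant; administrative system:resource:view/edit/delete must never appear in these specs.` so the exposure fixed here is not reintroduced by a later edit. The same applies to `can_edit` and `can_delete` in the following hunks. Because the diffstat shows only this file changed, a regression test asserting that a privilege set holding only `system:resource:view` no longer satisfies `can_view` would pin the fix. The call shape of `privileges_fulfill_specs` is not visible in the hunk, so the exact assertion is left to the author.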
@@ -21,13 +21,11 @@ can_edit = partial(
resource_spec=(
"(OR "
" (AND group:resource:view-resource group:resource:edit-resource) "
- " (AND system:resource:view system:resource:edit) "
" (AND system:inbredset:view-case-attribute "
" system:inbredset:edit-case-attribute))"),
system_spec=(
"(OR "
- " (AND system:system-wide:data:view system:system-wide:data:edit) "
- " (AND system:resource:view system:resource:edit))"))
+ " (AND system:system-wide:data:view system:system-wide:data:edit))"))
def can_batch_edit(queried_privileges: tuple[str, ...]) -> bool:
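Review bot: After the removal, `can_edit`'s `system_spec` is an `OR` with a single operand, `(OR (AND system:system-wide:data:view system:system-wide:data:edit))`, and the same one-armed `OR` is left in the `system_spec` of `can_view` and `can_delete`. If the spec parser accepts it, the direct form `system_spec="(AND system:system-wide:data:view system:system-wide:data:edit)"` reads more plainly. If the wrapper is kept on purpose so alternatives can be appended later, a one-line comment saying so would stop it looking like a leftover. The parser's grammar is not visible in this hunk, and `can_edit` begins above it.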
@@ -53,15 +51,11 @@ can_delete = partial(
" group:resource:edit-resource group:resource:delete-resource) "
" (AND system:inbredset:view-case-attribute "
" system:inbredset:edit-case-attribute "
- " system:inbredset:delete-case-attribute) "
- " (AND system:resource:view system:resource:edit "
- " system:resource:delete))"),
+ " system:inbredset:delete-case-attribute))"),
system_spec=(
"(OR "
" (AND system:system-wide:data:view system:system-wide:data:edit "
- " system:system-wide:data:delete) "
- " (AND system:resource:view system:resource:edit "
- " system:resource:delete))"))
+ " system:system-wide:data:delete))"))
can_apply_or_reject_edit = partial(
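Review bot: `can_batch_edit` and `can_apply_or_reject_edit` appear only as trailing context lines, so their specs are not visible in this diff. If either still lists `system:resource:view`, `system:resource:edit` or `system:resource:delete`, the exposure described in the commit message would remain on those paths. It is worth confirming both against the same rule applied here to `can_view`, `can_edit` and `can_delete`, and noting the result in the commit message. This hunk starts inside the `can_delete` expression, whose opening lines are outside it.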