Separate checking of system and resource privileges.
Merging the resource and system privileges before checking leads to
some subtle bugs. This commit separates the checking of the two.
1 files changed, 4 insertions, 3 deletions
diff --git a/gn_libs/privileges/authspec.py b/gn_libs/privileges/authspec.py
index 2ae154f..2819f9d 100644
--- a/gn_libs/privileges/authspec.py
+++ b/gn_libs/privileges/authspec.py
@@ -167,10 +167,11 @@ def check(spec: str, privileges: tuple[str, ...]) -> bool:
def privileges_fulfill_specs(
- queried_privileges: tuple[str, ...],
+ resource_privileges: tuple[str, ...],
+ system_privileges: tuple[str, ...],
resource_spec: str,
system_spec: str
) -> bool:
"""Check whether a user's privileges fulfill the given specs."""
- return (check(resource_spec, queried_privileges) or
- check(system_spec, queried_privileges))
+ return (check(resource_spec, resource_privileges) or
+ check(system_spec, system_privileges))
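Review bot: `resource_privileges` and `system_privileges` share the type `tuple[str, ...]` and sit next to each other positionally, so a call site that passes them in the wrong order still type-checks and silently evaluates each spec against the other scope's privileges, which is the same cross-scope match this commit removes. Making the parameters keyword-only, by adding a `*,` line before `resource_privileges` in the signature, would force every call site to name the scope it is passing; the callers are outside this hunk and would need updating. The docstring could also state the contract, e.g. `"""Return True if resource_spec is met by resource_privileges or system_spec is met by system_privileges; privileges never count across scopes."""`. A regression test in which a privilege appears only in `system_privileges` and must not satisfy `resource_spec` would pin the fix.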