From 422d40142e4373f51c539fa846cc33b604e54c0f Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Thu, 14 May 2026 09:06:40 -0500
Subject: Separate checking of system and resource privileges.

Merging the resource and system privileges before checking leads to
some subtle bugs. This commit separates the checking of the two.
---
 gn_libs/privileges/authspec.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'gn_libs')

diff --git a/gn_libs/privileges/authspec.py b/gn_libs/privileges/authspec.py
index 2ae154f..2819f9d 100644
--- a/gn_libs/privileges/authspec.py
+++ b/gn_libs/privileges/authspec.py
@@ -167,10 +167,11 @@ def check(spec: str, privileges: tuple[str, ...]) -> bool:
 
 
 def privileges_fulfill_specs(
-        queried_privileges: tuple[str, ...],
+        resource_privileges: tuple[str, ...],
+        system_privileges: tuple[str, ...],
         resource_spec: str,
         system_spec: str
 ) -> bool:
     """Check whether a user's privileges fulfill the given specs."""
-    return (check(resource_spec, queried_privileges) or
-            check(system_spec, queried_privileges))
+    return (check(resource_spec, resource_privileges) or
+            check(system_spec, system_privileges))
-- 
cgit 1.4.1