Merge pull request #194 from bento-platform/fix/edit-dataset-perms-def

fix(auth): don't allow data type narrowing in edit:dataset permission
bento-platform · May 2, 2024 · 17ab2e0 · 17ab2e0
2 parents 4e0a77d + edb1275
commit 17ab2e0
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 13 deletions.
diff --git a/bento_lib/auth/permissions.py b/bento_lib/auth/permissions.py
@@ -164,6 +164,13 @@ def supports_data_type_narrowing(self) -> bool:
 P_VIEW_NOTIFICATIONS = Permission(VIEW_VERB, NOTIFICATIONS)
 P_CREATE_NOTIFICATIONS = Permission(CREATE_VERB, NOTIFICATIONS)
 
+#  - dataset metadata editing
+P_EDIT_DATASET = Permission(EDIT_VERB, DATASET, supports_data_type_narrowing=False)
+
+#  - can view edit permissions for the resource which granted this permission only:
+P_VIEW_PERMISSIONS = Permission(VIEW_VERB, PERMISSIONS_NOUN)
+P_EDIT_PERMISSIONS = Permission(EDIT_VERB, PERMISSIONS_NOUN)
+
 # ---
 
 # only {everything: true} or {project: ...} (instance- or project-level):
@@ -177,15 +184,6 @@ def supports_data_type_narrowing(self) -> bool:
     DELETE_VERB, DATASET, min_level_required=LEVEL_PROJECT, supports_data_type_narrowing=False, gives=(P_DELETE_DATA,))
 # ---
 
-#  - dataset metadata editing
-P_EDIT_DATASET = Permission(EDIT_VERB, DATASET)
-
-# can view edit permissions for the resource which granted this permission only:
-P_VIEW_PERMISSIONS = Permission(VIEW_VERB, PERMISSIONS_NOUN)
-P_EDIT_PERMISSIONS = Permission(EDIT_VERB, PERMISSIONS_NOUN)
-
-# ---
-
 # only {everything: true} (instance-level):
 
 #  - drop box

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "bento-lib"
-version = "11.7.0"
+version = "11.7.1"
 description = "A set of common utilities and helpers for Bento platform services."
 authors = [
     "David Lougheed <[email protected]>",