[s] v6.12.3: Why are we still here? Just to suffer??

build/Version.props

@@ -3,7 +3,7 @@
   <!-- Integration tests will ensure they match across the board -->
   <Import Project="WebpanelVersion.props" />
   <PropertyGroup>
-    <TgsCoreVersion>6.12.2</TgsCoreVersion>
+    <TgsCoreVersion>6.12.3</TgsCoreVersion>
     <TgsConfigVersion>5.4.0</TgsConfigVersion>
     <TgsRestVersion>10.12.0</TgsRestVersion>
     <TgsGraphQLVersion>0.5.0</TgsGraphQLVersion>

src/Tgstation.Server.Host/Core/Application.cs

@@ -298,7 +298,10 @@ void ConfigureNewtonsoftJsonSerializerSettingsForApi(JsonSerializerSettings sett
 			services
 				.AddScoped<GraphQL.Subscriptions.ITopicEventReceiver, ShutdownAwareTopicEventReceiver>()
 				.AddGraphQLServer()
-				.AddAuthorization()
+				.AddAuthorization(
+					options => options.AddPolicy(
+						TgsAuthorizeAttribute.PolicyName,
+						builder => builder.RequireRole(TgsAuthorizeAttribute.UserEnabledRole)))
 				.ModifyOptions(options =>
 				{
 					options.EnsureAllNodesCanBeResolved = true;

src/Tgstation.Server.Host/Security/TgsAuthorizeAttribute.cs

@@ -15,10 +15,15 @@ namespace Tgstation.Server.Host.Security
 	[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
 	sealed class TgsAuthorizeAttribute : AuthorizeAttribute
 	{
+		/// <summary>
+		/// Policy used to apply global requirement of <see cref="UserEnabledRole"/>.
+		/// </summary>
+		public const string PolicyName = "Policy.UserEnabled";
+
 		/// <summary>
 		/// Role used to indicate access to the server is allowed.
 		/// </summary>
-		public const string UserEnabledRole = "Core.UserEnabled";
+		public const string UserEnabledRole = "Role.UserEnabled";
 
 		/// <summary>
 		/// Gets the <see cref="Api.Rights.RightsType"/> associated with the <see cref="TgsAuthorizeAttribute"/> if any.
@@ -130,8 +135,12 @@ public TgsAuthorizeAttribute(InstancePermissionSetRights requiredRights)
 		private TgsAuthorizeAttribute(IEnumerable<string> roles)
 		{
 			var listRoles = roles.ToList();
-			listRoles.Add(UserEnabledRole);
-			Roles = String.Join(",", listRoles);
+			if (listRoles.Count != 0)
+			{
+				Roles = String.Join(",", listRoles);
+			}
+
+			Policy = PolicyName;
 		}
 	}
 }

src/Tgstation.Server.Host/Security/TgsGraphQLAuthorizeAttribute.cs

@@ -125,8 +125,12 @@ public TgsGraphQLAuthorizeAttribute(InstancePermissionSetRights requiredRights)
 		private TgsGraphQLAuthorizeAttribute(IEnumerable<string> roleNames)
 		{
 			var listRoles = roleNames.ToList();
-			listRoles.Add(TgsAuthorizeAttribute.UserEnabledRole);
-			Roles = [.. listRoles];
+			if (listRoles.Count != 0)
+			{
+				Roles = [.. listRoles];
+			}
+
+			Policy = TgsAuthorizeAttribute.PolicyName;
 			Apply = ApplyPolicy.Validation;
 		}
 	}

tests/Tgstation.Server.Tests/Live/Instance/InstanceTest.cs

@@ -48,7 +48,7 @@ public async Task RunTests(
 			await using var engineTest = new EngineTest(instanceClient.Engine, instanceClient.Jobs, fileDownloader, instanceClient.Metadata, testVersion.Engine.Value);
 			await using var chatTest = new ChatTest(instanceClient.ChatBots, instanceManagerClient, instanceClient.Jobs, instanceClient.Metadata);
 			var configTest = new ConfigurationTest(instanceClient.Configuration, instanceClient.Metadata);
-			await using var repoTest = new RepositoryTest(instanceClient.Repository, instanceClient.Jobs);
+			await using var repoTest = new RepositoryTest(instanceClient, instanceClient.Repository, instanceClient.Jobs);
 			await using var dmTest = new DeploymentTest(instanceClient, instanceClient.Jobs, dmPort, ddPort, lowPrioDeployment, testVersion);
 
 			var byondTask = engineTest.Run(cancellationToken, out var firstInstall);

tests/Tgstation.Server.Tests/Live/Instance/RepositoryTest.cs

@@ -8,18 +8,21 @@
 using Tgstation.Server.Api.Models;
 using Tgstation.Server.Api.Models.Request;
 using Tgstation.Server.Api.Models.Response;
+using Tgstation.Server.Api.Rights;
 using Tgstation.Server.Client;
 using Tgstation.Server.Client.Components;
 
 namespace Tgstation.Server.Tests.Live.Instance
 {
 	sealed class RepositoryTest : JobsRequiredTest
 	{
+		readonly IInstanceClient instanceClient;
 		readonly IRepositoryClient repositoryClient;
 
-		public RepositoryTest(IRepositoryClient repositoryClient, IJobsClient jobsClient)
+		public RepositoryTest(IInstanceClient instanceClient, IRepositoryClient repositoryClient, IJobsClient jobsClient)
 			: base(jobsClient)
 		{
+			this.instanceClient = instanceClient ?? throw new ArgumentNullException(nameof(instanceClient));
 			this.repositoryClient = repositoryClient ?? throw new ArgumentNullException(nameof(repositoryClient));
 		}
 
@@ -141,6 +144,29 @@ await repositoryClient.Update(new RepositoryUpdateRequest
 
 			var prNumber = 2;
 			await TestMergeTests(updated, prNumber, cancellationToken);
+
+			await RegressionTest2064(cancellationToken);
+		}
+
+		async ValueTask RegressionTest2064(CancellationToken cancellationToken)
+		{
+			var oldPerms = await instanceClient.PermissionSets.Read(cancellationToken);
+
+			var newPerms = await instanceClient.PermissionSets.Update(new InstancePermissionSetRequest
+			{
+				PermissionSetId = oldPerms.PermissionSetId,
+				RepositoryRights = RepositoryRights.SetSha,
+			}, cancellationToken);
+
+			Assert.AreEqual(RepositoryRights.SetSha, newPerms.RepositoryRights);
+
+			await ApiAssert.ThrowsException<InsufficientPermissionsException>(async () => await repositoryClient.Read(cancellationToken));
+
+			await instanceClient.PermissionSets.Update(new InstancePermissionSetRequest
+			{
+				PermissionSetId = oldPerms.PermissionSetId,
+				RepositoryRights = oldPerms.RepositoryRights,
+			}, cancellationToken);
 		}
 
 		async ValueTask RecloneTest(CancellationToken cancellationToken)

tests/Tgstation.Server.Tests/Live/TestLiveServer.cs

@@ -1,4 +1,4 @@
-using System;
+using System;
 using System.Collections.Generic;
 using System.Diagnostics;
 using System.IO;
@@ -1942,7 +1942,7 @@ await adminClient.Execute(
 					Assert.AreEqual(expectedStaged, currentDD.ActiveCompileJob.Job.Id.Value);
 					Assert.IsNull(currentDD.StagedCompileJob);
 
-					await using var repoTestObj = new RepositoryTest(instanceClient.Repository, instanceClient.Jobs);
+					await using var repoTestObj = new RepositoryTest(instanceClient, instanceClient.Repository, instanceClient.Jobs);
 					var repoTest = repoTestObj.RunPostTest(cancellationToken);
 					await using var chatTestObj = new ChatTest(instanceClient.ChatBots, restAdminClient.Instances, instanceClient.Jobs, instance);
 					await chatTestObj.RunPostTest(cancellationToken);