Commit e65ce01f authored by Derek Hudson's avatar Derek Hudson

Added checking create to the default data authorization REGO as this should...

Added checking create to the default data authorization REGO as this should ensure that records are not created with invalid ACLs.
parent b01b66c9
1 merge request!492Added checking create to the default data authorization REGO as this should...
Pipeline #270349 failed
...@@ -38,7 +38,7 @@ check_errors[{"id": id, "message": "User is not authorized to create or update r ...@@ -38,7 +38,7 @@ check_errors[{"id": id, "message": "User is not authorized to create or update r
} }
check_errors[{"id": id, "message": "The user is not authorized to perform this action", "reason": "Access denied", "code": "403"}] { check_errors[{"id": id, "message": "The user is not authorized to perform this action", "reason": "Access denied", "code": "403"}] {
input.operation == ["update", "purge", "delete"][_] input.operation == ["create", "update", "purge", "delete"][_]
owners := {o | o := input.records[x].acls.owners[_]} owners := {o | o := input.records[x].acls.owners[_]}
count(owners & permissionSet) == 0 count(owners & permissionSet) == 0
root_user == false root_user == false
...@@ -78,4 +78,4 @@ check_errors[{"id": id, "message": "Invalid 'operation' supplied on input", "rea ...@@ -78,4 +78,4 @@ check_errors[{"id": id, "message": "Invalid 'operation' supplied on input", "rea
input.operation != "delete" input.operation != "delete"
id := input.records[x].id id := input.records[x].id
} }
\ No newline at end of file
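Review bot: The create path added to the operation list in the first hunk has no visible test, and the pipeline for this commit is shown as failed. With "create" included, the rule should emit the 403 entry for a new record when none of its `acls.owners` entries is in `permissionSet`, including when the owners list is missing or empty (the set is then empty and the intersection count is 0); this assumes `x` is bound per record by an `id` assignment outside the hunk. I would add policy tests for `input.operation == "create"` covering owners the caller does not belong to and a record with no `acls.owners`, each expecting the 403 entry, plus a comment above the rule such as `# create is checked so a caller cannot write a record whose owners exclude them`. The rule also relies on `root_user == false`, whose definition is outside the hunk: if `root_user` has no `default root_user = false`, the comparison is undefined rather than false and this deny would never fire, so that is worth confirming now that create depends on it. The rule at the top of the first hunk already reports "create or update" failures, so a create request may now produce two 403 entries for the same record id.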