Skip to content

fix(list): allow listing an ancestor folder when permission is only on a descendant#299

Merged
kptdobe merged 1 commit into
mainfrom
fix/list-ancestor-permission
Jul 8, 2026
Merged

fix(list): allow listing an ancestor folder when permission is only on a descendant#299
kptdobe merged 1 commit into
mainfrom
fix/list-ancestor-permission

Conversation

@kptdobe

@kptdobe kptdobe commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

  • A user granted read/write only on a deep path (e.g. /folder2/a/b/c) got 403 listing any ancestor folder — including root — because permission was checked against the exact requested path only.
  • Add hasDescendantPermission as a fallback in the list route: if the exact path isn't directly readable but some descendant is, the listing proceeds, and each child entry is individually checked so only entries that are directly permitted or lead to a permitted descendant are shown.
  • Fix the top-level authorized gate in src/index.js, which short-circuited with 403 before the list route's own (now descendant-aware) check ever ran, for the list api only. All other apis keep the strict exact-path gate.

Test plan

  • npm test — 419 passing
  • npm run lint — clean
  • New unit tests cover: the reported scenario, wildcard (/foo/**) and (/foo/+**) grants, prefix-collision guards (/team vs /teamx), multi-user AND semantics, CONFIG-grant leak prevention, open-ACL passthrough, and regression of existing exact-permission behavior.

Co-Authored-By: Claude Sonnet 5 noreply@anthropic.com

…ranted on a descendant

A user granted read/write on a deep path (e.g. /folder2/a/b/c) got 403
listing any ancestor folder, including root, since permission was only
checked against the exact requested path. Add hasDescendantPermission
as a fallback and filter each listed child individually so only
folders leading to a permitted descendant (or directly permitted
entries) are shown. Also fixes the top-level authorized gate in
index.js, which short-circuited before the list route's own check
ever ran.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Signed-off-by: kptdobe <acapt@adobe.com>
@codecov

codecov Bot commented Jul 8, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@kptdobe kptdobe requested a review from bosschaert July 8, 2026 13:03

@auniverseaway auniverseaway left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. A lot of people are going to be happy about this.

@bosschaert

Copy link
Copy Markdown
Contributor

So IIUC this if you have only permissions in a specific subfolder, this would allow you to navigate to that folder from the root, and you would only see the path to your folder and not anything else.

I guess that makes sense 👍

@kptdobe kptdobe merged commit 420f664 into main Jul 8, 2026
6 checks passed
@kptdobe kptdobe deleted the fix/list-ancestor-permission branch July 8, 2026 14:28
adobe-bot pushed a commit that referenced this pull request Jul 8, 2026
## [1.12.1](v1.12.0...v1.12.1) (2026-07-08)

### Bug Fixes

* **list:** allow listing an ancestor folder when permission is only granted on a descendant ([#299](#299)) ([420f664](420f664))
@adobe-bot

Copy link
Copy Markdown
Collaborator

🎉 This PR is included in version 1.12.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

kptdobe added a commit to adobe/da-live that referenced this pull request Jul 9, 2026
adobe/da-admin#299 lets a folder with no direct grant but a permitted
descendant list successfully (filtered), instead of 403. Update the
acl_browse test to expect the filtered listing on testdocs, and add a
sibling no-permission path (otherdir) to keep true-403 coverage.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants