Fix vouch verification authorization (STI policy misroute) #274
Open
leowilkin wants to merge 1 commit into
Verification is an STI base class, so Pundit's class-based authorize
resolves Verification::VouchVerification via model_name -> the base
class name ("Verification"), landing on VerificationPolicy instead of
Verification::VouchVerificationPolicy. VerificationPolicy never defines
create?, so it falls through to ApplicationPolicy#create? = false and
denies everyone, including super admins.
Pass policy_class explicitly on both new_vouch and create_vouch so the
super_admin gate in VouchVerificationPolicy#create? actually runs.
2edd0c4 to 5889dfe
Problem
Creating a vouch verification returns "you don't seem to be authorized to do that?" for everyone — including super admins. Sentry confirms the failure:
Root cause
Verification is an STI base class and Verification::VouchVerification is a subclass. When Backend::IdentitiesController#new_vouch / #create_vouch call:
Pundit resolves the policy via find_class_name, which calls subject.model_name. For an STI subclass, model_name returns the base class name ("Verification"), so Pundit builds VerificationPolicy and never reaches Verification::VouchVerificationPolicy. VerificationPolicy doesn't define create?, so it falls through to ApplicationPolicy#create? = false → denied for all users. The intended gate, VouchVerificationPolicy#create? = user.super_admin?, never runs.
Fix
Pass policy_class: explicitly at both call sites so STI model_name resolution can't misroute it:
create? is the only method where the subclass policy diverges from VerificationPolicy, and it's only ever invoked with the class form in these two actions, so this is the minimal correct change.
Testing
/backend/identities/:id/new_vouch and create a vouch
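Added example, not part of the PR or the project's code: a self-contained stand-in for name-based policy lookup that reproduces the misroute described above and shows the effect of an explicit policy class. The helpers resolve_policy and allowed? are hypothetical, the User struct is constructed for the example, and model_name returning the base class name is modeled on the PR description rather than taken from the application.

```ruby
# Stand-in for name-based policy lookup; not Pundit's or the project's code.
User = Struct.new(:super_admin) do
  def super_admin?
    super_admin
  end
end

class ApplicationPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  def create?
    false # default deny
  end
end

class Verification
  # Assumption taken from the PR description: STI subclasses report the
  # base class name, so the subclass inherits this answer unchanged.
  def self.model_name
    "Verification"
  end

  class VouchVerification < Verification; end
end

class VerificationPolicy < ApplicationPolicy; end # no create? override

class Verification::VouchVerificationPolicy < ApplicationPolicy
  def create?
    user.super_admin?
  end
end

# Hypothetical helper: derive "<model_name>Policy" unless policy_class is given.
def resolve_policy(subject, policy_class: nil)
  policy_class || Object.const_get("#{subject.model_name}Policy")
end

# Hypothetical helper: build the resolved policy and ask it the query.
def allowed?(user, subject, query, policy_class: nil)
  resolve_policy(subject, policy_class: policy_class).new(user, subject).public_send(query)
end
```

A request spec asserting that a super admin is allowed and a regular user is denied on both actions would catch a regression in either direction, since the name-derived lookup fails closed without raising an error.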