mirror of
https://github.com/MODSetter/SurfSense.git
synced 2026-06-30 21:59:46 +02:00
fix(authz):publish zero parent tables
parent
2b6bf504ec
commit
08c1d12eb1
3 changed files with 57 additions and 0 deletions
|
|
@ -0,0 +1,23 @@
|
||||||
|
"""publish Zero authz parent tables
|
||||||
|
|
||||||
|
Revision ID: 168
|
||||||
|
Revises: 167
|
||||||
|
"""
|
||||||
|
|
||||||
|
from collections.abc import Sequence
|
||||||
|
|
||||||
|
from alembic import op
|
||||||
|
from app.zero_publication import apply_publication
|
||||||
|
|
||||||
|
revision: str = "168"
|
||||||
|
down_revision: str | None = "167"
|
||||||
|
branch_labels: str | Sequence[str] | None = None
|
||||||
|
depends_on: str | Sequence[str] | None = None
|
||||||
|
|
||||||
|
|
||||||
|
def upgrade() -> None:
|
||||||
|
apply_publication(op.get_bind())
|
||||||
|
|
||||||
|
|
||||||
|
def downgrade() -> None:
|
||||||
|
"""No-op. Historical publication shapes are immutable."""
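Review bot: `upgrade()` delegates to `apply_publication` imported from `app.zero_publication`, so what revision 168 publishes is whatever that module defines when the migration runs, not a shape frozen at this commit. Replaying it on a fresh database after later edits would presumably publish those later tables and columns as well. Because `downgrade()` is a no-op, rolling back to 167 also leaves the newly published parent tables replicated. I would say so in the docstring, e.g. `"""No-op: the publication is never narrowed here, so tables published by 168 stay published after a downgrade."""`, and add a module-docstring line naming the tables this revision is meant to add.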
|
||||||
|
|
@ -80,6 +80,28 @@ async def get_user_permissions(
|
||||||
return []
|
return []
|
||||||
|
|
||||||
|
|
||||||
|
async def get_allowed_read_space_ids(
|
||||||
|
session: AsyncSession,
|
||||||
|
auth: AuthContext,
|
||||||
|
) -> list[int]:
|
||||||
|
"""Return search spaces the principal may read through sync transports.
|
||||||
|
|
||||||
|
This mirrors the basic REST search-space access rule: membership is required,
|
||||||
|
and PAT principals are additionally constrained by the per-space API gate.
|
||||||
|
"""
|
||||||
|
stmt = (
|
||||||
|
select(SearchSpaceMembership.search_space_id)
|
||||||
|
.join(SearchSpace, SearchSpace.id == SearchSpaceMembership.search_space_id)
|
||||||
|
.filter(SearchSpaceMembership.user_id == auth.user.id)
|
||||||
|
.order_by(SearchSpaceMembership.search_space_id)
|
||||||
|
)
|
||||||
|
if auth.is_gated:
|
||||||
|
stmt = stmt.filter(SearchSpace.api_access_enabled == True) # noqa: E712
|
||||||
|
|
||||||
|
result = await session.execute(stmt)
|
||||||
|
return list(result.scalars().all())
|
||||||
|
|
||||||
|
|
||||||
async def _enforce_api_access_gate(
|
async def _enforce_api_access_gate(
|
||||||
session: AsyncSession,
|
session: AsyncSession,
|
||||||
auth: AuthContext,
|
auth: AuthContext,
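Review bot: `get_allowed_read_space_ids` returns a point-in-time list, and nothing in the hunk tells callers how long it may be trusted. If a sync transport caches it for the life of a connection, a removed membership or a space whose `api_access_enabled` is switched off would keep being served. I would add a docstring line such as `The result is a snapshot; re-evaluate it for each connection or query rather than caching it across requests.` The gate condition could also read `SearchSpace.api_access_enabled.is_(True)`, which drops the `# noqa: E712`. None of the three changed files looks like a test, so the member, non-member and gated-PAT cases appear uncovered by this commit; `_enforce_api_access_gate` below the new function continues outside the hunk.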
|
||||||
|
|
|
||||||
|
|
@ -52,6 +52,16 @@ AUTOMATION_RUN_COLS = [
|
||||||
"created_at",
|
"created_at",
|
||||||
]
|
]
|
||||||
|
|
||||||
|
AUTOMATION_COLS = [
|
||||||
|
"id",
|
||||||
|
"search_space_id",
|
||||||
|
]
|
||||||
|
|
||||||
|
NEW_CHAT_THREAD_COLS = [
|
||||||
|
"id",
|
||||||
|
"search_space_id",
|
||||||
|
]
|
||||||
|
|
||||||
# Enough to drive the lifecycle UI by push: status, the reviewable brief, and
|
# Enough to drive the lifecycle UI by push: status, the reviewable brief, and
|
||||||
# its version. The bulky source_content and transcript are deliberately excluded
|
# its version. The bulky source_content and transcript are deliberately excluded
|
||||||
# and fetched over REST when a gate opens.
|
# and fetched over REST when a gate opens.
|
||||||
|
|
@ -73,10 +83,12 @@ ZERO_PUBLICATION: Mapping[str, Sequence[str] | None] = {
|
||||||
"documents": DOCUMENT_COLS,
|
"documents": DOCUMENT_COLS,
|
||||||
"folders": None,
|
"folders": None,
|
||||||
"search_source_connectors": None,
|
"search_source_connectors": None,
|
||||||
|
"new_chat_threads": NEW_CHAT_THREAD_COLS,
|
||||||
"new_chat_messages": None,
|
"new_chat_messages": None,
|
||||||
"chat_comments": None,
|
"chat_comments": None,
|
||||||
"chat_session_state": None,
|
"chat_session_state": None,
|
||||||
"user": USER_COLS,
|
"user": USER_COLS,
|
||||||
|
"automations": AUTOMATION_COLS,
|
||||||
"automation_runs": AUTOMATION_RUN_COLS,
|
"automation_runs": AUTOMATION_RUN_COLS,
|
||||||
"podcasts": PODCAST_COLS,
|
"podcasts": PODCAST_COLS,
|
||||||
}
|
}
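Review bot: `AUTOMATION_COLS` and `NEW_CHAT_THREAD_COLS` carry no comment explaining why only `id` and `search_space_id` are published, unlike the column list just below them, which documents what is deliberately excluded. Going by the commit title these tables are published only as authz parents, so a later edit that widens either list could replicate thread or automation content to clients that sync the table. A comment above each list would make the intent explicit, e.g. `# Authz parent only: id + search_space_id let child rows be scoped to a space. Do not add columns without reviewing client exposure.` The `ZERO_PUBLICATION` mapping starts outside the second hunk.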
|
||||||
|
|
|
||||||