`2fad8e4`

C3: locked-issue gate uses real collab role via policy.HasRoleAtLeast

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 5 days ago

SHA: 2fad8e457d3bdc3b66a7975d6cb5dff5584c2a31
Parents: 0996131
Tree: 955d1ff

3 changed files

Status	File	+	-
M	`internal/auth/policy/policy.go`	41	0
M	`internal/issues/issues_test.go`	38	0
M	`internal/web/handlers/repo/issues.go`	24	6

internal/auth/policy/policy.gomodified

  		return deny(DenyDBError, "role lookup failed: "+err.Error())
+ 	}
 +	// 6a. Author-self-close on issues and PRs. The author of an issue or
 +	//     PR is allowed to close (and reopen — same Action) their own
 +	//     thread regardless of their collaborator role. Handlers populate
 +	//     `repo.AuthorUserID` on the close path; everywhere else the
 +	//     field is zero and this branch is dead. Suspension and archived
 +	//     gates above still apply — they ran before this. Note: we do NOT
 +	//     extend this to `ActionIssueLabel`/`ActionIssueAssign`; only the
 +	//     close action is author-self by design (matches GitHub).
 +	if (action == ActionIssueClose || action == ActionPullClose) &&
 +		repo.AuthorUserID != 0 && repo.AuthorUserID == actor.UserID {
 +		return allow("author of thread")
 +	}
++
  	// 7. Archived repos: writes denied even for owners. Reads still go
  	//    through the role check above. (We could short-circuit reads
  	//    earlier but keeping the flow uniform makes the matrix readable.)
  // errBadAction is returned by Can when a caller passes a value that
  // doesn't match any registered Action. Reserved for tests.
  var errBadAction = errors.New("policy: unregistered action")
++
 +// EffectiveRole returns the actor's resolved role on repo, taking
 +// owner-equals-admin into account and consulting the per-request cache.
 +//
 +// Use this when a handler needs to ask "is this actor at least X" for a
 +// rule that doesn't map cleanly to an Action — for example, the
 +// locked-issue gate which lets triage+ comment despite the lock without
 +// granting them any other write permission.
 +//
 +// Returns RoleNone for anonymous actors and on any DB error; callers
 +// should treat RoleNone as "no permissions."
 +func EffectiveRole(ctx context.Context, d Deps, actor Actor, repo RepoRef) Role {
 +	if actor.IsAnonymous {
 +		return RoleNone
 +	}
 +	r, err := effectiveRole(ctx, d, actor, repo)
 +	if err != nil {
 +		return RoleNone
 +	}
 +	return r
 +}
++
 +// HasRoleAtLeast is the convenience shorthand for the common case:
 +// "does this actor hold at least `want` on this repo?" Wraps
 +// EffectiveRole + RoleAtLeast.
 +func HasRoleAtLeast(ctx context.Context, d Deps, actor Actor, repo RepoRef, want Role) bool {
 +	return RoleAtLeast(EffectiveRole(ctx, d, actor, repo), want)
 +}

internal/issues/issues_test.gomodified

+ 	}
+ }
 +// TestAddComment_LockedAllowsCollab is the positive companion to the
 +// previous test: when the orchestrator is told `IsCollab=true` the
 +// locked gate must yield. This guards the policy contract — a triage+
 +// collaborator is allowed to post past a lock so they can wrap up
 +// drive-by spam threads. (S00-S25 audit, finding C3.)
 +func TestAddComment_LockedAllowsCollab(t *testing.T) {
 +	pool, deps, uid, rid := setup(t)
 +	ctx := context.Background()
 +	row, err := issues.Create(ctx, deps, issues.CreateParams{
 +		RepoID: rid, AuthorUserID: uid, Title: "lock-me", Body: "",
 +	})
 +	if err != nil {
 +		t.Fatalf("Create: %v", err)
 +	}
 +	if err := issues.SetLock(ctx, deps, uid, row.ID, true, "spam"); err != nil {
 +		t.Fatalf("SetLock: %v", err)
 +	}
 +	uq := usersdb.New()
 +	collab, err := uq.CreateUser(ctx, pool, usersdb.CreateUserParams{
 +		Username: "tessie", DisplayName: "Tessie", PasswordHash: fixtureHash,
 +	})
 +	if err != nil {
 +		t.Fatalf("CreateUser: %v", err)
 +	}
 +	c, err := issues.AddComment(ctx, deps, issues.CommentCreateParams{
 +		IssueID:      row.ID,
 +		AuthorUserID: collab.ID,
 +		Body:         "wrapping up the thread",
 +		IsCollab:     true,
 +	})
 +	if err != nil {
 +		t.Fatalf("expected lock bypass for collab, got %v", err)
 +	}
 +	if c.ID == 0 {
 +		t.Errorf("returned comment had zero ID")
 +	}
 +}
++
  func TestSetState_EmitsEvent(t *testing.T) {
  	pool, deps, uid, rid := setup(t)
  	ctx := context.Background()

internal/web/handlers/repo/issues.gomodified

  		Pool:    h.d.Pool,
  		Limiter: h.d.Limiter,
  		Logger:  h.d.Logger,
 +		Audit:   h.d.Audit,
+ 	}
+ }
  	viewer := middleware.CurrentUserFromContext(r.Context())
  	body := r.PostFormValue("body")
 -	// IsCollab — for v1 only the repo owner counts as collaborator
 -	// (S15 attaches collaborators table; lookup deferred for the
 -	// locked-issue gate). Owners always pass.
 -	isCollab := row.OwnerUserID.Valid && row.OwnerUserID.Int64 == viewer.ID
 +	// IsCollab is the locked-issue bypass: triage+ on the repo can comment
 +	// past a `locked=true` flag (the gate exists to silence drive-by
 +	// posters). We resolve the *real* role via the policy package — owner
 +	// is implicit admin, and any explicit collaborator with role >= triage
 +	// passes. Read fails (DB miss, unknown role) fail closed via RoleNone.
 +	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
 +	isCollab := policy.HasRoleAtLeast(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, policy.NewRepoRefFromRepo(row), policy.RoleTriage)
  	_, err := issues.AddComment(r.Context(), h.issuesDeps(), issues.CommentCreateParams{
  		IssueID:      issue.ID,
+ }
  func (h *Handlers) issueSetState(w http.ResponseWriter, r *http.Request) {
 -	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionIssueClose)
 +	// Two-pass authorization: read access first, then ActionIssueClose
 +	// with `repo.AuthorUserID = issue.AuthorUserID` set so the policy
 +	// engine grants author-self-close. Without the second pass, an
 +	// issue's reporter who isn't a triage collaborator couldn't close
 +	// their own thread — which the audit flagged (S00-S25, H1).
 +	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionIssueRead)
  	if !ok {
  		return
+ 	}
  	if !ok {
  		return
+ 	}
 +	viewer := middleware.CurrentUserFromContext(r.Context())
 +	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
 +	repoRef := policy.NewRepoRefFromRepo(row)
 +	if issue.AuthorUserID.Valid {
 +		repoRef.AuthorUserID = issue.AuthorUserID.Int64
 +	}
 +	if dec := policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, policy.ActionIssueClose, repoRef); !dec.Allow {
 +		h.d.Render.HTTPError(w, r, policy.Maybe404(dec, repoRef, actor), "")
 +		return
 +	}
  	state := strings.TrimSpace(r.PostFormValue("state"))
  	reason := strings.TrimSpace(r.PostFormValue("reason"))
 -	viewer := middleware.CurrentUserFromContext(r.Context())
  	if err := issues.SetState(r.Context(), h.issuesDeps(), viewer.ID, issue.ID, state, reason); err != nil {
  		h.handleIssueWriteError(w, r, owner.Username, row, issue, err)
  		return