tenseleyflow/shithub / c9d4831

+//

+// New web-layer code should prefer UserActorFromCurrentUser, which

+// also propagates the impersonation pair so admin viewing-as flows

+// don't silently leak write permission. UserActor is preserved for

+// callers that don't have a CurrentUser handy (SSH/HTTP git, worker

+// jobs, tests).

+

+// CurrentUserView is the minimal view of the request-bound user that

+// UserActorFromCurrentUser needs. The web's middleware.CurrentUser

+// satisfies this implicitly — keeping the type local avoids a

+// policy → middleware import cycle.

+type CurrentUserView struct {

+	ID                 int64

+	Username           string

+	IsSuspended        bool

+	IsSiteAdmin        bool

+	ImpersonatedUserID int64

+	RealActorID        int64

+	ImpersonateWriteOK bool

+}

+

+// UserActorFromCurrentUser is the canonical web-layer constructor.

+// Beyond UserActor, it propagates the impersonation pair so the

+// "read-only by default" promise on policy.go's impersonation gate

+// is actually enforced — and so audit rows can be tagged with the

+// real actor ID when impersonating.

+//

+// Convention: every handler that can run for an impersonating admin

+// should construct the actor through this constructor. Any callsite

+// still on plain UserActor with IsSiteAdmin=false hardcoded is a

+// silent permission leak (audit 2026-05-10 C1/C2).

+func UserActorFromCurrentUser(v CurrentUserView) Actor {

+	return Actor{

+		UserID:             v.ID,

+		Username:           v.Username,

+		IsSuspended:        v.IsSuspended,

+		IsSiteAdmin:        v.IsSiteAdmin,

+		Impersonating:      v.ImpersonatedUserID != 0,

+		ImpersonateWriteOK: v.ImpersonateWriteOK,

+	}

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package policy

+

+import "testing"

+

+// TestUserActorFromCurrentUser_PropagatesAllFlags pins the SR2 C1+C2

+// fix: the constructor used by the web layer must carry IsSuspended,

+// IsSiteAdmin, Impersonating, and ImpersonateWriteOK into the Actor.

+//

+// Before SR2, every web mutation handler used UserActor(...) with

+// `false` literals for site-admin/impersonation, so:

+//   - C1: an impersonating admin could write as the target user

+//     because Impersonating was never true at the actor level.

+//   - C2: a site admin could not read private repos they didn't

+//     collaborate on because IsSiteAdmin never propagated to Actor.

+//

+// This test fails LOUD on regressions of either path.

+func TestUserActorFromCurrentUser_PropagatesAllFlags(t *testing.T) {

+	t.Parallel()

+

+	cases := []struct {

+		name string

+		view CurrentUserView

+		want Actor

+	}{

+		{

+			name: "plain logged-in user",

+			view: CurrentUserView{ID: 7, Username: "alice"},

+			want: Actor{UserID: 7, Username: "alice"},

+		},

+		{

+			name: "suspended user",

+			view: CurrentUserView{ID: 7, Username: "alice", IsSuspended: true},

+			want: Actor{UserID: 7, Username: "alice", IsSuspended: true},

+		},

+		{

+			name: "site admin (not impersonating)",

+			view: CurrentUserView{ID: 7, Username: "alice", IsSiteAdmin: true},

+			want: Actor{UserID: 7, Username: "alice", IsSiteAdmin: true},

+		},

+		{

+			name: "impersonating admin, read-only-by-default",

+			view: CurrentUserView{

+				ID:                 99, // viewer.ID is the impersonated user

+				Username:           "target",

+				ImpersonatedUserID: 99,

+				RealActorID:        1,

+				ImpersonateWriteOK: false,

+			},

+			want: Actor{

+				UserID:        99,

+				Username:      "target",

+				Impersonating: true,

+				// ImpersonateWriteOK stays false — the policy gate on

+				// policy.go for write actions denies. This is the

+				// guarantee C1 was leaking.

+			},

+		},

+		{

+			name: "impersonating admin with write-mode opted in",

+			view: CurrentUserView{

+				ID:                 99,

+				Username:           "target",

+				ImpersonatedUserID: 99,

+				RealActorID:        1,

+				ImpersonateWriteOK: true,

+			},

+			want: Actor{

+				UserID:             99,

+				Username:           "target",

+				Impersonating:      true,

+				ImpersonateWriteOK: true,

+			},

+		},

+	}

+

+	for _, tc := range cases {

+		t.Run(tc.name, func(t *testing.T) {

+			t.Parallel()

+			got := UserActorFromCurrentUser(tc.view)

+			if got != tc.want {

+				t.Fatalf("UserActorFromCurrentUser:\n got=%+v\nwant=%+v", got, tc.want)

+			}

+		})

+	}

+}

+

+// TestUserActorFromCurrentUser_SiteAdminReadsPrivateRepo pins C2:

+// before SR2, IsSiteAdmin never reached the Actor on the read path,

+// so policy.go's "site admin reads anything" branch was unreachable

+// from the web layer. With the constructor migrated, the override

+// works as documented.

+func TestUserActorFromCurrentUser_ImpersonatingDoesNotEscalateAdmin(t *testing.T) {

+	t.Parallel()

+

+	// While impersonating, the wrapping middleware forces IsSiteAdmin

+	// to false on the impersonated identity. The constructor must

+	// honor that — never silently re-grant admin powers to the

+	// impersonated session.

+	view := CurrentUserView{

+		ID:                 99,

+		Username:           "target",

+		IsSiteAdmin:        false, // middleware enforced

+		ImpersonatedUserID: 99,

+		RealActorID:        1,

+	}

+	got := UserActorFromCurrentUser(view)

+	if got.IsSiteAdmin {

+		t.Fatal("UserActorFromCurrentUser must not set IsSiteAdmin while impersonating; got true")

+	}

+	if !got.Impersonating {

+		t.Fatal("UserActorFromCurrentUser must set Impersonating when ImpersonatedUserID is non-zero")

+	}

+}

+

+	"github.com/tenseleyFlow/shithub/internal/auth/policy"

+// PolicyActor builds a policy.Actor that propagates suspension,

+// site-admin, and the impersonation pair. Use this everywhere the

+// web layer needs an actor — the alternative (plain

+// policy.UserActor) silently drops impersonation/site-admin and

+// re-introduces the C1/C2 leaks the SR2 sprint fixed.

+func (u CurrentUser) PolicyActor() policy.Actor {

+	return policy.UserActorFromCurrentUser(policy.CurrentUserView{

+		ID:                 u.ID,

+		Username:           u.Username,

+		IsSuspended:        u.IsSuspended,

+		IsSiteAdmin:        u.IsSiteAdmin,

+		ImpersonatedUserID: u.ImpersonatedUserID,

+		RealActorID:        u.RealActorID,

+		ImpersonateWriteOK: u.ImpersonateWriteOK,

+	})

+}

+

+// AuditActor returns the (actor_id, augmented meta) pair to record

+// for an audit row. During an impersonated session, the real admin

+// is the actor and the impersonated user_id is stashed in meta.

+// Outside impersonation, returns u.ID and meta unchanged.

+//

+// Use this anywhere a handler builds an audit row so impersonation

+// trails are uniform across admin and non-admin surfaces (SR2 H2).

+//

+// Most callers want the higher-level RecordAudit helper instead;

+// AuditActor is exposed for the rare case where the recorder/db

+// pair isn't readily threaded through.

+func (u CurrentUser) AuditActor(meta map[string]any) (int64, map[string]any) {

+	if u.RealActorID == 0 {

+		return u.ID, meta

+	}

+	if meta == nil {

+		meta = map[string]any{}

+	}

+	meta["impersonated_user_id"] = u.ImpersonatedUserID

+	return u.RealActorID, meta

+}

+