Add comments and another test to ACL fix

2025-04-05 14:07:39 +03:00 · 2023-11-18 21:50:01 -05:00 · 2023-11-18 21:50:01 -05:00 · 7d755ce604
commit 7d755ce604
parent f64dbcb6b2
2 changed files with 21 additions and 3 deletions
--- a/user/manager_test.go
+++ b/user/manager_test.go
@ -98,7 +98,7 @@ func TestManager_FullScenario_Default_DenyAll(t *testing.T) {
 	require.Nil(t, a.Authorize(ben, "announcements", PermissionRead))
 	require.Equal(t, ErrUnauthorized, a.Authorize(ben, "announcements", PermissionWrite))

-	// user john should have
+	// User john should have
 	//  "deny" to mytopic_deny*,
 	//    "ro" to mytopic_ro*,
 	//    "rw" to mytopic*,
@ -129,6 +129,22 @@ func TestManager_FullScenario_Default_DenyAll(t *testing.T) {
 	require.Nil(t, a.Authorize(nil, "up5678", PermissionWrite))
 }

+func TestManager_Access_Order_LengthWriteRead(t *testing.T) {
+	// This test validates issue #914 / #917, i.e. that write permissions are prioritized over read permissions,
+	// and longer ACL rules are prioritized as well.
+
+	a := newTestManagerFromFile(t, filepath.Join(t.TempDir(), "user.db"), "", PermissionDenyAll, DefaultUserPasswordBcryptCost, DefaultUserStatsQueueWriterInterval)
+	require.Nil(t, a.AddUser("ben", "ben", RoleUser))
+	require.Nil(t, a.AllowAccess("ben", "test*", PermissionReadWrite))
+	require.Nil(t, a.AllowAccess("ben", "*", PermissionRead))
+
+	ben, err := a.Authenticate("ben", "ben")
+	require.Nil(t, err)
+	require.Nil(t, a.Authorize(ben, "any-topic-can-be-read", PermissionRead))
+	require.Nil(t, a.Authorize(ben, "this-too", PermissionRead))
+	require.Nil(t, a.Authorize(ben, "test123", PermissionWrite))
+}
+
 func TestManager_AddUser_Invalid(t *testing.T) {
 	a := newTestManager(t, PermissionDenyAll)
 	require.Equal(t, ErrInvalidArgument, a.AddUser("  invalid  ", "pass", RoleAdmin))