fix(auth): scope path-like name args by command
Build and Push Docker Container / build-and-push (push) Successful in 4m41s

- Stop treating property names as vault paths during policy checks.
- Keep rename name targets protected by path restrictions.
- Add regression coverage for property:set name=from.
- Add regression coverage for blocked rename targets.
- Bump package version to 1.0.4 for the Docker image tag.
This commit is contained in:
2026-06-24 13:41:50 +02:00
parent 4a159cffe8
commit e8e31add11
4 changed files with 35 additions and 4 deletions
+24
View File
@@ -157,6 +157,30 @@ def test_token_policy_restricts_path(monkeypatch):
assert response.status_code == 403
assert response.json()["detail"].startswith("token is not allowed to access path: Private/Secret.md")
def test_property_set_name_is_not_treated_as_path(monkeypatch):
token = use_jwt_auth(monkeypatch, {"sub": "journal", "commands": ["property:set"], "vaults": ["*"], "paths": ["00. Journal/"]})
response = client.post(
"/commands",
headers={"Authorization": f"Bearer {token}"},
json={"args": ["property:set", "path=00. Journal/Note.md", "name=from", "value=Daniel", "type=text"]},
)
assert response.status_code == 200
assert response.json()["command"] == ["python", "property:set", "path=00. Journal/Note.md", "name=from", "value=Daniel", "type=text"]
def test_rename_name_is_treated_as_path(monkeypatch):
token = use_jwt_auth(monkeypatch, {"sub": "journal", "commands": ["rename"], "vaults": ["*"], "paths": ["00. Journal/"]})
response = client.post(
"/commands",
headers={"Authorization": f"Bearer {token}"},
json={"args": ["rename", "path=00. Journal/Old.md", "name=Private/New.md"]},
)
assert response.status_code == 403
assert response.json()["detail"].startswith("token is not allowed to access path: Private/New.md")
def test_token_policy_allows_allowed_path(monkeypatch):
token = use_jwt_auth(monkeypatch, {"sub": "inbox", "commands": ["read"], "vaults": ["*"], "paths": ["Inbox/"]})