jason/google-mcp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: also deny clear_completed under tasks:manage

Browse Source 
Addresses CodeRabbit review — clear_completed is destructive and should
be blocked alongside delete at the manage permission level.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
mickey-mikey
2026-03-04 16:21:51 +11:00
parent 377791080c
commit 0fce7c78b6
2 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
auth/permissions.py
View File

@@ -138,7 +138,7 @@ SERVICE_PERMISSION_LEVELS: Dict[str, List[Tuple[str, List[str]]]] = {
# Levels not listed here (or services without entries) deny nothing.
SERVICE_DENIED_ACTIONS: Dict[str, Dict[str, FrozenSet[str]]] = {
"tasks": {
"manage": frozenset({"delete"}),
"manage": frozenset({"delete", "clear_completed"}),
},
}

8
tests/test_permissions.py
View File

@@ -163,6 +163,14 @@ class TestIsActionDenied:
set_permissions({"tasks": "manage"})
assert is_action_denied("tasks", "move") is False
def test_tasks_manage_denies_clear_completed(self):
set_permissions({"tasks": "manage"})
assert is_action_denied("tasks", "clear_completed") is True
def test_tasks_full_allows_clear_completed(self):
set_permissions({"tasks": "full"})
assert is_action_denied("tasks", "clear_completed") is False
def test_service_not_in_permissions_allows_all(self):
set_permissions({"gmail": "readonly"})
assert is_action_denied("tasks", "delete") is False