From 0fce7c78b62aeb69bbdf1e8f1a6dbf44c0327704 Mon Sep 17 00:00:00 2001
From: mickey-mikey <149929346+mickey-mikey@users.noreply.github.com>
Date: Wed, 4 Mar 2026 16:21:51 +1100
Subject: [PATCH] fix: also deny clear_completed under tasks:manage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Addresses CodeRabbit review — clear_completed is destructive and should
be blocked alongside delete at the manage permission level.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 auth/permissions.py       | 2 +-
 tests/test_permissions.py | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/auth/permissions.py b/auth/permissions.py
index abd0686..1a5b419 100644
--- a/auth/permissions.py
+++ b/auth/permissions.py
@@ -138,7 +138,7 @@ SERVICE_PERMISSION_LEVELS: Dict[str, List[Tuple[str, List[str]]]] = {
 # Levels not listed here (or services without entries) deny nothing.
 SERVICE_DENIED_ACTIONS: Dict[str, Dict[str, FrozenSet[str]]] = {
     "tasks": {
-        "manage": frozenset({"delete"}),
+        "manage": frozenset({"delete", "clear_completed"}),
     },
 }
 
diff --git a/tests/test_permissions.py b/tests/test_permissions.py
index 764b49f..c1877f8 100644
--- a/tests/test_permissions.py
+++ b/tests/test_permissions.py
@@ -163,6 +163,14 @@ class TestIsActionDenied:
         set_permissions({"tasks": "manage"})
         assert is_action_denied("tasks", "move") is False
 
+    def test_tasks_manage_denies_clear_completed(self):
+        set_permissions({"tasks": "manage"})
+        assert is_action_denied("tasks", "clear_completed") is True
+
+    def test_tasks_full_allows_clear_completed(self):
+        set_permissions({"tasks": "full"})
+        assert is_action_denied("tasks", "clear_completed") is False
+
     def test_service_not_in_permissions_allows_all(self):
         set_permissions({"gmail": "readonly"})
         assert is_action_denied("tasks", "delete") is False