fix: also deny clear_completed under tasks:manage

Addresses CodeRabbit review — clear_completed is destructive and should be blocked alongside delete at the manage permission level. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 16:21:51 +11:00
parent 377791080c
commit 0fce7c78b6
2 changed files with 9 additions and 1 deletions
--- a/auth/permissions.py
+++ b/auth/permissions.py
@@ -138,7 +138,7 @@ SERVICE_PERMISSION_LEVELS: Dict[str, List[Tuple[str, List[str]]]] = {
 # Levels not listed here (or services without entries) deny nothing.
 SERVICE_DENIED_ACTIONS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "tasks": {
-        "manage": frozenset({"delete"}),
+        "manage": frozenset({"delete", "clear_completed"}),
    },
 }