fix: exclude personal team roles from check_any_team RBAC aggregation#2900
Merged
crivetimihai merged 1 commit intomainfrom Feb 13, 2026
Merged
fix: exclude personal team roles from check_any_team RBAC aggregation#2900crivetimihai merged 1 commit intomainfrom
crivetimihai merged 1 commit intomainfrom
Conversation
Every user gets a personal team with team_admin role auto-assigned. When check_any_team=True aggregated ALL team-scoped roles, it picked up team_admin from personal teams, granting every authenticated user full mutate permissions (servers.create, tools.create, etc.) and making RBAC ineffective for create/update/delete operations. Filter out personal team roles (EmailTeam.is_personal=True) from the include_all_teams query in _get_user_roles(). Direct team_id queries are unaffected, so users retain full team_admin on their personal team when operating within it explicitly. Closes #2883 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
crivetimihai
added a commit
that referenced
this pull request
Feb 13, 2026
Closes #2387 Add systematic RBAC test coverage across 7 new test files: - Permission matrix: 235 parametrized tests for all 5 roles × permissions - Token scoping: 20 tests for normalize_token_teams() truth table - Admin bypass: 11 tests for allow_admin_bypass=True/False enforcement - Fail-closed: 10 tests for error/expired/deactivated role denial - Cross-team isolation: 18 tests including #2900 personal team regression - Endpoint coverage: 69 tests verifying decorator usage across all routers - Management endpoints: 10 HTTP-level integration tests for RBAC admin Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
3 tasks
crivetimihai
added a commit
that referenced
this pull request
Feb 13, 2026
* test: add comprehensive RBAC regression test suite (373 tests) Closes #2387 Add systematic RBAC test coverage across 7 new test files: - Permission matrix: 235 parametrized tests for all 5 roles × permissions - Token scoping: 20 tests for normalize_token_teams() truth table - Admin bypass: 11 tests for allow_admin_bypass=True/False enforcement - Fail-closed: 10 tests for error/expired/deactivated role denial - Cross-team isolation: 18 tests including #2900 personal team regression - Endpoint coverage: 69 tests verifying decorator usage across all routers - Management endpoints: 10 HTTP-level integration tests for RBAC admin Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * test: add Playwright E2E tests for RBAC on tools, resources, prompts, and teams Extends test_rbac_permissions.py with 15 new E2E tests covering: - Tool CRUD: developer create (team + all-teams view), viewer denied - Resource CRUD: developer create, viewer denied - Prompt CRUD: developer create, viewer denied - Team management: viewer denied manage members, team_admin granted - REST API: developer/viewer create tool/resource/prompt via API Closes #2387 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: resolve Playwright RBAC test failures for prompts, teams, and API - Prompt form: skip template fill (textarea has default content) - Team management: test POST add-member (viewer denied) + verify team_admin passes RBAC (ownership check is business logic, not RBAC) - REST API viewer deny: assert not in (200, 201) since FastAPI may return 422 (schema validation) before RBAC check runs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: use Apache-2.0 license identifier consistently across all test files Replace SPDX-License-Identifier: MIT with Apache-2.0 to match the rest of the project. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
suciu-daniel
pushed a commit
that referenced
this pull request
Feb 16, 2026
* test: add comprehensive RBAC regression test suite (373 tests) Closes #2387 Add systematic RBAC test coverage across 7 new test files: - Permission matrix: 235 parametrized tests for all 5 roles × permissions - Token scoping: 20 tests for normalize_token_teams() truth table - Admin bypass: 11 tests for allow_admin_bypass=True/False enforcement - Fail-closed: 10 tests for error/expired/deactivated role denial - Cross-team isolation: 18 tests including #2900 personal team regression - Endpoint coverage: 69 tests verifying decorator usage across all routers - Management endpoints: 10 HTTP-level integration tests for RBAC admin Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * test: add Playwright E2E tests for RBAC on tools, resources, prompts, and teams Extends test_rbac_permissions.py with 15 new E2E tests covering: - Tool CRUD: developer create (team + all-teams view), viewer denied - Resource CRUD: developer create, viewer denied - Prompt CRUD: developer create, viewer denied - Team management: viewer denied manage members, team_admin granted - REST API: developer/viewer create tool/resource/prompt via API Closes #2387 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: resolve Playwright RBAC test failures for prompts, teams, and API - Prompt form: skip template fill (textarea has default content) - Team management: test POST add-member (viewer denied) + verify team_admin passes RBAC (ownership check is business logic, not RBAC) - REST API viewer deny: assert not in (200, 201) since FastAPI may return 422 (schema validation) before RBAC check runs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: use Apache-2.0 license identifier consistently across all test files Replace SPDX-License-Identifier: MIT with Apache-2.0 to match the rest of the project. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
vishu-bh
pushed a commit
that referenced
this pull request
Feb 18, 2026
…#2900) Every user gets a personal team with team_admin role auto-assigned. When check_any_team=True aggregated ALL team-scoped roles, it picked up team_admin from personal teams, granting every authenticated user full mutate permissions (servers.create, tools.create, etc.) and making RBAC ineffective for create/update/delete operations. Filter out personal team roles (EmailTeam.is_personal=True) from the include_all_teams query in _get_user_roles(). Direct team_id queries are unaffected, so users retain full team_admin on their personal team when operating within it explicitly. Closes #2883 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Vishu Bhatnagar <vishu.bhatnagar@ibm.com>
vishu-bh
pushed a commit
that referenced
this pull request
Feb 18, 2026
* test: add comprehensive RBAC regression test suite (373 tests) Closes #2387 Add systematic RBAC test coverage across 7 new test files: - Permission matrix: 235 parametrized tests for all 5 roles × permissions - Token scoping: 20 tests for normalize_token_teams() truth table - Admin bypass: 11 tests for allow_admin_bypass=True/False enforcement - Fail-closed: 10 tests for error/expired/deactivated role denial - Cross-team isolation: 18 tests including #2900 personal team regression - Endpoint coverage: 69 tests verifying decorator usage across all routers - Management endpoints: 10 HTTP-level integration tests for RBAC admin Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * test: add Playwright E2E tests for RBAC on tools, resources, prompts, and teams Extends test_rbac_permissions.py with 15 new E2E tests covering: - Tool CRUD: developer create (team + all-teams view), viewer denied - Resource CRUD: developer create, viewer denied - Prompt CRUD: developer create, viewer denied - Team management: viewer denied manage members, team_admin granted - REST API: developer/viewer create tool/resource/prompt via API Closes #2387 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: resolve Playwright RBAC test failures for prompts, teams, and API - Prompt form: skip template fill (textarea has default content) - Team management: test POST add-member (viewer denied) + verify team_admin passes RBAC (ownership check is business logic, not RBAC) - REST API viewer deny: assert not in (200, 201) since FastAPI may return 422 (schema validation) before RBAC check runs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: use Apache-2.0 license identifier consistently across all test files Replace SPDX-License-Identifier: MIT with Apache-2.0 to match the rest of the project. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Vishu Bhatnagar <vishu.bhatnagar@ibm.com>
kcostell06
pushed a commit
to kcostell06/mcp-context-forge
that referenced
this pull request
Feb 24, 2026
…IBM#2900) Every user gets a personal team with team_admin role auto-assigned. When check_any_team=True aggregated ALL team-scoped roles, it picked up team_admin from personal teams, granting every authenticated user full mutate permissions (servers.create, tools.create, etc.) and making RBAC ineffective for create/update/delete operations. Filter out personal team roles (EmailTeam.is_personal=True) from the include_all_teams query in _get_user_roles(). Direct team_id queries are unaffected, so users retain full team_admin on their personal team when operating within it explicitly. Closes IBM#2883 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
kcostell06
pushed a commit
to kcostell06/mcp-context-forge
that referenced
this pull request
Feb 24, 2026
) * test: add comprehensive RBAC regression test suite (373 tests) Closes IBM#2387 Add systematic RBAC test coverage across 7 new test files: - Permission matrix: 235 parametrized tests for all 5 roles × permissions - Token scoping: 20 tests for normalize_token_teams() truth table - Admin bypass: 11 tests for allow_admin_bypass=True/False enforcement - Fail-closed: 10 tests for error/expired/deactivated role denial - Cross-team isolation: 18 tests including IBM#2900 personal team regression - Endpoint coverage: 69 tests verifying decorator usage across all routers - Management endpoints: 10 HTTP-level integration tests for RBAC admin Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * test: add Playwright E2E tests for RBAC on tools, resources, prompts, and teams Extends test_rbac_permissions.py with 15 new E2E tests covering: - Tool CRUD: developer create (team + all-teams view), viewer denied - Resource CRUD: developer create, viewer denied - Prompt CRUD: developer create, viewer denied - Team management: viewer denied manage members, team_admin granted - REST API: developer/viewer create tool/resource/prompt via API Closes IBM#2387 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: resolve Playwright RBAC test failures for prompts, teams, and API - Prompt form: skip template fill (textarea has default content) - Team management: test POST add-member (viewer denied) + verify team_admin passes RBAC (ownership check is business logic, not RBAC) - REST API viewer deny: assert not in (200, 201) since FastAPI may return 422 (schema validation) before RBAC check runs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: use Apache-2.0 license identifier consistently across all test files Replace SPDX-License-Identifier: MIT with Apache-2.0 to match the rest of the project. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
team_adminrole, which includes full mutate permissions (servers.create,tools.create, etc.)check_any_team=True(session tokens without explicitteam_id),_get_user_roles()aggregated ALL team-scoped roles including personal team rolesFix: Filter out roles scoped to personal teams (
EmailTeam.is_personal=True) from theinclude_all_teamsquery in_get_user_roles(). Direct team_id queries are unaffected — users retain fullteam_adminon their personal team when operating within it explicitly.Test plan