From 43e910025a978fece6e2897b68ea186b350cbdbc Mon Sep 17 00:00:00 2001
From: kolaente
Date: Sat, 30 May 2026 22:55:09 +0200
Subject: [PATCH] fix(models): validate API token permissions against v1+v2 route union

PermissionsAreValid only consulted apiTokenRoutes, so a v2-only resource (no v1 counterpart) could never be granted as a token scope even though CanDoAPIRoute already authorises against both tables. Validate against the union so the v1+v2 authorization and validation paths agree.
---
 pkg/models/api_routes.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/pkg/models/api_routes.go b/pkg/models/api_routes.go
index e601515ab..2264a5121 100644
--- a/pkg/models/api_routes.go
+++ b/pkg/models/api_routes.go
@@ -422,15 +422,20 @@ func CanDoAPIRoute(c *echo.Context, token *APIToken) (can bool) {
 func PermissionsAreValid(permissions APIPermissions) (err error) {
 for key, methods := range permissions {
- routes, has := apiTokenRoutes[key]
- if !has {
+ // A permission is valid if the group exists in either table. v2-only
+ // resources (no v1 counterpart) live solely in apiTokenRoutesV2, so
+ // validating against the union lets tokens grant them. CanDoAPIRoute
+ // already consults both tables when authorising.
+ v1Routes := apiTokenRoutes[key]
+ v2Routes := apiTokenRoutesV2[key]
+ if v1Routes == nil && v2Routes == nil {
 return &ErrInvalidAPITokenPermission{
 Group: key,
 }
 }
 for _, method := range methods {
- if routes[method] == nil {
+ if v1Routes[method] == nil && v2Routes[method] == nil {
 return &ErrInvalidAPITokenPermission{
 Group: key,
 Permission: method,