ApplicationsController::requirePermission() / listMine() build the authorised set with collectAuthorisedGroups() (flatten permissions.owners ∪ editors ∪ viewers) and intersect it with getUserGroupIds($user) (the caller's group GIDs). The two collections live in the same string namespace, so an Application whose permissions.owners contains the literal username "admin" is, by coincidence, also satisfied by anyone in the admin group — and the audited admin-bypass branch (REQ-OBRBAC-006) is never reached for that app.
The seeded hello-world Application has permissions.owners = ["admin"], so in the openbuilt-rbac Newman suite step 3.3 ("admin gets 200 via the bypass") actually returns 200 via the owner match, and step 3.4's rbac.admin_bypass audit row never gets written. The collection now treats that row as informational and links here.
Likely fix: namespace the principals (e.g. group:openbuilt-rbac-editors vs user:alice, or keep owners/editors/viewers as user lists and check membership distinctly from group ACLs), or at minimum document that owners/editors/viewers are group GIDs only and never bare usernames.
Found while fixing the Newman chain collections (#33).
ApplicationsController::requirePermission()/listMine()build the authorised set withcollectAuthorisedGroups()(flattenpermissions.owners ∪ editors ∪ viewers) and intersect it withgetUserGroupIds($user)(the caller's group GIDs). The two collections live in the same string namespace, so an Application whosepermissions.ownerscontains the literal username"admin"is, by coincidence, also satisfied by anyone in theadmingroup — and the audited admin-bypass branch (REQ-OBRBAC-006) is never reached for that app.The seeded
hello-worldApplication haspermissions.owners = ["admin"], so in theopenbuilt-rbacNewman suite step 3.3 ("admin gets 200 via the bypass") actually returns 200 via the owner match, and step 3.4'srbac.admin_bypassaudit row never gets written. The collection now treats that row as informational and links here.Likely fix: namespace the principals (e.g.
group:openbuilt-rbac-editorsvsuser:alice, or keep owners/editors/viewers as user lists and check membership distinctly from group ACLs), or at minimum document thatowners/editors/viewersare group GIDs only and never bare usernames.Found while fixing the Newman chain collections (#33).