fix(security): correct @AccessControl resourceId in ExecutorApi.getExecutor (#6471)#6517
fix(security): correct @AccessControl resourceId in ExecutorApi.getExecutor (#6471)#6517RomuDeuxfois with Copilot wants to merge 2 commits into
Conversation
…ecutorId in ExecutorApi.getExecutor (#6471)
There was a problem hiding this comment.
Pull request overview
This PR fixes a security-critical copy/paste error in ExecutorApi.getExecutor() where @AccessControl.resourceId referenced a non-existent #collectorId parameter, causing the resource-level RBAC check to evaluate with a null resource ID and effectively bypass the intended per-resource authorization.
Changes:
- Update
@AccessControl(resourceId = ...)onExecutorApi.getExecutor()to reference#executorId(the actual path variable). - Restore correct resource-level RBAC enforcement for executor retrieval.
Codecov Report✅ All modified and coverable lines are covered by tests. ❌ Your project check has failed because the head coverage (2.88%) is below the target coverage (80.00%). You can increase the head coverage or adjust the target coverage. Additional details and impacted files@@ Coverage Diff @@
## main #6517 +/- ##
============================================
+ Coverage 44.22% 44.24% +0.01%
+ Complexity 7432 7431 -1
============================================
Files 2310 2310
Lines 63914 63914
Branches 8498 8498
============================================
+ Hits 28265 28276 +11
+ Misses 33850 33837 -13
- Partials 1799 1801 +2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Copy-paste error in
ExecutorApi.getExecutor():@AccessControlreferenced#collectorId— a non-existent parameter — causing the resource-level RBAC check to evaluate with a null resource ID, effectively bypassing it.Change