Skip to content

fix(security): correct @AccessControl resourceId in ExecutorApi.getExecutor (#6471)#6517

Open
RomuDeuxfois with Copilot wants to merge 2 commits into
mainfrom
copilot/fix-executorapi-accesscontrol
Open

fix(security): correct @AccessControl resourceId in ExecutorApi.getExecutor (#6471)#6517
RomuDeuxfois with Copilot wants to merge 2 commits into
mainfrom
copilot/fix-executorapi-accesscontrol

Conversation

Copilot AI commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Copy-paste error in ExecutorApi.getExecutor(): @AccessControl referenced #collectorId — a non-existent parameter — causing the resource-level RBAC check to evaluate with a null resource ID, effectively bypassing it.

Change

// Before
@AccessControl(
    resourceId = "#collectorId",  // parameter doesn't exist → null → RBAC bypassed
    actionPerformed = Action.READ,
    resourceType = ResourceType.ASSET)
public Executor getExecutor(@PathVariable String executorId)

// After
@AccessControl(
    resourceId = "#executorId",
    actionPerformed = Action.READ,
    resourceType = ResourceType.ASSET)
public Executor getExecutor(@PathVariable String executorId)

Copilot AI changed the title [WIP] Fix resourceId in ExecutorApi.getExecutor annotation fix(security): correct @AccessControl resourceId in ExecutorApi.getExecutor (#6471) Jul 1, 2026
Copilot AI requested a review from RomuDeuxfois July 1, 2026 12:30
@RomuDeuxfois RomuDeuxfois marked this pull request as ready for review July 1, 2026 12:42
Copilot AI review requested due to automatic review settings July 1, 2026 12:42

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a security-critical copy/paste error in ExecutorApi.getExecutor() where @AccessControl.resourceId referenced a non-existent #collectorId parameter, causing the resource-level RBAC check to evaluate with a null resource ID and effectively bypass the intended per-resource authorization.

Changes:

  • Update @AccessControl(resourceId = ...) on ExecutorApi.getExecutor() to reference #executorId (the actual path variable).
  • Restore correct resource-level RBAC enforcement for executor retrieval.

@Seb-MIGUEL Seb-MIGUEL self-requested a review July 1, 2026 12:52
@codecov

codecov Bot commented Jul 1, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 44.24%. Comparing base (208d9ef) to head (81db22a).
⚠️ Report is 1 commits behind head on main.

❌ Your project check has failed because the head coverage (2.88%) is below the target coverage (80.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files
@@             Coverage Diff              @@
##               main    #6517      +/-   ##
============================================
+ Coverage     44.22%   44.24%   +0.01%     
+ Complexity     7432     7431       -1     
============================================
  Files          2310     2310              
  Lines         63914    63914              
  Branches       8498     8498              
============================================
+ Hits          28265    28276      +11     
+ Misses        33850    33837      -13     
- Partials       1799     1801       +2     
Flag Coverage Δ
backend 66.69% <ø> (-0.02%) ⬇️
e2e 19.05% <ø> (+0.68%) ⬆️
frontend 2.88% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix(backend): ExecutorApi.getExecutor @AccessControl uses wrong resourceId (#collectorId instead of #executorId)

3 participants