vrr/openclaw
2
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-22 03:51:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 20

fix(gateway): keep exec approvals policy admin scoped

Browse source
This commit is contained in:
Peter Steinberger 2026-05-15 11:23:26 +01:00
parent 373f709130
commit 3bedce151e
2 changed files with 23 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

19
src/gateway/method-scopes.test.ts
View file

@ -69,6 +69,10 @@ describe("method scope resolution", () => {
["nativeHook.invoke", ["operator.admin"]],
["wizard.start", ["operator.admin"]],
["update.run", ["operator.admin"]],
["exec.approvals.get", ["operator.admin"]],
["exec.approvals.set", ["operator.admin"]],
["exec.approvals.node.get", ["operator.admin"]],
["exec.approvals.node.set", ["operator.admin"]],
])("resolves least-privilege scopes for %s", (method, expected) => {
expect(resolveLeastPrivilegeOperatorScopesForMethod(method)).toEqual(expected);
});
@ -293,6 +297,21 @@ describe("operator scope authorization", () => {
},
);
it.each([
"exec.approvals.get",
"exec.approvals.set",
"exec.approvals.node.get",
"exec.approvals.node.set",
])("requires admin scope for exec approval policy method %s", (method) => {
expect(authorizeOperatorScopesForMethod(method, ["operator.approvals"])).toEqual({
allowed: false,
missingScope: "operator.admin",
});
expect(authorizeOperatorScopesForMethod(method, ["operator.admin"])).toEqual({
allowed: true,
});
});
it.each([
"plugin.approval.list",
"plugin.approval.request",

8
src/gateway/methods/core-descriptors.ts
View file

@ -48,10 +48,10 @@ export const CORE_GATEWAY_METHOD_SPECS: readonly CoreGatewayMethodSpec[] = [
{ name: "config.patch", scope: "operator.admin", controlPlaneWrite: true },
{ name: "config.schema", scope: "operator.read" },
{ name: "config.schema.lookup", scope: "operator.read" },
{ name: "exec.approvals.get", scope: "operator.approvals" },
{ name: "exec.approvals.set", scope: "operator.approvals" },
{ name: "exec.approvals.node.get", scope: "operator.approvals" },
{ name: "exec.approvals.node.set", scope: "operator.approvals" },
{ name: "exec.approvals.get", scope: "operator.admin" },
{ name: "exec.approvals.set", scope: "operator.admin" },
{ name: "exec.approvals.node.get", scope: "operator.admin" },
{ name: "exec.approvals.node.set", scope: "operator.admin" },
{ name: "exec.approval.get", scope: "operator.approvals" },
{ name: "exec.approval.list", scope: "operator.approvals" },
{ name: "exec.approval.request", scope: "operator.approvals" },