fix(api): correct testsets router to use VIEW_TESTSETS for read operations

mmabrouk · claude · mmabrouk · commit b7a2acb9d522 · 2026-01-10T23:21:41.000+01:00
The testsets router was incorrectly using EDIT_EVALUATORS permission for all
operations including read-only endpoints. This prevented viewers from accessing
testsets, testset variants, and testset revisions.

Fixed the following endpoints to use VIEW_TESTSETS instead:
- fetch_testset
- query_testsets
- fetch_testset_variant
- query_testset_variants
- retrieve_testset_revision
- fetch_testset_revision
- query_testset_revisions
- log_testset_revisions

Write operations (create, edit, archive, commit) continue to use EDIT_EVALUATORS
which correctly prevents viewers from modifying content.

Co-Authored-By: Claude Haiku 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/api/oss/src/apis/fastapi/testsets/router.py b/api/oss/src/apis/fastapi/testsets/router.py
@@ -555,7 +555,7 @@ async def fetch_testset(
             if not await check_action_access(  # type: ignore
                 user_uid=request.state.user_id,
                 project_id=request.state.project_id,
-                permission=Permission.EDIT_EVALUATORS,  # type: ignore
+                permission=Permission.VIEW_TESTSETS,  # type: ignore
             ):
                 raise FORBIDDEN_EXCEPTION  # type: ignore
 
@@ -671,7 +671,7 @@ async def query_testsets(
             if not await check_action_access(  # type: ignore
                 user_uid=request.state.user_id,
                 project_id=request.state.project_id,
-                permission=Permission.EDIT_EVALUATORS,  # type: ignore
+                permission=Permission.VIEW_TESTSETS,  # type: ignore
             ):
                 raise FORBIDDEN_EXCEPTION  # type: ignore
 
@@ -738,7 +738,7 @@ async def fetch_testset_variant(
             if not await check_action_access(  # type: ignore
                 user_uid=request.state.user_id,
                 project_id=request.state.project_id,
-                permission=Permission.EDIT_EVALUATORS,  # type: ignore
+                permission=Permission.VIEW_TESTSETS,  # type: ignore
             ):
                 raise FORBIDDEN_EXCEPTION  # type: ignore
 
@@ -854,7 +854,7 @@ async def query_testset_variants(
             if not await check_action_access(  # type: ignore
                 user_uid=request.state.user_id,
                 project_id=request.state.project_id,
-                permission=Permission.EDIT_EVALUATORS,  # type: ignore
+                permission=Permission.VIEW_TESTSETS,  # type: ignore
             ):
                 raise FORBIDDEN_EXCEPTION  # type: ignore
 
@@ -890,7 +890,7 @@ async def retrieve_testset_revision(
             if not await check_action_access(  # type: ignore
                 user_uid=request.state.user_id,
                 project_id=request.state.project_id,
-                permission=Permission.EDIT_EVALUATORS,  # type: ignore
+                permission=Permission.VIEW_TESTSETS,  # type: ignore
             ):
                 raise FORBIDDEN_EXCEPTION  # type: ignore
 
@@ -977,7 +977,7 @@ async def fetch_testset_revision(
             if not await check_action_access(  # type: ignore
                 user_uid=request.state.user_id,
                 project_id=request.state.project_id,
-                permission=Permission.EDIT_EVALUATORS,  # type: ignore
+                permission=Permission.VIEW_TESTSETS,  # type: ignore
             ):
                 raise FORBIDDEN_EXCEPTION  # type: ignore
 
@@ -1183,7 +1183,7 @@ async def query_testset_revisions(
             if not await check_action_access(  # type: ignore
                 user_uid=request.state.user_id,
                 project_id=request.state.project_id,
-                permission=Permission.EDIT_EVALUATORS,  # type: ignore
+                permission=Permission.VIEW_TESTSETS,  # type: ignore
             ):
                 raise FORBIDDEN_EXCEPTION  # type: ignore
 
@@ -1260,7 +1260,7 @@ async def log_testset_revisions(
             if not await check_action_access(  # type: ignore
                 user_uid=request.state.user_id,
                 project_id=request.state.project_id,
-                permission=Permission.EDIT_EVALUATORS,  # type: ignore
+                permission=Permission.VIEW_TESTSETS,  # type: ignore
             ):
                 raise FORBIDDEN_EXCEPTION  # type: ignore
 
