AAP-54119 Fix per-attribute ANY semantics & empty attribute handling #846
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…andling When a user attribute has multiple values, _process_user_value now evaluates them with ANY semantics (short-circuit on first match) and joins the result once via has_access_with_join. Previously we folded each element into has_access on every iteration, which effectively behaved like an AND across values and produced false negatives. Also treat empty/falsey user_value as no match and log a debug line, then join False for the attribute. This aligns attribute-level behavior with expected trigger semantics. Tests: update the explicit 'and' + list case to expect ALLOW on single match; add regression cases for cross-attribute AND/OR (cn contains 'ldap', employeeType contains 'manager'). Signed-off-by: yyuki <[email protected]>
|
DVCS PR Check Results: PR appears valid (JIRA key(s) found) |
AlanCoding
reviewed
Sep 29, 2025
| optional-dependencies.oauth2_provider = { file = [ "requirements/requirements_oauth2_provider.in" ] } | ||
| optional-dependencies.resource_registry = { file = [ "requirements/requirements_resource_registry.in" ] } | ||
| optional-dependencies.feature_flags = { file = [ "requirements/requirements_feature_flags.in" ] } | ||
| optional-dependencies.dev = { file = [ "requirements/requirements_dev.txt" ] } |
There was a problem hiding this comment.
interesting. I don't think this is a bad idea.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Linked issue: #845
What is being changed?
_process_user_value:False.optional-dependencies.devinpyproject.toml.test_claims.pyexpectations and add regression cases.Why is this change needed?
The previous implementation folded each value into
has_access_with_joiniteratively, effectively resulting in AND semantics, which caused false negatives when only one match should allow access.Also, empty attributes were not properly handled.
How does this change address the issue?
Type of Change
Testing Instructions
Prerequisites
rye sync --features "rbac,feature_flags,testing,dev"DJANGO_SETTINGS_MODULE=test_app.sqlite3settingsSteps to Test
Set up the test environment.
Run the following tests:
Verify that all tests pass.
Expected Results
SKIP).cn/employeeTypewith AND/OR conditions) behave as expected.Additional Context
Required Actions
In version 2.5 this field indicates what will happen if the source system returns a list of attributes instead of a single value. For example, if the source system returns multiple emails for a user and Operation was set to and, all of the given emails must match the Comparison for the trigger to be True.