
bump dev/ci tools #182

Merged: bdewilde merged 8 commits into develop from bump-dev-tools on Jan 10, 2026

Conversation

@bdewilde (Member) commented Jan 10, 2026

changes

  • bumps ty from v0.0.7 to v0.0.11, and fixes a handful of typing issues now flagged
  • bumps setup-uv in ci from v7.1 to v7.2, and tweaks its config
  • sets types and style checks to run in both PY3.11 and PY3.12

context

just some dev cleanup

questions


Note

Dev/CI updates

  • Update .github/actions/setup-python-env to astral-sh/setup-uv@v7.2.0, pass python-version, enable caching, and keep uv sync install flow
  • Expand checks.yml matrices for style and type jobs to Python 3.11 and 3.12 (Ubuntu), and use shared setup action
  • Bump ty to 0.0.11 in pyproject.toml and uv.lock

Code typing cleanups (non-functional)

  • Remove assorted # type: ignore and add light guards (e.g., getattr(review, "status", None) in authz.user_is_allowed_for_review)
  • Minor typing/annotation touch-ups across API routes, models, tasks, and fileio/ris.py

Written by Cursor Bugbot for commit f07cd4d.

@bdewilde bdewilde marked this pull request as ready for review January 10, 2026 16:47
@bdewilde bdewilde merged commit 0907644 into develop Jan 10, 2026
7 checks passed
@bdewilde bdewilde deleted the bump-dev-tools branch January 10, 2026 16:47

@cursor cursor bot left a comment


This PR is being reviewed by Cursor Bugbot


)
# allowed is conditional on review being frozen or not
and (if_frozen is True or review.status != "frozen") # type: ignore
and (if_frozen is True or getattr(review, "status", None) != "frozen")
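Review bot: the added line fails open when the review lookup returned None. `getattr(review, "status", None)` then yields None, `None != "frozen"` is True, and the conjunction no longer depends on the review existing, whereas the removed `review.status` access would have raised AttributeError. Fail closed instead with an explicit existence check ahead of the status comparison, e.g. `and review is not None` as its own clause, or return False early when the lookup yields None, so the `# type: ignore` goes away without changing the authorization outcome.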

Authorization returns True for non-existent reviews

Medium Severity

The change from review.status to getattr(review, "status", None) alters authorization behavior when the review doesn't exist. When db.session.get() returns None (non-existent review), getattr(None, "status", None) returns None, and None != "frozen" evaluates to True. This causes user_is_allowed_for_review to return True for admin users accessing non-existent reviews, where previously it would raise an AttributeError. The function semantically indicates a user is "allowed" for a review that doesn't exist, which could lead to confusing downstream behavior or information leakage through 403/404 response differences.

🔬 Verification Test

Why verification test was not possible: This is a Flask application with database dependencies (SQLAlchemy, PostgreSQL). Testing would require setting up the full application context, database fixtures, and mocking the Flask extensions. The logic error is apparent from tracing the code: when review is None, getattr(None, "status", None) returns None, and None != "frozen" is True, so an admin user passes all authorization checks for a non-existent review.

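The fail-open path described in the comment above, shown side by side with a fail-closed variant. This is an added illustration, not code from the project: the `User` and `Review` classes and the admin condition are constructed stand-ins for the real models, and only the shape of the `if_frozen`/status clause is taken from the diff.

```python
from dataclasses import dataclass
from typing import Optional


# Constructed stand-ins for the project's ORM objects (hypothetical).
@dataclass
class User:
    is_admin: bool


@dataclass
class Review:
    status: str


def allowed_with_getattr_guard(user: User, review: Optional[Review], if_frozen: bool = False) -> bool:
    """Mirrors the merged check. A missing review (None) has no status, so
    getattr(...) returns None, None != "frozen" is True, and an admin is
    reported as allowed for a review that does not exist."""
    return user.is_admin and (
        if_frozen is True or getattr(review, "status", None) != "frozen"
    )


def allowed_fail_closed(user: User, review: Optional[Review], if_frozen: bool = False) -> bool:
    """Hardened variant: a review that was not found is never authorized, and
    the status comparison only runs on a real object (no type: ignore needed)."""
    if review is None:
        return False
    return user.is_admin and (if_frozen is True or review.status != "frozen")


if __name__ == "__main__":
    admin = User(is_admin=True)
    print("getattr guard, missing review:", allowed_with_getattr_guard(admin, None))
    print("fail-closed, missing review:  ", allowed_fail_closed(admin, None))
    print("fail-closed, frozen review:   ", allowed_fail_closed(admin, Review("frozen")))
```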
