authorizeAction walked `probe` up from the target's parent to the nearest EXISTING directory before computing the ACL chain. For a create deep under a not-yet-materialised canonical path — e.g. mkdir working/<party>/<name> when working/ and working/<party>/ don't exist on disk yet — that walk skipped the virtual working/ level and landed on the project root, where the embedded grant is only `document_controller: rw` (no `c`). Result: a bona-fide document_controller got 403 missing_verb=c creating in working/ (and party registration would fail the same way on a fresh project where ssr/ doesn't exist yet).

EffectivePolicy is virtual-path-aware — the paths: cascade resolves per-folder behaviour for directories that don't exist on disk — so the chain must be evaluated at filepath.Dir(absPath) directly. This applies the correct per-peer grant (working/ → document_controller rwcda, project_team cr; ssr/ → document_controller rwc) regardless of what's been physically created. Ancestor restrictions (WORM zones, inherit:false fences) still apply because they cascade through EffectivePolicy, so this is strictly more correct, never more permissive than the cascade intends.

Regression test: a document_controller (role member, not admin, un-elevated) registers a party and mkdirs under working/<party>/.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>