Enforce permission edit_default_branch when loading schema

opsmill · Nov 16, 2024 · e6286c5 · e6286c5
1 parent 699f998
commit e6286c5
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/backend/infrahub/api/schema.py b/backend/infrahub/api/schema.py
@@ -260,6 +260,17 @@ async def load_schema(
         ):
             raise PermissionDeniedError("You are not allowed to manage the schema")
 
+        if branch.name in (GLOBAL_BRANCH_NAME, registry.default_branch) and not await permission_backend.has_permission(
+            db=db,
+            account_session=account_session,
+            permission=GlobalPermission(
+                action=GlobalPermissions.EDIT_DEFAULT_BRANCH.value,
+                decision=PermissionDecision.ALLOW_DEFAULT.value,
+            ),
+            branch=branch,
+        ):
+            raise PermissionDeniedError("You are not allowed to edit the schema in the default branch")
+
     service: InfrahubServices = request.app.state.service
     log.info("schema_load_request", branch=branch.name)
 

diff --git a/changelog/4958.fixed.md b/changelog/4958.fixed.md
@@ -0,0 +1 @@
+Permission edit_default_branch is now enforced properly when loading a schema
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Permission edit_default_branch is now enforced properly when loading a schema