From e6286c5d128d5a7a349ec8fd76450f4a92fea9c9 Mon Sep 17 00:00:00 2001
From: Damien Garros
Date: Sat, 16 Nov 2024 17:44:38 +0100
Subject: [PATCH] Enforce permission edit_default_branch when loading schema

---
 backend/infrahub/api/schema.py | 11 +++++++++++
 changelog/4958.fixed.md | 1 +
 2 files changed, 12 insertions(+)
 create mode 100644 changelog/4958.fixed.md

diff --git a/backend/infrahub/api/schema.py b/backend/infrahub/api/schema.py
index 32fbdaa83f..f0f1e693c6 100644
--- a/backend/infrahub/api/schema.py
+++ b/backend/infrahub/api/schema.py
@@ -260,6 +260,17 @@ async def load_schema(
 ):
 raise PermissionDeniedError("You are not allowed to manage the schema")
 
+ if branch.name in (GLOBAL_BRANCH_NAME, registry.default_branch) and not await permission_backend.has_permission(
+ db=db,
+ account_session=account_session,
+ permission=GlobalPermission(
+ action=GlobalPermissions.EDIT_DEFAULT_BRANCH.value,
+ decision=PermissionDecision.ALLOW_DEFAULT.value,
+ ),
+ branch=branch,
+ ):
+ raise PermissionDeniedError("You are not allowed to edit the schema in the default branch")
+
 service: InfrahubServices = request.app.state.service
 
 log.info("schema_load_request", branch=branch.name)
diff --git a/changelog/4958.fixed.md b/changelog/4958.fixed.md
new file mode 100644
index 0000000000..8ba1fd2e0c
--- /dev/null
+++ b/changelog/4958.fixed.md
@@ -0,0 +1 @@
+Permission edit_default_branch is now enforced properly when loading a schema
\ No newline at end of file
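Review bot: The new default-branch gate in load_schema is not covered by a test in this patch — only the changelog accompanies it — so a later regression that drops the EDIT_DEFAULT_BRANCH check for `registry.default_branch` or `GLOBAL_BRANCH_NAME` would pass unnoticed; a test that loads a schema into the default branch with an account lacking that permission and expects PermissionDeniedError would pin the fix. A short comment above the condition would also help the next reader, e.g. `# Loading a schema into the default or global branch additionally requires edit_default_branch.` The check itself mirrors the preceding manage-schema check almost line for line; if this pattern recurs elsewhere, folding both into a small helper that takes the GlobalPermission would keep the two gates consistent. load_schema starts and ends outside the hunk, so any other entry point that loads a schema cannot be confirmed from here to carry the same gate.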