test(#462): cover native RBAC personal scope intersection

2026-06-24 16:41:11 -05:00
parent 9ba79e58c4
commit a648c8c64d
2 changed files with 28 additions and 4 deletions
--- a/apps/gateway/src/federation/server/tests/scope.service.spec.ts
+++ b/apps/gateway/src/federation/server/tests/scope.service.spec.ts
@@ -8,6 +8,7 @@
 *  - invalid requested limit deny
 *  - native RBAC deny as subjectUserId
 *  - scope/native filter intersection for personal and team rows
+ *  - native RBAC personal deny wins over scope include_personal allow/default
 *  - max_rows_per_query cap
 */

@@ -122,6 +123,29 @@ describe('FederationScopeService', () => {
    });
  });

+  it('does not leak personal rows when scope allows personal but native RBAC denies personal', async () => {
+    const result = await service.evaluateAccess({
+      context: makeContext({
+        resources: ['tasks'],
+        filters: { tasks: { include_personal: true } },
+        max_rows_per_query: 25,
+      }),
+      resource: 'tasks',
+      nativeRbac: makeNativeRbac({
+        allowed: true,
+        access: { includePersonal: false, teamIds: ['team-1'] },
+      }),
+    });
+
+    expect(result).toMatchObject({
+      allowed: true,
+      filter: {
+        includePersonal: false,
+        teamIds: ['team-1'],
+      },
+    });
+  });
+
  it('does not widen native RBAC when scope includes teams the user cannot access', async () => {
    const result = await service.evaluateAccess({
      context: makeContext({