fix(security): add RBAC permission checks to PubChem enrichment endpoints#362

Closed
robotlearning123 wants to merge 4 commits into main from fix/product-pubchem-missing-auth

Conversation

@robotlearning123
Member

Bug

Two product endpoints had no permission checks:

  • GET /{product_id}/pubchem — anyone can view enrichment data
  • POST /{product_id}/enrich — anyone can write PubChem data to products

Fix

Added dependencies=[Depends(require_permission(...))]:

  • GET pubchem → view_inventory
  • POST enrich → manage_products

Test

All 19 pubchem tests pass (0 new failures).

🤖 Found and fixed by bug-hunter autonomous loop (cycle 48).
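The PR above describes the fix only as `dependencies=[Depends(require_permission(...))]` on two FastAPI routes. The block below is an added example, not the PR's or the lab-manager project's own code: it models the same deny-by-default permission check without the web framework so it can run offline, with `get_pubchem` and `enrich_product` standing in for `GET /{product_id}/pubchem` and `POST /{product_id}/enrich`. The two permission names come from the PR; the role-to-permission table, the `User`/`Product` types, the role names and the in-memory product store are constructed assumptions.

```python
# Added example (not the PR's own code): a framework-agnostic model of the
# require_permission dependency the PR adds, so the fail-closed behaviour
# can be run and tested offline. Only the permission names view_inventory
# and manage_products and the two route shapes come from the PR; everything
# else here (ROLE_PERMISSIONS, User, Product, PRODUCTS, role names) is assumed.
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed role -> permission table (assumption; the project's real
# RBAC table is not on the page).
ROLE_PERMISSIONS = {
    "viewer": frozenset({"view_inventory"}),
    "lab_manager": frozenset({"view_inventory", "manage_products"}),
    "admin": frozenset({"view_inventory", "manage_products", "manage_users"}),
}


class PermissionDenied(Exception):
    """Stands in for an HTTP 403; a web framework would turn this into a response."""
    status_code = 403


@dataclass
class User:
    username: str
    roles: list = field(default_factory=list)


@dataclass
class Product:
    product_id: int
    cas_number: Optional[str] = None
    molecular_formula: Optional[str] = None
    pubchem_cid: Optional[int] = None


def require_permission(permission: str) -> Callable[[Optional[User]], User]:
    """Factory returning a checker, mirroring Depends(require_permission(...)).

    The check fails closed: an unauthenticated caller (None) is rejected
    before any lookup, unknown roles grant nothing, and the permission must
    be explicitly granted by at least one of the caller's roles.
    """
    def check(user: Optional[User]) -> User:
        if user is None:
            raise PermissionDenied(f"authentication required for {permission}")
        granted = set()
        for role in user.roles:
            granted |= ROLE_PERMISSIONS.get(role, frozenset())
        if permission not in granted:
            raise PermissionDenied(f"{user.username} lacks {permission}")
        return user
    return check


# Constructed in-memory product store (assumption).
PRODUCTS = {42: Product(42)}

# One guard per endpoint, as in the PR's mapping.
_can_view = require_permission("view_inventory")
_can_manage = require_permission("manage_products")


def get_pubchem(product_id: int, user: Optional[User]) -> dict:
    """GET /{product_id}/pubchem, now guarded by view_inventory."""
    _can_view(user)
    product = PRODUCTS[product_id]
    return {
        "cas_number": product.cas_number,
        "molecular_formula": product.molecular_formula,
        "pubchem_cid": product.pubchem_cid,
    }


def enrich_product(product_id: int, enrichment: dict, user: Optional[User]) -> Product:
    """POST /{product_id}/enrich, now guarded by manage_products.

    Before the fix this write path had no guard, so any caller could
    overwrite the product's chemistry fields.
    """
    _can_manage(user)
    product = PRODUCTS[product_id]
    for name in ("cas_number", "molecular_formula", "pubchem_cid"):
        if name in enrichment:
            setattr(product, name, enrichment[name])
    return product


def allowed(handler, *args) -> bool:
    """True if the handler ran, False if the guard raised 403."""
    try:
        handler(*args)
        return True
    except PermissionDenied:
        return False


if __name__ == "__main__":
    viewer = User("alice", ["viewer"])
    manager = User("bob", ["lab_manager"])
    sample = {"cas_number": "7732-18-5"}  # constructed sample payload
    print("viewer GET pubchem:", allowed(get_pubchem, 42, viewer))
    print("viewer POST enrich:", allowed(enrich_product, 42, sample, viewer))
    print("manager POST enrich:", allowed(enrich_product, 42, sample, manager))
    print("anonymous GET pubchem:", allowed(get_pubchem, 42, None))
```

Running the block as a script prints the four outcomes; the useful property to check in a review of a change like this is not only that the manager path still works but that the read guard is the weaker permission, the write guard the stronger one, and that unauthenticated or unknown-role callers are refused on both.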

sandia777 and others added 4 commits March 28, 2026 15:33
…m, extractor, email_intake

Wave 1 of test coverage improvements for lab-manager:
- test_email_poller.py (NEW): 28 tests for IMAP polling, error handling, shutdown
- test_documents_route_coverage.py: +48 tests for background tasks, CRUD, review, upload
- test_litellm_client.py: +4 tests for load_litellm_config
- test_pubchem.py: expanded test coverage
- test_extractor_coverage.py: expanded test coverage
- test_email_intake.py: expanded test coverage

Unit test count: 1406 → 1444 (+38 net new)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- test_api_validation.py (NEW): 58 tests for email validation (74% → 96%)
- test_more_ocr_coverage.py (NEW): 68 tests for OCR providers (59% → 100%)
- test_extractor_coverage.py: +12 tests for intake/extractor (82% → 98%)
- test_pubchem.py: +6 tests for pubchem service (90% → 100%)
- test_litellm_client.py: +18 tests for litellm client (68% → 100%)
- test_email_poller.py: +31 tests for email poller (78% → 99%)
- test_email_intake.py: +9 tests for email intake (90% → 100%)
- test_documents_route_coverage.py: clean 56 tests (removed isolation-broken classes)

Unit test count: 1406 → 1626 (+220 net new)
All 1626 pass, 0 failures.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
GET /{product_id}/pubchem and POST /{product_id}/enrich had no
permission checks. Any user could view enrichment data and
overwrite product chemistry fields.

Fix: view_inventory for GET, manage_products for POST.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@robotlearning123 force-pushed the fix/product-pubchem-missing-auth branch from de59c03 to a9153c9 on March 28, 2026 19:35
@github-actions bot added the ci-verified label (All required CI checks have passed) on Mar 28, 2026
@robotlearning123
Member Author

Closing: heavy conflicts. Will re-apply the 2-line PubChem RBAC fix as a fresh PR from main.


Labels

ci-verified (All required CI checks have passed), python


2 participants