From cd7a5c66e021f5c228cb62c9be14ef003cc404a6 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Fri, 23 Jan 2026 16:51:00 -0300
Subject: [PATCH] auth: allow account access without group claims

---
 ariadne/app.py    |  2 ++
 tests/test_app.py | 13 ++++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/ariadne/app.py b/ariadne/app.py
index d625ddf..a3c3ea7 100644
--- a/ariadne/app.py
+++ b/ariadne/app.py
@@ -129,6 +129,8 @@ def _require_admin(ctx: AuthContext) -> None:
 def _require_account_access(ctx: AuthContext) -> None:
     if not settings.account_allowed_groups:
         return
+    if not ctx.groups:
+        return
     if set(ctx.groups).intersection(settings.account_allowed_groups):
         return
     raise HTTPException(status_code=403, detail="forbidden")
diff --git a/tests/test_app.py b/tests/test_app.py
index 3af8e4a..b13f6c8 100644
--- a/tests/test_app.py
+++ b/tests/test_app.py
@@ -89,7 +89,7 @@ def test_forbidden_admin(monkeypatch) -> None:
 
 def test_account_access_denied(monkeypatch) -> None:
-    ctx = AuthContext(username="alice", email="", groups=[], claims={})
+    ctx = AuthContext(username="alice", email="", groups=["guest"], claims={})
     client = _client(monkeypatch, ctx)
 
     resp = client.post(
@@ -99,6 +99,17 @@ def test_account_access_denied(monkeypatch) -> None:
     assert resp.status_code == 403
 
 
+def test_account_access_allows_missing_groups(monkeypatch) -> None:
+    ctx = AuthContext(username="alice", email="", groups=[], claims={})
+    client = _client(monkeypatch, ctx)
+
+    resp = client.post(
+        "/api/account/firefly/reset",
+        headers={"Authorization": "Bearer token"},
+    )
+    assert resp.status_code != 403
+
+
 def test_metrics_endpoint(monkeypatch) -> None:
     ctx = AuthContext(username="", email="", groups=[], claims={})
     client = _client(monkeypatch, ctx)
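Review bot: The added `if not ctx.groups: return` in `_require_account_access` makes the group allow-list fail open: once `settings.account_allowed_groups` is configured, a principal whose token carries no group claim at all is granted account access, while a principal with a non-matching group is still refused with 403. An allow-list should treat missing membership evidence the same as non-membership, otherwise any identity provider or claim-mapping change that stops emitting groups silently widens access to the reset endpoint. If callers without group claims genuinely must be admitted, gate that on an explicit opt-in setting rather than making it the default, e.g. `if not ctx.groups and settings.ALLOW_MISSING_GROUPS_FLAG:  # placeholder name` followed by `return`, and emit an audit log entry on that branch so the exception is visible in security review. The whole function body is visible in this hunk, ending at the `raise HTTPException(...)` line.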
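Review bot: `assert resp.status_code != 403` in the new `test_account_access_allows_missing_groups` is too loose to pin the behavior the commit introduces: it also passes for a 401, a 404 or a 500, so a regression that breaks the reset endpoint entirely would keep the suite green. Assert the concrete status the endpoint returns to an authorized caller — the value is not visible in this hunk, but the success-path tests elsewhere in `tests/test_app.py` should establish it — for example `assert resp.status_code == 200`. A one-line docstring such as `"""A caller with no group claims is admitted when account_allowed_groups is set."""` would also record that this test deliberately encodes that policy, so a later reader does not mistake it for an accidental gap.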