Beta helper #5450
Beta helper #5450
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| "description": "Create/delete process to update datasets for this AIModel", | ||
| "resources": [ | ||
| "entity:default/ai/dataset/*", | ||
| "entity:*", |
There was a problem hiding this comment.
Bug: Policy Pattern Inconsistency Causes Access Issues
Policy resource patterns were inconsistently broadened from specific entities (e.g., default/ai/dataset/*, {entity}) to global wildcards (*). This grants overly broad access for relationship and entity operations. It also creates logical inconsistencies by including both * and {entity}/* patterns within the same policy, making it confusing and redundant.
| "description": "Create/delete process to update datasets for this AIModel", | ||
| "resources": [ | ||
| "entity:default/ai/dataset/*", | ||
| "entity:*", |
There was a problem hiding this comment.
Bug: Access Control Policy Too Permissive
The access control policy for entity create/delete operations is overly permissive. The resource changed from entity:default/ai/dataset/* to entity:*, allowing creation/deletion of any entity instead of only AI dataset processes. This grants unintended elevated privileges.
| "end-two-entity-type:AIModel", | ||
| "end-two-entity-classification:*", | ||
| "end-two-entity:{entity}", | ||
| "end-two-entity:*", |
There was a problem hiding this comment.
Bug: Redundant Wildcard Patterns in Policies
Several policy definitions now include both a broad wildcard * and a more specific {entity}/* pattern for the same entity type. This makes the {entity}/* pattern redundant, as the * wildcard already covers all entities, leading to an inconsistent resource specification.
No description provided.