6 changes: 3 additions & 3 deletions addons/static/templates/policy_cache_transformer_persona.json
Expand Up @@ -1169,7 +1169,7 @@
"relationship-type:*",
"end-one-entity-type:AIModel",
"end-one-entity-classification:*",
"end-one-entity:{entity}",
"end-one-entity:*",
"end-one-entity:{entity}/*",

"end-two-entity-type:Catalog",
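Review bot: replacing `end-one-entity:{entity}` with `end-one-entity:*` drops the per-model scoping on the end-one side of this relationship rule, and the surviving `end-one-entity:{entity}/*` line no longer narrows anything because `*` already matches every AIModel entity. If the intent is still to cover the persona's own model and its children, keep `"end-one-entity:{entity}"` next to `"end-one-entity:{entity}/*"`; if any AIModel is meant to be allowed, remove the now-redundant `{entity}/*` line and state that in the policy description so the broadening is deliberate rather than accidental.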
@@ -1199,7 +1199,7 @@

"end-two-entity-type:AIModel",
"end-two-entity-classification:*",
"end-two-entity:{entity}",
"end-two-entity:*",
Bug: Redundant Wildcard Patterns in Policies

Several policy definitions now include both a broad wildcard * and a more specific {entity}/* pattern for the same entity type. This makes the {entity}/* pattern redundant, as the * wildcard already covers all entities, leading to an inconsistent resource specification.

"end-two-entity:{entity}/*"
],
"actions": ["add-relationship", "remove-relationship"]
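Review bot: the same broadening is applied to the end-two side here, so `add-relationship` and `remove-relationship` now match any AIModel as end-two while `end-two-entity:{entity}/*` sits beside `end-two-entity:*` as dead scope. Either restore `"end-two-entity:{entity}"` or drop the `{entity}/*` line; whichever way the end-one hunk above is resolved, this hunk should be made consistent with it.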
@@ -1209,7 +1209,7 @@
"policyType": "ACCESS",
"description": "Create/delete process to update datasets for this AIModel",
"resources": [
"entity:default/ai/dataset/*",
"entity:*",
Bug: Policy Pattern Inconsistency Causes Access Issues

Policy resource patterns were inconsistently broadened from specific entities (e.g., default/ai/dataset/*, {entity}) to global wildcards (*). This grants overly broad access for relationship and entity operations. It also creates logical inconsistencies by including both * and {entity}/* patterns within the same policy, making it confusing and redundant.

Bug: Access Control Policy Too Permissive

The access control policy for entity create/delete operations is overly permissive. The resource changed from entity:default/ai/dataset/* to entity:*, allowing creation/deletion of any entity instead of only AI dataset processes. This grants unintended elevated privileges.

"entity-type:Process",
"entity-classification:*"
],
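Review bot: widening `entity:default/ai/dataset/*` to `entity:*` in a policy whose description still reads "Create/delete process to update datasets for this AIModel" means the resource match is now every entity that satisfies the remaining `entity-type:Process` and `entity-classification:*` constraints, regardless of namespace or owning model, not only the dataset processes under `default/ai/dataset`. If the goal is to allow processes outside that namespace, use a `{entity}`-scoped pattern such as `"entity:{entity}/*"` or list the namespaces actually needed, and update the description to match; as written the description and the resource no longer agree.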