From 2b994f300565aa3f8a8a5afc8a3755b4f83786d1 Mon Sep 17 00:00:00 2001
From: Timothy Messier <tim.messier@gmail.com>
Date: Tue, 13 Sep 2022 19:46:18 -0400
Subject: [PATCH] fix(perms): Properly resolve "only self" for permissions
 (#2448)

When generating permissions from the grants, if a single grant was
limited to the set of "self" actions, the permission would be marked as
only self, even if additional grants were given for non-self actions.
This would result in the generated permissions being more limiting then
they should be based on the grants. This only impacts the sessions list
endpoint. It would result in users that have been granted access to list
other user's sessions to be unable to see these results in the list
results.
---
 internal/perms/acl.go      |  3 ++-
 internal/perms/acl_test.go | 10 +++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/internal/perms/acl.go b/internal/perms/acl.go
index d64cf9a265..5141a201ce 100644
--- a/internal/perms/acl.go
+++ b/internal/perms/acl.go
@@ -241,6 +241,7 @@ func (a ACL) ListPermissions(requestedScopes map[string]*scopes.ScopeInfo, reque
 			ScopeId:  scopeId,
 			Resource: requestedType,
 			Action:   action.List,
+			OnlySelf: true, // default to only self to be restrictive
 		}
 
 		// Get grants for a specific scope id from the source of truth.
@@ -275,7 +276,7 @@ func (a ACL) ListPermissions(requestedScopes map[string]*scopes.ScopeInfo, reque
 					excludeList = append(excludeList, aa)
 				}
 			}
-			p.OnlySelf = excludeList.OnlySelf()
+			p.OnlySelf = p.OnlySelf && excludeList.OnlySelf()
 
 			switch grant.id {
 			case "*":
diff --git a/internal/perms/acl_test.go b/internal/perms/acl_test.go
index 4419306104..21cbbaf066 100644
--- a/internal/perms/acl_test.go
+++ b/internal/perms/acl_test.go
@@ -619,18 +619,18 @@ func TestACL_ListPermissions(t *testing.T) {
 				{
 					scope: "o_1",
 					grants: []string{
-						"id=*;type=session;actions=read:self",
-						"id=*;type=*;actions=list,read",
+						"id=*;type=*;actions=*",
+						"id=*;type=session;actions=cancel:self,list,read:self",
 					},
 				},
 			},
 			scopes:       map[string]*scopes.ScopeInfo{"o_1": nil},
-			resourceType: resource.Target,
-			actionSet:    action.ActionSet{action.List, action.Read},
+			resourceType: resource.Session,
+			actionSet:    action.ActionSet{action.NoOp, action.Read, action.ReadSelf, action.Cancel, action.CancelSelf},
 			expPermissions: []Permission{
 				{
 					ScopeId:     "o_1",
-					Resource:    resource.Target,
+					Resource:    resource.Session,
 					Action:      action.List,
 					ResourceIds: nil,
 					OnlySelf:    false,