Permissions not respected

[mkimberlin]

Describe the bug
Something broke permissions. They aren't being respected when calls are made to the controllers.

To Reproduce
Steps to reproduce the behavior:

1. Remove any permission
2. Attempt to perform a related capability
3. Notice that it works regardless of the lack of permission

Expected behavior
I would expect unauthorized errors to be thrown

Screenshots
Case 1:

Case 2:

Case 3:

Additional context
This is currently happening in the development environment

[ZacharyKlein]

The issue is that we are currently checking permissions (in PermissionSecurityRule) via the permissions claim on the user's JWT authentication. However, this claim is not updated when permissions are updated for a given role. Nor is there any way to update the token when permission/role assignments are changed (since this is a stateless auth flow).

What's happening now is that the updated permissions do take affect, after the user logs in again. So permissions are respected, but any flow that keys off of the JWT (as the PermissionSecurityRule annotation does) is going to have to wait until the user's next login for that to take affect.

I see two potential routes to improve this behavior:
1 - Programmatically force a re-login whenever a permission assignment changes for a role.
2 - Update the flows that currently inspect the JWT for permissions, to instead use the user's role (like before), and then query the database for the current permission assignments for that role.

I think #2 is the superior approach. It has a major downside in that it means we would be querying the database every time a secured route is accessed, however this could be minimized with smart caching of role/permission assignments, with explicit clearing of the cache whenever role/permission assignements are updated. I think if done correctly we can minimize the database interactions to basically once per role, until an update is made.

[mkimberlin]

@ZacharyKlein That makes sense. I was wondering why our tests didn't show this behavior...this explains it.

I concur with your assessment. I would go ahead and start down that path.