Fix predefined catalog visibility and port security must-know guidance

2026-03-01 21:15:12 -03:00
parent 32b4589b28
commit 874597e40b
4 changed files with 275 additions and 26 deletions
--- a/backend/app/api/routes_documents.py
+++ b/backend/app/api/routes_documents.py
@@ -50,6 +50,31 @@ def _scope_document_statement_for_auth_context(statement, auth_context: AuthCont
    return statement.where(Document.owner_user_id == auth_context.user_id)


+def _is_predefined_entry_visible_to_auth_context(entry: dict[str, object], auth_context: AuthContext) -> bool:
+    """Returns whether one predefined catalog entry is visible to the active caller role."""
+
+    if auth_context.role == UserRole.ADMIN:
+        return True
+    return bool(entry.get("global_shared", False))
+
+
+def _collect_visible_predefined_values(
+    entries: list[dict[str, object]],
+    *,
+    auth_context: AuthContext,
+) -> set[str]:
+    """Collects normalized predefined values visible for the active caller role."""
+
+    visible_values: set[str] = set()
+    for entry in entries:
+        if not _is_predefined_entry_visible_to_auth_context(entry, auth_context):
+            continue
+        normalized = str(entry.get("value", "")).strip()
+        if normalized:
+            visible_values.add(normalized)
+    return visible_values
+
+
 def _ensure_document_access(document: Document, auth_context: AuthContext) -> None:
    """Enforces owner-level access for non-admin users and raises not-found on violations."""

@@ -397,9 +422,10 @@ def list_tags(
    rows = session.execute(statement).scalars().all()
    tags = {tag for row in rows for tag in row if tag}
    tags.update(
-        str(item.get("value", "")).strip()
-        for item in read_predefined_tags_settings()
-        if str(item.get("value", "")).strip()
+        _collect_visible_predefined_values(
+            read_predefined_tags_settings(),
+            auth_context=auth_context,
+        )
    )
    tags = sorted(tags)
    return {"tags": tags}
@@ -421,9 +447,10 @@ def list_paths(
    rows = session.execute(statement).scalars().all()
    paths = {row for row in rows if row}
    paths.update(
-        str(item.get("value", "")).strip()
-        for item in read_predefined_paths_settings()
-        if str(item.get("value", "")).strip()
+        _collect_visible_predefined_values(
+            read_predefined_paths_settings(),
+            auth_context=auth_context,
+        )
    )
    paths = sorted(paths)
    return {"paths": paths}