vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-26 16:41:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

Gateway: allow operator admin scope for pairing and approvals

Browse Source
This commit is contained in:
Vignesh Natarajan
2026-02-21 19:37:04 -08:00
parent 68cb4fc8a1
commit 55d492b4cd
3 changed files with 34 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
src/shared/operator-scope-compat.test.ts
View File

@@ -43,6 +43,33 @@ describe("roleScopesAllow", () => {
).toBe(true);
});
it("treats operator.approvals/operator.pairing as satisfied by operator.admin", () => {
expect(
roleScopesAllow({
role: "operator",
requestedScopes: ["operator.approvals"],
allowedScopes: ["operator.admin"],
}),
).toBe(true);
expect(
roleScopesAllow({
role: "operator",
requestedScopes: ["operator.pairing"],
allowedScopes: ["operator.admin"],
}),
).toBe(true);
});
it("does not treat operator.admin as satisfying non-operator scopes", () => {
expect(
roleScopesAllow({
role: "operator",
requestedScopes: ["system.run"],
allowedScopes: ["operator.admin"],
}),
).toBe(false);
});
it("uses strict matching for non-operator roles", () => {
expect(
roleScopesAllow({

12
src/shared/operator-scope-compat.ts
View File

@@ -2,6 +2,7 @@ const OPERATOR_ROLE = "operator";
const OPERATOR_ADMIN_SCOPE = "operator.admin";
const OPERATOR_READ_SCOPE = "operator.read";
const OPERATOR_WRITE_SCOPE = "operator.write";
const OPERATOR_SCOPE_PREFIX = "operator.";
function normalizeScopeList(scopes: readonly string[]): string[] {
const out = new Set<string>();
@@ -15,15 +16,14 @@ function normalizeScopeList(scopes: readonly string[]): string[] {
}
function operatorScopeSatisfied(requestedScope: string, granted: Set<string>): boolean {
if (granted.has(OPERATOR_ADMIN_SCOPE) && requestedScope.startsWith(OPERATOR_SCOPE_PREFIX)) {
return true;
}
if (requestedScope === OPERATOR_READ_SCOPE) {
return (
granted.has(OPERATOR_READ_SCOPE) ||
granted.has(OPERATOR_WRITE_SCOPE) ||
granted.has(OPERATOR_ADMIN_SCOPE)
);
return granted.has(OPERATOR_READ_SCOPE) || granted.has(OPERATOR_WRITE_SCOPE);
}
if (requestedScope === OPERATOR_WRITE_SCOPE) {
return granted.has(OPERATOR_WRITE_SCOPE) || granted.has(OPERATOR_ADMIN_SCOPE);
return granted.has(OPERATOR_WRITE_SCOPE);
}
return granted.has(requestedScope);
}