Fix omission of groups from authorization check

Signed-off-by: Ada <[email protected]>
globus · Dec 11, 2023 · 1b5123c · 1b5123c
1 parent d08f34d
commit 1b5123c
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 8 deletions.
diff --git a/changelog.d/20231211_124332_ada_fix_groups_membership_check_bug.rst b/changelog.d/20231211_124332_ada_fix_groups_membership_check_bug.rst
@@ -0,0 +1,4 @@
+Bugfixes
+--------
+
+- Groups were not being properly considered in authorization checks.
diff --git a/globus_action_provider_tools/authentication.py b/globus_action_provider_tools/authentication.py
@@ -331,25 +331,23 @@ def check_authorization(
         allow_public: bool = False,
         allow_all_authenticated_users: bool = False,
     ) -> bool:
-        allowed_set = frozenset(allowed_principals)
+        allowed_set = set(allowed_principals)
         all_principals = self.identities
         # We only need to merge in the groups values to the principals list if there are
         # group principals in the list. Can save a round trip to the Groups service if
         # there's no need to check for group membership.
         if AuthState.group_in_principal_list(allowed_set):
-            allowed_principals = set(allowed_principals).union(self.groups)
-        if (
+            allowed_set = allowed_set.union(self.groups)
+
+        return (
             (allow_public and "public" in allowed_set)
-            or (allowed_set.intersection(all_principals))
+            or bool(allowed_set.intersection(all_principals))
             or (
                 allow_all_authenticated_users
                 and "all_authenticated_users" in allowed_set
                 and len(self.identities) > 0
             )
-        ):
-            return True
-        else:
-            return False
+        )
 
 
 class TokenChecker: