fix(domain): make Editor capability policy fail-closed (exhaustive match)

2026-06-02 14:32:13 +02:00
parent 74b2cf65ed
commit 9597a42eeb
1 changed files with 11 additions and 1 deletions
@@ -88,10 +88,20 @@ impl Role {
    }

    /// The authorization policy: whether this role may perform `capability`.
+    ///
+    /// The `Editor` arm is an exhaustive `match` on purpose: adding a new
+    /// [`Capability`] variant is a compile error here until its Editor access is
+    /// decided explicitly, so the policy fails closed rather than silently granting
+    /// new capabilities to Editors.
    pub fn allows(self, capability: Capability) -> bool {
        match self {
            Role::Admin => true,
-            Role::Editor => !matches!(capability, Capability::ManageUsers),
+            Role::Editor => match capability {
+                Capability::EditCatalogue
+                | Capability::PublishObjects
+                | Capability::ViewInternal => true,
+                Capability::ManageUsers => false,
+            },
        }
    }
 }