indigo
/
LinkDesk
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
LinkDesk/backend/docs/shot-access-403-fix.md

3.1 KiB
Raw Permalink Blame History

Shot Access 403 Error Fix

Problem

Admin users were getting 403 Forbidden errors when trying to access shot details, even though they should have access to all shots.

Root Cause

The check_episode_access() function in backend/routers/shots.py was using implicit logic:

  • It only checked if the user was an artist
  • If not an artist, it assumed access was granted
  • However, this logic failed because it didn't explicitly handle the case where a user has is_admin=True

The original code:

# Check project access for artists
if current_user.role == UserRole.ARTIST:
    member = db.query(ProjectMember).filter(
        ProjectMember.project_id == episode.project_id,
        ProjectMember.user_id == current_user.id
    ).first()
    if not member:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Access denied to this project"
        )

return episode

Solution

Added explicit checks for admins and coordinators at the beginning of the function:

# Admins and coordinators have access to all episodes
if current_user.is_admin or current_user.role == UserRole.COORDINATOR:
    return episode

# Check project access for artists and other roles
if current_user.role == UserRole.ARTIST:
    member = db.query(ProjectMember).filter(
        ProjectMember.project_id == episode.project_id,
        ProjectMember.user_id == current_user.id
    ).first()
    if not member:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Access denied to this project"
        )

return episode

Changes Made

File: backend/routers/shots.py Function: check_episode_access() (lines 44-72)

Before

  • Implicit access for non-artists
  • No explicit admin check

After

  • Explicit early return for admins (is_admin=True)
  • Explicit early return for coordinators (role=COORDINATOR)
  • Clear access control logic

Testing

Test Script

Created backend/test_admin_shot_access.py to verify:

  • ✓ Admins can access any episode
  • ✓ Coordinators can access any episode
  • ✓ Artists can only access episodes in their projects

Manual Testing

  1. Login as admin
  2. Navigate to any project
  3. Click on any shot
  4. Shot detail panel should open without 403 error

Impact

Fixed

  • Admins can now access all shot details
  • Coordinators can access all shot details
  • No more 403 errors for privileged users

Unchanged

  • Artists still require project membership
  • Security model remains intact
  • No breaking changes to API

Related Files

  • backend/routers/shots.py - Main fix
  • backend/test_admin_shot_access.py - Test script
  • frontend/src/components/shot/ShotDetailPanel.vue - Frontend component (no changes needed)

Deployment Notes

  • No database migration required
  • No frontend changes required
  • Backend restart required to apply fix
  • Backward compatible

Prevention

This issue occurred because the access control logic relied on implicit behavior. Future improvements:

  1. Always use explicit checks for privileged roles
  2. Add comprehensive access control tests
  3. Document access control logic clearly

Date

November 17, 2025