Merge pull request #1600 from Lifto/feat/action-responses

tisnik · web-flow · commit 2ee5f84a45db · 2026-04-27T20:39:01.000+02:00
feat: add Action.RESPONSES for /responses endpoint authorization
diff --git a/src/app/endpoints/responses.py b/src/app/endpoints/responses.py
@@ -204,7 +204,7 @@ def _queue_responses_splunk_event(  # pylint: disable=too-many-arguments,too-man
     response_model=None,
     summary="Responses Endpoint Handler",
 )
-@authorize(Action.QUERY)
+@authorize(Action.RESPONSES)
 async def responses_endpoint_handler(
     request: Request,
     responses_request: ResponsesRequest,
diff --git a/src/models/config.py b/src/models/config.py
@@ -991,6 +991,9 @@ class Action(str, Enum):
     # Access the query endpoint
     QUERY = "query"
 
+    # Access the responses endpoint
+    RESPONSES = "responses"
+
     # Access the streaming query endpoint
     STREAMING_QUERY = "streaming_query"
 
diff --git a/tests/unit/app/endpoints/test_responses.py b/tests/unit/app/endpoints/test_responses.py
@@ -164,7 +164,7 @@ def _patch_handle_non_streaming_common(
 def dummy_request_fixture() -> Request:
     """Minimal FastAPI Request with authorized_actions for responses endpoint."""
     req = Request(scope={"type": "http", "headers": []})
-    req.state.authorized_actions = {Action.QUERY, Action.READ_OTHERS_CONVERSATIONS}
+    req.state.authorized_actions = {Action.RESPONSES, Action.READ_OTHERS_CONVERSATIONS}
     return req
 
 
@@ -636,6 +636,40 @@ async def test_tool_choice_none_without_tools_does_not_load_server_tools(
         assert call_kwargs["request"].tools is None
         assert call_kwargs["request"].tool_choice is None
 
+    @pytest.mark.asyncio
+    async def test_responses_endpoint_rejects_without_responses_action(
+        self,
+        mocker: MockerFixture,
+    ) -> None:
+        """Verify that requests lacking Action.RESPONSES are rejected with 403.
+
+        Constructs a request whose authorized_actions includes Action.QUERY and
+        Action.READ_OTHERS_CONVERSATIONS but NOT Action.RESPONSES, then asserts
+        the @authorize(Action.RESPONSES) decorator raises HTTPException 403.
+        """
+        req = Request(scope={"type": "http", "headers": []})
+        req.state.authorized_actions = {Action.QUERY, Action.READ_OTHERS_CONVERSATIONS}
+
+        mock_role_resolver = mocker.AsyncMock()
+        mock_role_resolver.resolve_roles = mocker.AsyncMock(return_value=set())
+
+        mock_access_resolver = mocker.Mock()
+        mock_access_resolver.check_access.return_value = False
+
+        mocker.patch(
+            "authorization.middleware.get_authorization_resolvers",
+            return_value=(mock_role_resolver, mock_access_resolver),
+        )
+
+        with pytest.raises(HTTPException) as exc_info:
+            await responses_endpoint_handler(
+                request=req,
+                responses_request=ResponsesRequest(input="Hello"),
+                auth=MOCK_AUTH,
+                mcp_headers={},
+            )
+        assert exc_info.value.status_code == 403
+
 
 class TestHandleNonStreamingResponse:
     """Unit tests for handle_non_streaming_response."""

Original file line number	Diff line number	Diff line change
`@@ -204,7 +204,7 @@ def _queue_responses_splunk_event( # pylint: disable=too-many-arguments,too-man`
`204`	`204`	`response_model=None,`
`205`	`205`	`summary="Responses Endpoint Handler",`
`206`	`206`	`)`
`207`		`-@authorize(Action.QUERY)`
	`207`	`+@authorize(Action.RESPONSES)`
`208`	`208`	`async def responses_endpoint_handler(`
`209`	`209`	`request: Request,`
`210`	`210`	`responses_request: ResponsesRequest,`