fixup! lib,permission: add permission.drop

RafaelGSS · RafaelGSS · commit f36bd6633c38 · 2026-04-10T13:24:24.000-03:00
diff --git a/doc/api/process.md b/doc/api/process.md
@@ -4660,7 +4660,6 @@ cases:
 [`ChildProcess.disconnect()`]: child_process.md#subprocessdisconnect
 [`ChildProcess.send()`]: child_process.md#subprocesssendmessage-sendhandle-options-callback
 [`ChildProcess`]: child_process.md#class-childprocess
-[`ERR_ACCESS_DENIED`]: errors.md#err_access_denied
 [`Error`]: errors.md#class-error
 [`EventEmitter`]: events.md#class-eventemitter
 [`NODE_OPTIONS`]: cli.md#node_optionsoptions
diff --git a/src/permission/addon_permission.cc b/src/permission/addon_permission.cc
@@ -15,8 +15,8 @@ void AddonPermission::Apply(Environment* env,
 }
 
 void AddonPermission::Drop(Environment* env,
-                            PermissionScope scope,
-                            const std::string_view& param) {
+                           PermissionScope scope,
+                           const std::string_view& param) {
   deny_all_ = true;
 }
 
diff --git a/src/permission/child_process_permission.cc b/src/permission/child_process_permission.cc
@@ -16,8 +16,8 @@ void ChildProcessPermission::Apply(Environment* env,
 }
 
 void ChildProcessPermission::Drop(Environment* env,
-                                   PermissionScope scope,
-                                   const std::string_view& param) {
+                                  PermissionScope scope,
+                                  const std::string_view& param) {
   deny_all_ = true;
 }
 
diff --git a/src/permission/fs_permission.cc b/src/permission/fs_permission.cc
@@ -155,8 +155,8 @@ void FSPermission::Apply(Environment* env,
 }
 
 void FSPermission::Drop(Environment* env,
-                         PermissionScope scope,
-                         const std::string_view& param) {
+                        PermissionScope scope,
+                        const std::string_view& param) {
   if (param.empty()) {
     // Drop all access for this scope
     if (scope == PermissionScope::kFileSystemRead ||
@@ -192,19 +192,18 @@ void FSPermission::Drop(Environment* env,
   }
 }
 
-void FSPermission::RevokeAccess(PermissionScope perm,
-                                 const std::string& res) {
+void FSPermission::RevokeAccess(PermissionScope perm, const std::string& res) {
   const std::string path = WildcardIfDir(res);
   if (perm == PermissionScope::kFileSystemRead) {
-    auto it = std::find(granted_paths_in_.begin(),
-                        granted_paths_in_.end(), path);
+    auto it =
+        std::find(granted_paths_in_.begin(), granted_paths_in_.end(), path);
     if (it != granted_paths_in_.end()) {
       granted_paths_in_.erase(it);
       RebuildTree(PermissionScope::kFileSystemRead);
     }
   } else if (perm == PermissionScope::kFileSystemWrite) {
-    auto it = std::find(granted_paths_out_.begin(),
-                        granted_paths_out_.end(), path);
+    auto it =
+        std::find(granted_paths_out_.begin(), granted_paths_out_.end(), path);
     if (it != granted_paths_out_.end()) {
       granted_paths_out_.erase(it);
       RebuildTree(PermissionScope::kFileSystemWrite);
diff --git a/src/permission/inspector_permission.cc b/src/permission/inspector_permission.cc
@@ -15,8 +15,8 @@ void InspectorPermission::Apply(Environment* env,
 }
 
 void InspectorPermission::Drop(Environment* env,
-                                PermissionScope scope,
-                                const std::string_view& param) {
+                               PermissionScope scope,
+                               const std::string_view& param) {
   deny_all_ = true;
 }
 
diff --git a/src/permission/net_permission.cc b/src/permission/net_permission.cc
@@ -14,8 +14,8 @@ void NetPermission::Apply(Environment* env,
 }
 
 void NetPermission::Drop(Environment* env,
-                          PermissionScope scope,
-                          const std::string_view& param) {
+                         PermissionScope scope,
+                         const std::string_view& param) {
   allow_net_ = false;
 }
 
diff --git a/src/permission/permission.cc b/src/permission/permission.cc
@@ -300,8 +300,8 @@ void Permission::Apply(Environment* env,
 }
 
 void Permission::Drop(Environment* env,
-                       PermissionScope scope,
-                       const std::string_view& param) {
+                      PermissionScope scope,
+                      const std::string_view& param) {
   auto permission = nodes_.find(scope);
   if (permission != nodes_.end()) {
     permission->second->Drop(env, scope, param);
diff --git a/src/permission/wasi_permission.cc b/src/permission/wasi_permission.cc
@@ -16,8 +16,8 @@ void WASIPermission::Apply(Environment* env,
 }
 
 void WASIPermission::Drop(Environment* env,
-                           PermissionScope scope,
-                           const std::string_view& param) {
+                          PermissionScope scope,
+                          const std::string_view& param) {
   deny_all_ = true;
 }
 
diff --git a/src/permission/worker_permission.cc b/src/permission/worker_permission.cc
@@ -16,8 +16,8 @@ void WorkerPermission::Apply(Environment* env,
 }
 
 void WorkerPermission::Drop(Environment* env,
-                             PermissionScope scope,
-                             const std::string_view& param) {
+                            PermissionScope scope,
+                            const std::string_view& param) {
   deny_all_ = true;
 }
 
diff --git a/test/parallel/test-permission-drop-fs-granted-path.js b/test/parallel/test-permission-drop-fs-granted-path.js
@@ -1,6 +1,6 @@
 'use strict';
 
-// Tests that drop() only revokes the exact resource that was explicitly granted.
+require('../common');
 
 const { spawnSync } = require('child_process');
 const assert = require('assert');
@@ -9,8 +9,6 @@ const { isMainThread } = require('worker_threads');
 if (!isMainThread) {
   process.exit(0);
 }
-
-require('../common');
 const tmpdir = require('../common/tmpdir');
 const fs = require('fs');
 const path = require('path');
@@ -45,7 +43,7 @@ fs.writeFileSync(path.join(dir, 'item2.txt'), 'bbb');
   if (child.status !== 0) {
     console.error('Case 1 stderr:', child.stderr?.toString());
   }
-  assert.strictEqual(child.status, 0, 'Case 1 failed');
+  assert.strictEqual(child.status, 0);
 }
 
 // Grant a directory, drop the same directory - should revoke all access
@@ -69,7 +67,7 @@ fs.writeFileSync(path.join(dir, 'item2.txt'), 'bbb');
   if (child.status !== 0) {
     console.error('Case 2 stderr:', child.stderr?.toString());
   }
-  assert.strictEqual(child.status, 0, 'Case 2 failed');
+  assert.strictEqual(child.status, 0);
 }
 
 // Grant two directories, drop one - the other remains accessible
@@ -105,7 +103,7 @@ fs.writeFileSync(path.join(dir, 'item2.txt'), 'bbb');
   if (child.status !== 0) {
     console.error('Case 3 stderr:', child.stderr?.toString());
   }
-  assert.strictEqual(child.status, 0, 'Case 3 failed');
+  assert.strictEqual(child.status, 0);
 }
 
 // Grant a directory and a file inside it separately, drop the file
@@ -132,7 +130,7 @@ fs.writeFileSync(path.join(dir, 'item2.txt'), 'bbb');
   if (child.status !== 0) {
     console.error('Case 4 stderr:', child.stderr?.toString());
   }
-  assert.strictEqual(child.status, 0, 'Case 4 failed');
+  assert.strictEqual(child.status, 0);
 }
 
 // Drop entire scope without reference - revokes everything
@@ -156,5 +154,5 @@ fs.writeFileSync(path.join(dir, 'item2.txt'), 'bbb');
   if (child.status !== 0) {
     console.error('Case 5 stderr:', child.stderr?.toString());
   }
-  assert.strictEqual(child.status, 0, 'Case 5 failed');
+  assert.strictEqual(child.status, 0);
 }
diff --git a/test/parallel/test-permission-drop-fs-specific-path.js b/test/parallel/test-permission-drop-fs-specific-path.js
@@ -1,14 +1,14 @@
 'use strict';
 
+require('../common');
+
 const { spawnSync } = require('child_process');
 const assert = require('assert');
 const { isMainThread } = require('worker_threads');
 
 if (!isMainThread) {
   process.exit(0);
 }
-
-const common = require('../common');
 const tmpdir = require('../common/tmpdir');
 const fs = require('fs');
 const path = require('path');
@@ -57,4 +57,4 @@ if (child.status !== 0) {
   console.error('stdout:', child.stdout?.toString());
   console.error('stderr:', child.stderr?.toString());
 }
-assert.strictEqual(child.status, 0, 'Child process should exit with code 0');
+assert.strictEqual(child.status, 0);
diff --git a/test/parallel/test-permission-drop-fs-write.js b/test/parallel/test-permission-drop-fs-write.js
@@ -9,7 +9,6 @@ if (!isMainThread) {
 }
 
 const assert = require('assert');
-const fs = require('fs');
 
 {
   assert.ok(process.permission.has('fs.write'));

Original file line number	Diff line number	Diff line change
`@@ -15,8 +15,8 @@ void AddonPermission::Apply(Environment* env,`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`void AddonPermission::Drop(Environment* env,`
`18`		`- PermissionScope scope,`
`19`		`- const std::string_view& param) {`
	`18`	`+ PermissionScope scope,`
	`19`	`+ const std::string_view& param) {`
`20`	`20`	`deny_all_ = true;`
`21`	`21`	`}`
`22`	`22`
Original file line number	Diff line number	Diff line change
`@@ -16,8 +16,8 @@ void ChildProcessPermission::Apply(Environment* env,`
`16`	`16`	`}`
`17`	`17`
`18`	`18`	`void ChildProcessPermission::Drop(Environment* env,`
`19`		`- PermissionScope scope,`
`20`		`- const std::string_view& param) {`
	`19`	`+ PermissionScope scope,`
	`20`	`+ const std::string_view& param) {`
`21`	`21`	`deny_all_ = true;`
`22`	`22`	`}`
`23`	`23`
Original file line number	Diff line number	Diff line change
`@@ -15,8 +15,8 @@ void InspectorPermission::Apply(Environment* env,`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`void InspectorPermission::Drop(Environment* env,`
`18`		`- PermissionScope scope,`
`19`		`- const std::string_view& param) {`
	`18`	`+ PermissionScope scope,`
	`19`	`+ const std::string_view& param) {`
`20`	`20`	`deny_all_ = true;`
`21`	`21`	`}`
`22`	`22`
Original file line number	Diff line number	Diff line change
`@@ -14,8 +14,8 @@ void NetPermission::Apply(Environment* env,`
`14`	`14`	`}`
`15`	`15`
`16`	`16`	`void NetPermission::Drop(Environment* env,`
`17`		`- PermissionScope scope,`
`18`		`- const std::string_view& param) {`
	`17`	`+ PermissionScope scope,`
	`18`	`+ const std::string_view& param) {`
`19`	`19`	`allow_net_ = false;`
`20`	`20`	`}`
`21`	`21`
Original file line number	Diff line number	Diff line change
`@@ -16,8 +16,8 @@ void WASIPermission::Apply(Environment* env,`
`16`	`16`	`}`
`17`	`17`
`18`	`18`	`void WASIPermission::Drop(Environment* env,`
`19`		`- PermissionScope scope,`
`20`		`- const std::string_view& param) {`
	`19`	`+ PermissionScope scope,`
	`20`	`+ const std::string_view& param) {`
`21`	`21`	`deny_all_ = true;`
`22`	`22`	`}`
`23`	`23`
Original file line number	Diff line number	Diff line change
`@@ -16,8 +16,8 @@ void WorkerPermission::Apply(Environment* env,`
`16`	`16`	`}`
`17`	`17`
`18`	`18`	`void WorkerPermission::Drop(Environment* env,`
`19`		`- PermissionScope scope,`
`20`		`- const std::string_view& param) {`
	`19`	`+ PermissionScope scope,`
	`20`	`+ const std::string_view& param) {`
`21`	`21`	`deny_all_ = true;`
`22`	`22`	`}`
`23`	`23`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`'use strict';`
`2`	`2`
`3`		`-// Tests that drop() only revokes the exact resource that was explicitly granted.`
	`3`	`+require('../common');`
`4`	`4`
`5`	`5`	`const { spawnSync } = require('child_process');`
`6`	`6`	`const assert = require('assert');`
`@@ -9,8 +9,6 @@ const { isMainThread } = require('worker_threads');`
`9`	`9`	`if (!isMainThread) {`
`10`	`10`	`process.exit(0);`
`11`	`11`	`}`
`12`		`-`
`13`		`-require('../common');`
`14`	`12`	`const tmpdir = require('../common/tmpdir');`
`15`	`13`	`const fs = require('fs');`
`16`	`14`	`const path = require('path');`
`@@ -45,7 +43,7 @@ fs.writeFileSync(path.join(dir, 'item2.txt'), 'bbb');`
`45`	`43`	`if (child.status !== 0) {`
`46`	`44`	`console.error('Case 1 stderr:', child.stderr?.toString());`
`47`	`45`	`}`
`48`		`- assert.strictEqual(child.status, 0, 'Case 1 failed');`
	`46`	`+ assert.strictEqual(child.status, 0);`
`49`	`47`	`}`
`50`	`48`
`51`	`49`	`// Grant a directory, drop the same directory - should revoke all access`
`@@ -69,7 +67,7 @@ fs.writeFileSync(path.join(dir, 'item2.txt'), 'bbb');`
`69`	`67`	`if (child.status !== 0) {`
`70`	`68`	`console.error('Case 2 stderr:', child.stderr?.toString());`
`71`	`69`	`}`
`72`		`- assert.strictEqual(child.status, 0, 'Case 2 failed');`
	`70`	`+ assert.strictEqual(child.status, 0);`
`73`	`71`	`}`
`74`	`72`
`75`	`73`	`// Grant two directories, drop one - the other remains accessible`
`@@ -105,7 +103,7 @@ fs.writeFileSync(path.join(dir, 'item2.txt'), 'bbb');`
`105`	`103`	`if (child.status !== 0) {`
`106`	`104`	`console.error('Case 3 stderr:', child.stderr?.toString());`
`107`	`105`	`}`
`108`		`- assert.strictEqual(child.status, 0, 'Case 3 failed');`
	`106`	`+ assert.strictEqual(child.status, 0);`
`109`	`107`	`}`
`110`	`108`
`111`	`109`	`// Grant a directory and a file inside it separately, drop the file`
`@@ -132,7 +130,7 @@ fs.writeFileSync(path.join(dir, 'item2.txt'), 'bbb');`
`132`	`130`	`if (child.status !== 0) {`
`133`	`131`	`console.error('Case 4 stderr:', child.stderr?.toString());`
`134`	`132`	`}`
`135`		`- assert.strictEqual(child.status, 0, 'Case 4 failed');`
	`133`	`+ assert.strictEqual(child.status, 0);`
`136`	`134`	`}`
`137`	`135`
`138`	`136`	`// Drop entire scope without reference - revokes everything`
`@@ -156,5 +154,5 @@ fs.writeFileSync(path.join(dir, 'item2.txt'), 'bbb');`
`156`	`154`	`if (child.status !== 0) {`
`157`	`155`	`console.error('Case 5 stderr:', child.stderr?.toString());`
`158`	`156`	`}`
`159`		`- assert.strictEqual(child.status, 0, 'Case 5 failed');`
	`157`	`+ assert.strictEqual(child.status, 0);`
`160`	`158`	`}`