refactor: update connection:edit permissions to restrict table access

Artuomka · Artuomka · commit 0c42bc9d0c8e · 2026-03-19T12:02:07.000Z
diff --git a/backend/src/entities/cedar-authorization/cedar-permissions.service.ts b/backend/src/entities/cedar-authorization/cedar-permissions.service.ts
@@ -112,24 +112,6 @@ export class CedarPermissionsService implements IUserAccessRepository {
 			return [];
 		}
 
-		// If user has connection:edit, they get full access to all tables
-		const connEditEntities = buildCedarEntities(cognitoUserName, userGroups, connectionId);
-		const hasConnectionEdit = this.evaluatePolicies(
-			cognitoUserName, CedarAction.ConnectionEdit, CedarResourceType.Connection, connectionId, groupPolicies, connEditEntities,
-		);
-		if (hasConnectionEdit) {
-			return tableNames.map((tableName) => ({
-				tableName,
-				accessLevel: {
-					visibility: true,
-					readonly: false,
-					add: true,
-					delete: true,
-					edit: true,
-				},
-			}));
-		}
-
 		const actions = [CedarAction.TableRead, CedarAction.TableAdd, CedarAction.TableEdit, CedarAction.TableDelete];
 		const result: Array<ITablePermissionData> = [];
 
diff --git a/backend/test/ava-tests/saas-tests/saas-cedar-permissions-e2e.test.ts b/backend/test/ava-tests/saas-tests/saas-cedar-permissions-e2e.test.ts
@@ -1487,7 +1487,7 @@ test.serial(
 );
 
 test.serial(
-	`${currentTest} user with connection:edit should see all tables with full permissions via Cedar`,
+	`${currentTest} user with connection:edit but no table perms should see empty table list via Cedar`,
 	async (t) => {
 		try {
 			const testData = await createConnectionAndInviteUserWithConnectionEditOnly(app);
@@ -1504,13 +1504,9 @@ test.serial(
 				.set('Accept', 'application/json');
 			t.is(getTablesInConnection.status, 200);
 			const tables = JSON.parse(getTablesInConnection.text);
-			t.true(tables.length > 0);
+			// connection:edit does NOT grant table access — tables should be empty
 			const targetTable = tables.find((table: any) => table.table === firstTableInfo.testTableName);
-			t.truthy(targetTable);
-			t.is(targetTable.permissions.visibility, true);
-			t.is(targetTable.permissions.add, true);
-			t.is(targetTable.permissions.edit, true);
-			t.is(targetTable.permissions.delete, true);
+			t.is(targetTable, undefined);
 		} catch (e) {
 			console.error(e);
 			throw e;
