fix: proposals._guard_repo_owner must allow write/admin collaborators
aaronrene (a write collaborator, and the proposal's own author) got a 403 trying to assign gabriel as reviewer on his own MP. Root cause: proposals.py had its own, weaker, sync-only _guard_repo_owner that only checked literal ownership -- unlike issues.py's collaborator-aware version, which already correctly allows the owner OR an accepted write/admin collaborator.
This guard is shared by three endpoints: request reviewers, remove reviewer, and merge proposal. All three now consistently allow write/admin collaborators, matching the permission model already established in issues.py and matching what a write collaborator is already trusted to do elsewhere (push branches, open proposals, comment).
TDD: added TestProposalsGuardRepoOwner to tests/test_auth_authorization.py (4 tests, red-first -- the sync 2-arg signature couldn't even be awaited) plus a missing test_write_collaborator_allowed case for issues.py's own guard (pre-existing gap: that suite only tested the no-collaborator path).
Full regression: 335 passed across the proposal test suites, no other callers affected.
Semantic Changes
13 symbols
0 comments
muse hub commit comment sha256:72d67593a767709c51c82c02adf59cd71e7dcf3c818b5b4f55b53566f0f829b9 --body "your comment"
No comments yet. Be the first to start the discussion.