jtschladen / lemur / 26921906730
61%
main: 61%

LAST BUILD BRANCH: jschladen/fix-test-failures-post-ghsa
DEFAULT BRANCH: main
Ran 04 Jun 2026 12:32AM UTC
Jobs 1
Files 13
Run time 1min
04 Jun 2026 12:26AM UTC coverage: 60.861%. First build
26921906730

push

github

jtschladen
fix: block read-only users from write ops without requiring admin/operator

The GHSA-qcqw-jwxc-2hqg fix changed LEMUR_STRICT_ROLE_ENFORCEMENT to
default True, which correctly closed the empty-needs Flask-Principal
bypass but broke normal cert issuance, uploads, and notification
management for users with custom group roles.

The actual vulnerability was read-only users bypassing write checks.
Fix StrictRolePermission.allows() to explicitly deny identities with
the read-only role when strict mode is off, rather than requiring
admin/operator for all write operations. Revert the default back to
False and apply the same default revert in users/service.py.

ADMIN_ONLY_AUTHORITY_CREATION remains True — authority creation is
genuinely an admin action.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

594 of 976 relevant lines covered (60.86%)

0.61 hits per line

Jobs
ID Job ID Ran Files Coverage
1 Python 3.11 Postgres 17 OS ubuntu-22.04 - 26921906730.1 04 Jun 2026 12:32AM UTC 13 60.86
  • Github Actions Build #26921906730
  • 293c7579 on github
  • Next Build on jschladen/fix-test-user-service-lint (#26923379791)