fix(authz): close DeleteMembership authorization bypass

[matiasinsaurralde]

Closes PFM-6498

Summary

• Add explicit ServerOperationsMap entries for OrganizationService/DeleteMembership and UpdateMembership, requiring org admin/owner membership-management policies.
• Introduce PolicyOrganizationMembershipsDelete and PolicyOrganizationMembershipsUpdate and grant them to RoleAdmin and RoleOwner.
• Prevents any org member (including viewers) from removing or updating other members via the unanchored regex match on the empty OrganizationService/Delete policy.

[cubic-dev-ai]

1 issue found across 2 files

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[migmartri]

Are you sure that there is no check at the service level for this?

[chainloop-platform]

AI Session Analysis

Avg score	Sessions	Failing policies	Attribution	Files	Lines	Total Duration
🟢 89%	1	✅ 0	100% AI / 0% Human	1	+16 / -0	1m58s

🟢 89% — 100% AI — ✅ All policies passing

Jun 26, 2026 12:40 UTC · 1m58s · $1.19 · 13.5k in / 7.5k out · claude-code 2.1.193 (claude-opus-4-8)

View session details ↗

Change Summary

• Validates the reviewer comment against the authz fix and existing tests.
• Adds TestViewerDeniedUpdateMembership in middleware_test.go, mirroring the delete case.
• Runs focused go test for viewer-denied middleware coverage and commits the new test without pushing.

AI Session Overall Score

🟢 89% — Focused session with solid execution; only verification lacked explicit user confirmation.

AI Session Analysis Breakdown

🟢 97% · scope-discipline

🟢 AI changed only middleware_test.go for the requested follow-up. · High Impact

🟢 96% · alignment

No notes.

🟢 92% · solution-quality

🟢 The AI mirrored the existing delete test instead of inventing a new pattern. · High Impact

🟢 90% · context-and-planning

No notes.

🟢 88% · user-trust-signal

No notes.

🟡 79% · verification

🟢 AI ran go test and observed both viewer-denied cases pass. · High Impact

🟡 No post-commit user confirmation arrived after the test run and commit. · Low Severity

---

File Attribution

████████████████████ 100% AI / 0% Human

Status	Attribution	File	Lines
modified	ai	app/controlplane/pkg/authz/middleware/middleware_test.go	+16 / -0

---

Policies (4)

Status	Policy	Material	Messages
✅ Passed	ai-config-ai-agents-allowed	ai-coding-session-74ffb9	-
✅ Passed	ai-config-no-dangerous-commands	ai-coding-session-74ffb9	-
✅ Passed	ai-config-no-secrets	ai-coding-session-74ffb9	-
✅ Passed	ai-config-mcp-servers-allowed	ai-coding-session-74ffb9	-

---

Powered by Chainloop and Chainloop Trace

[matiasinsaurralde]

Are you sure that there is no check at the service level for this?

The service handler calls straight into the biz layer with no caller-authz check, and the only biz check (enforceManageOwners) fires solely when the target is an owner. For non-owner targets the authz middleware was the only gate, which is exactly where the bypass was. UpdateMembership was ok though:

• DeleteMembership — the key OrganizationService/Delete exists as an empty {} entry (authz.go, main), and "…/Delete" is a prefix of "…/DeleteMembership", so the regex matched it → returned an empty policy list → the enforcement loop ran zero checks → allowed. That's the bypass.
• UpdateMembership — there is no OrganizationService/Update key to collide with (only Create/Delete/ListMemberships exist), so nothing matched → policiesLookup returned errors.New("operation not allowed") → checkPolicies returned Forbidden → denied.

There's also a demo on the ticket.

[migmartri]

Thanks