@cubejs-backend/testing 1.6.55 → 1.6.57

package/birdbox-fixtures/rbac/cube.js

@@ -279,6 +279,44 @@ module.exports = {
         },
       };
     }
+    // User matching only the full-access policy (with a row filter) on a cube
+    // that also has a separate, group-scoped masking policy the user is NOT in.
+    if (user === 'single_policy_measure_user') {
+      if (password && password !== 'single_policy_measure_password') {
+        throw new Error(`Password doesn't match for ${user}`);
+      }
+      return {
+        password,
+        superuser: false,
+        securityContext: {
+          auth: {
+            username: 'single_policy_measure_user',
+            userAttributes: {},
+            roles: [],
+            groups: ['spm_full_group'],
+          },
+        },
+      };
+    }
+    // User belonging to two groups whose access policies grant different
+    // members (member-level union across groups, no row_level filters).
+    if (user === 'multi_group_user') {
+      if (password && password !== 'multi_group_password') {
+        throw new Error(`Password doesn't match for ${user}`);
+      }
+      return {
+        password,
+        superuser: false,
+        securityContext: {
+          auth: {
+            username: 'multi_group_user',
+            userAttributes: {},
+            roles: [],
+            groups: ['mg_group_a', 'mg_group_c'],
+          },
+        },
+      };
+    }
     throw new Error(`User "${user}" doesn't exist`);
   }
 };

package/birdbox-fixtures/rbac/model/cubes/multi_group_test.yaml

@@ -0,0 +1,59 @@
+# Test view for validating multi-group member-level access union (CUB-2758).
+#
+# Two access policies, each matched by a different group, grant member-level
+# access to DIFFERENT members. Neither policy has a row_level filter, so row
+# access defaults to allow-all.
+#
+# A user that belongs to BOTH groups should see the UNION of member access:
+# querying member_a (granted by group mg_group_a) together with member_c
+# (granted by group mg_group_c) must return data.
+#
+# Before the fix, member-level access required a single policy to cover ALL
+# queried members, so a cross-policy query returned an empty (denied) result.
+
+cubes:
+  - name: multi_group_base
+    sql_table: public.line_items
+
+    dimensions:
+      - name: id
+        sql: id
+        type: number
+        primary_key: true
+
+      # Granted only by group mg_group_a
+      - name: member_a
+        sql: order_id
+        type: number
+
+      # Granted only by group mg_group_c
+      - name: member_c
+        sql: quantity
+        type: number
+
+    measures:
+      - name: count
+        type: count
+
+views:
+  - name: multi_group_test
+    cubes:
+      - join_path: multi_group_base
+        includes: "*"
+
+    access_policy:
+      # Group A: member_a (no row_level filter => allow-all rows)
+      - group: mg_group_a
+        member_level:
+          includes:
+            - id
+            - count
+            - member_a
+
+      # Group C: member_c (no row_level filter => allow-all rows)
+      - group: mg_group_c
+        member_level:
+          includes:
+            - id
+            - count
+            - member_c

package/birdbox-fixtures/rbac/model/cubes/single_policy_measure_test.yaml

@@ -0,0 +1,57 @@
+# Smoke test for: a single matching policy granting full (unmasked) access to a
+# measure, with a row-level filter, and NO group by.
+#
+# Two policies are defined:
+#   - spm_mask_group  → masks all members (member_masking)
+#   - spm_full_group  → full member access + row filter product_id <= 3
+#
+# The test user (single_policy_measure_user) belongs ONLY to spm_full_group, so
+# only the full-access policy matches. Because no matching policy masks the
+# measure, the masked measure must render its REAL aggregated value, and the
+# full-access policy's row-level filter must still be applied — even for a
+# measure-only query with no GROUP BY.
+
+cubes:
+  - name: single_policy_measure_test
+    sql_table: public.line_items
+
+    dimensions:
+      - name: id
+        sql: id
+        type: number
+        primary_key: true
+
+      - name: product_id
+        sql: product_id
+        type: number
+
+    measures:
+      # Carries a mask, but it is only masked when a masking policy matches.
+      - name: total_quantity
+        sql: quantity
+        type: sum
+        mask: -1
+
+      # Used to assert the row-level filter is applied (max <= 3 when filtered).
+      - name: max_product_id
+        sql: product_id
+        type: max
+
+    access_policy:
+      # Masking policy — targets a group the test user is NOT in.
+      - group: spm_mask_group
+        member_level:
+          includes: []
+        member_masking:
+          includes: "*"
+
+      # Full-access policy with a row filter — the test user IS in this group.
+      - group: spm_full_group
+        member_level:
+          includes: "*"
+        row_level:
+          filters:
+            - member: product_id
+              operator: lte
+              values:
+                - "3"

package/birdbox-fixtures/rbac/model/views/views.yaml

@@ -35,3 +35,22 @@ views:
           includes: "*"
         row_level:
           allow_all: true
+
+  # Two-layer row-level filtering: the underlying `orders` cube restricts rows
+  # to id IN {1, 10, 11} (role "*" → id = 1, role admin → id = 10 OR id = 11),
+  # while this view adds its own row filter id < 11. A row must satisfy BOTH
+  # the cube policy AND the view policy, so the result is id IN {1, 10}.
+  - name: orders_two_layer_test
+    cubes:
+      - join_path: orders
+        includes: "*"
+    access_policy:
+      - role: "*"
+        member_level:
+          includes: "*"
+        row_level:
+          filters:
+            - member: id
+              operator: lt
+              values:
+                - "11"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cubejs-backend/testing",
-  "version": "1.6.55",
+  "version": "1.6.57",
   "description": "Cube.js e2e tests",
   "author": "Cube Dev, Inc.",
   "repository": {
@@ -102,15 +102,15 @@
     "birdbox-fixtures"
   ],
   "dependencies": {
-    "@cubejs-backend/cubestore-driver": "1.6.55",
+    "@cubejs-backend/cubestore-driver": "1.6.57",
     "@cubejs-backend/dotenv": "^9.0.2",
-    "@cubejs-backend/ksql-driver": "1.6.55",
-    "@cubejs-backend/postgres-driver": "1.6.55",
-    "@cubejs-backend/query-orchestrator": "1.6.55",
-    "@cubejs-backend/schema-compiler": "1.6.55",
-    "@cubejs-backend/shared": "1.6.55",
-    "@cubejs-backend/testing-shared": "1.6.55",
-    "@cubejs-client/ws-transport": "1.6.55",
+    "@cubejs-backend/ksql-driver": "1.6.57",
+    "@cubejs-backend/postgres-driver": "1.6.57",
+    "@cubejs-backend/query-orchestrator": "1.6.57",
+    "@cubejs-backend/schema-compiler": "1.6.57",
+    "@cubejs-backend/shared": "1.6.57",
+    "@cubejs-backend/testing-shared": "1.6.57",
+    "@cubejs-client/ws-transport": "1.6.57",
     "dedent": "^0.7.0",
     "fs-extra": "^8.1.0",
     "http-proxy": "^1.18.1",
@@ -121,8 +121,8 @@
   },
   "devDependencies": {
     "@4tw/cypress-drag-drop": "^1.6.0",
-    "@cubejs-backend/linter": "1.6.55",
-    "@cubejs-client/core": "1.6.55",
+    "@cubejs-backend/linter": "1.6.57",
+    "@cubejs-client/core": "1.6.57",
     "@jest/globals": "^29",
     "@types/dedent": "^0.7.0",
     "@types/http-proxy": "^1.17.5",
@@ -148,5 +148,5 @@
   "eslintConfig": {
     "extends": "../cubejs-linter"
   },
-  "gitHead": "0d6393b29b6b348a9ab2527d6c5b72203f14dad1"
+  "gitHead": "5f4674f6536b0e2e82f4445bfbc5f47450266256"
 }