Fix/rbac create sibling hardening

[bhudevbhanpuriya]

Summary

This PR is a follow-up to the sensor-create RBAC hardening work and extends the same authorization pattern to sibling create endpoints for consistency.

It ensures that all related create routes enforce explicit RBAC checks at the API layer before entering write flows.

---

Previous Work

This change builds on the prior PR:

• Sensor create RBAC hardening (fix/rbac-sensor-create-hardening)

---

Why This Follow-up

The previous PR fixed the primary access control gap for sensor creation.

However, similar create endpoints could still allow inconsistent behavior if not explicitly protected.
This PR applies the same deny-first RBAC model across sibling endpoints to prevent bypass via alternate write paths.

---

What this do Actually

sequenceDiagram
    title Follow-up RBAC Hardening Across Create Endpoints

    participant U as User (Viewer)
    participant Sensor as Sensor Endpoint (Fixed in previous PR)
    participant Others as Other Create Endpoints (Datastream / FoI / etc.)
    participant RBAC as RBAC Check
    participant DB as Database

    U->>Sensor: POST /Sensors
    Sensor->>RBAC: Check CREATE_SENSOR
    RBAC-->>Sensor: Denied
    Sensor-->>U: 403 Forbidden ✅

    Note over Others: Before this PR\nNo consistent RBAC enforcement

    U->>Others: POST /Datastream / FoI / etc.
    Others->>DB: Insert Entity
    Others-->>U: 201 Created ❌

    Note over Others: After this PR\nSame RBAC pattern applied

    U->>Others: POST /Datastream / FoI / etc.
    Others->>RBAC: Check CREATE permission
    RBAC-->>Others: Denied
    Others-->>U: 403 Forbidden ✅

Loading

---

Changes

• Added API-layer deny checks for low-privilege roles (e.g., viewer) on sibling create endpoints
• Enforced early authorization before any role-switch or database write logic
• Applied a consistent deny-first RBAC pattern across related handlers
• Added regression tests for both deny and allow scenarios

Updated Endpoints

• datastream.py
• observed_property.py
• feature_of_interest.py
• sensor.py

New Tests

• test_create_sibling_rbac.py

---

Security Impact

• Prevents low-privilege users from accessing create write paths on sibling endpoints
• Eliminates inconsistencies in RBAC enforcement across related routes
• Strengthens defense-in-depth by enforcing authorization at the API layer in addition to DB-level controls

---

Testing

• Added focused regression tests covering:
  • viewer role → denied
  • permitted roles → allowed
• Verified modified code paths compile cleanly
• Note: local test execution requires pytest

---

Compatibility

• No API schema changes
• No impact on authorized users
• Unauthorized viewer behavior is now consistently denied earlier in the request lifecycle

---

Reviewer Notes

This PR is intentionally scoped as a stacked follow-up to the sensor-create RBAC fix to:

• keep changes focused
• simplify review
• ensure incremental hardening of RBAC across endpoints

---

Solves #119 with improvisation

[ClaudioPrimerano]

Hi @bhudevbhanpuriya, this looks incomplete to me. The new DENIED_CREATOR_ROLES check has been added here, but the same endpoint-level authorization gap may still exist for other creator endpoints/entities as well, such as Thing, Observation, etc. If this PR is meant to fix the broader access control issue, those paths should probably be updated too.

[bhudevbhanpuriya]

hi @ClaudioPrimerano, thanks for the thorough review!

you're absolutely right , Thing, Observation , and any other creator endpoints with the same pattern should receive the same hardening. This PR was intentionally scoped as an incremental step (stacked on top of #120) to keep each change reviewable in isolation, but I should have been clearer that it doesn't claim to be a complete fix.

[bhudevbhanpuriya]

i’ve addressed this in the latest push (commit 23b4ce1).
the PR now extends the RBAC checks across all create endpoints, including Sensors, Datastreams, FeaturesOfInterest, ObservedProperties, Things, Observations, Locations, Networks, HistoricalLocations, and bulk/create observation flows.

also added:
DENIED_CREATOR_ROLES = {"viewer"} in rbac_roles.py
check_create_permission() helper for consistent enforcement
Unit tests in test_rbac_roles.py

all create paths now enforce role checks before entering write transactions.

this PR was initially scoped as an incremental step, but i’ve now expanded it to cover all create endpoints.

let me know if anything still needs adjustment.