Fix field access control for default values

compose/service/record.go

@@ -493,7 +493,7 @@ func (svc record) create(ctx context.Context, new *types.Record) (rec *types.Rec
 		}
 	}
 
-	new.Values = RecordValueDefaults(m, new.Values)
+	new.Values = RecordValueDefaults(ctx, svc.ac, m, new.Values)
 
 	// Handle payload from automation scripts
 	if rve = svc.procCreate(ctx, svc.store, invokerID, m, new); !rve.IsValid() {
@@ -670,14 +670,20 @@ func RecordPreparer(ctx context.Context, s store.Storer, ss recordValuesSanitize
 	return nil
 }
 
-func RecordValueDefaults(m *types.Module, vv types.RecordValueSet) (out types.RecordValueSet) {
+func RecordValueDefaults(ctx context.Context, ac recordValueAccessController, m *types.Module, vv types.RecordValueSet) (out types.RecordValueSet) {
 	out = vv
 
 	for _, f := range m.Fields {
+		// ignore fields without default values
 		if f.DefaultValue == nil {
 			continue
 		}
 
+		// ignore fields where we don't have permissions
+		if ac != nil && !ac.CanUpdateRecordValue(ctx, f) {
+			continue
+		}
+
 		for i, dv := range f.DefaultValue {
 			// Default values on field are (might be) without field name and place
 			if !out.Has(f.Name, uint(i)) {
@@ -1305,7 +1311,7 @@ func (svc record) Iterator(ctx context.Context, f types.RecordFilter, fn eventbu
 					recordableAction = RecordActionIteratorClone
 
 					// Assign defaults (only on missing values)
-					rec.Values = RecordValueDefaults(m, rec.Values)
+					rec.Values = RecordValueDefaults(ctx, svc.ac, m, rec.Values)
 
 					// Handle payload from automation scripts
 					if rve := svc.procCreate(ctx, svc.store, invokerID, m, rec); !rve.IsValid() {

compose/service/record_test.go

@@ -84,7 +84,7 @@ func TestDefaultValueSetting(t *testing.T) {
 		}
 	)
 
-	out := RecordValueDefaults(mod, nil)
+	out := RecordValueDefaults(context.Background(), nil, mod, nil)
 	chk(out, "single", 0, "s")
 	chk(out, "multi", 0, "m1")
 	chk(out, "multi", 1, "m2")