From 009754ee6786b532ae7ee19f406d11a4a38a90e0 Mon Sep 17 00:00:00 2001
From: Pedro
Date: Thu, 30 May 2024 16:06:32 +0100
Subject: [PATCH] Basic Auth bug fix & test fixes. (#266)
**Description:** Basic Auth bug fix & test fix. `request.url.path` would return the absolute path f.e.: `/collections/test-collection` `request.scope.get("route").path` returns `/collections/{collection_id}` which is correct for matching permissions
**PR Checklist:**
- [x] Code is formatted and linted (run `pre-commit run --all-files`)
- [x] Tests pass (run `make test`)
- [x] Documentation has been updated to reflect changes, if applicable
- [x] Changes are added to the changelog
---------
Co-authored-by: Jonathan Healy
---
 CHANGELOG.md | 1 +
 stac_fastapi/core/stac_fastapi/core/basic_auth.py | 2 +-
 stac_fastapi/tests/basic_auth/test_basic_auth.py | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9656f5bf..a88e32a1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Fixed
 - API sort extension tests [#264](https://github.com/stac-utils/stac-fastapi-elasticsearch-opensearch/pull/264)
+- Basic auth permission fix for checking route path instead of absolute path [#266](https://github.com/stac-utils/stac-fastapi-elasticsearch-opensearch/pull/266)
 ## [v3.0.0a1]
diff --git a/stac_fastapi/core/stac_fastapi/core/basic_auth.py b/stac_fastapi/core/stac_fastapi/core/basic_auth.py
index c504978d..e9964b62 100644
--- a/stac_fastapi/core/stac_fastapi/core/basic_auth.py
+++ b/stac_fastapi/core/stac_fastapi/core/basic_auth.py
@@ -61,7 +61,7 @@ def has_access(
 )
 permissions = user.get("permissions", [])
- path = request.url.path
+ path = request.scope.get("route").path
 method = request.method
 if permissions == "*":
diff --git a/stac_fastapi/tests/basic_auth/test_basic_auth.py b/stac_fastapi/tests/basic_auth/test_basic_auth.py
index 0515364b..95be59ee 100644
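Review bot: In `has_access` (basic_auth.py), `request.scope.get("route").path` dereferences the result of `.get()` without checking it, so if this dependency ever runs where no `route` entry is in the scope (for example when attached outside a matched route, which the hunk does not show), the authorization check raises AttributeError and surfaces as a 500 instead of a clean denial. Consider `route = request.scope.get("route")` followed by `path = getattr(route, "path", None)`, and reject the request when `path` is None so the check fails closed explicitly. Matching on the route template also means a permission entry written with a concrete path such as `/collections/test-collection` presumably stops matching, which is worth stating in the configuration docs. The body of `has_access` starts and ends outside this hunk, so the comparison logic itself is not visible here.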
--- a/stac_fastapi/tests/basic_auth/test_basic_auth.py
+++ b/stac_fastapi/tests/basic_auth/test_basic_auth.py
@@ -74,7 +74,7 @@ async def test_delete_resource_insufficient_permissions(app_client_basic_auth, c
 assert response.status_code == 403
 assert response.json() == {
- "detail": "Insufficient permissions for [DELETE /collections/test-collection]"
+ "detail": "Insufficient permissions for [DELETE /collections/{collection_id}]"
 }
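Review bot: The only test change here is the expected 403 message, so the behaviour this commit fixes, a user whose permission is declared on `/collections/{collection_id}` being allowed through on a concrete collection URL, is not pinned by anything visible in this hunk. A positive case that sends an allowed method to `/collections/test-collection` as such a user and asserts the status is not 403 would keep the route-template matching from regressing silently. The test function starts above the hunk, so the existing fixtures and users are not visible from here.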