Fix restrict-access to not restrict within same package (#11014)

2024-11-20 19:05:54 -05:00
parent f080346227
commit ae957599e1
3 changed files with 54 additions and 1 deletions
--- a/.changes/unreleased/Fixes-20241119-162338.yaml
+++ b/.changes/unreleased/Fixes-20241119-162338.yaml
@@ -0,0 +1,6 @@
+kind: Fixes
+body: Fix restrict-access to not apply within a package
+time: 2024-11-19T16:23:38.144589-05:00
+custom:
+  Author: gshank
+  Issue: "10134"
--- a/core/dbt/contracts/graph/manifest.py
+++ b/core/dbt/contracts/graph/manifest.py
@@ -1505,8 +1505,10 @@ class Manifest(MacroMethods, dbtClassMixin):
        return is_private_ref and (
            not hasattr(node, "group")
            or not node.group
+            # Invalid reference because group does not match
            or node.group != target_model.group
-            or restrict_package_access
+            # Or, invalid because these are different namespaces (project/package) and restrict-access is enforced
+            or (node.package_name != target_model.package_name and restrict_package_access)
        )

    def is_invalid_protected_ref(
--- a/tests/functional/access/test_access.py
+++ b/tests/functional/access/test_access.py
@@ -470,3 +470,48 @@ class TestAccessDbtProjectConfig:
        assert model_two.access == AccessType.Private
        assert model_three.group == "marts"
        assert model_three.access == AccessType.Public
+
+
+models_yml = """
+models:
+  - name: accounts
+    description: >
+      All accounts with whom we have done business. This is a very sensitive asset.
+    access: private
+    group: sales
+
+    columns:
+      - name: name
+        description: Name of the account.
+        tests:
+          - not_null
+          - unique
+
+groups:
+  - name: sales
+    owner:
+      name: sales_owner
+"""
+
+accounts_sql = """
+select 'Jane' as name
+"""
+
+
+class TestGenericTestRestrictAccess:
+    @pytest.fixture(scope="class")
+    def models(self):
+        return {
+            "models.yml": models_yml,
+            "accounts.sql": accounts_sql,
+        }
+
+    @pytest.fixture(scope="class")
+    def project_config_update(self):
+        return {
+            "restrict-access": True,
+        }
+
+    def test_generic_tests(self, project):
+        run_dbt(["run"])
+        run_dbt(["test"])