version 0.1.3.16 Do not override deeper Permit's

.github/workflows/haskell-ci.yml

@@ -8,9 +8,9 @@
 #
 # For more information, see https://github.com/haskell-CI/haskell-ci
 #
-# version: 0.16.3
+# version: 0.19.20250315
 #
-# REGENDATA ("0.16.3",["github","cabal.project"])
+# REGENDATA ("0.19.20250315",["github","cabal.project"])
 #
 name: Haskell-CI
 on:
@@ -23,28 +23,33 @@ on:
 jobs:
   linux:
     name: Haskell-CI - Linux - ${{ matrix.compiler }}
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes:
       60
     container:
-      image: buildpack-deps:bionic
+      image: buildpack-deps:jammy
     continue-on-error: ${{ matrix.allow-failure }}
     strategy:
       matrix:
         include:
-          - compiler: ghc-9.6.2
+          - compiler: ghc-9.8.4
             compilerKind: ghc
-            compilerVersion: 9.6.2
+            compilerVersion: 9.8.4
             setup-method: ghcup
             allow-failure: true
-          - compiler: ghc-9.4.5
+          - compiler: ghc-9.6.6
             compilerKind: ghc
-            compilerVersion: 9.4.5
+            compilerVersion: 9.6.6
             setup-method: ghcup
             allow-failure: true
-          - compiler: ghc-9.2.7
+          - compiler: ghc-9.4.8
             compilerKind: ghc
-            compilerVersion: 9.2.7
+            compilerVersion: 9.4.8
+            setup-method: ghcup
+            allow-failure: true
+          - compiler: ghc-9.2.8
+            compilerKind: ghc
+            compilerVersion: 9.2.8
             setup-method: ghcup
             allow-failure: true
           - compiler: ghc-9.0.2
@@ -59,15 +64,29 @@ jobs:
             allow-failure: false
       fail-fast: false
     steps:
-      - name: apt
+      - name: apt-get install
         run: |
           apt-get update
           apt-get install -y --no-install-recommends gnupg ca-certificates dirmngr curl git software-properties-common libtinfo5
+      - name: Install GHCup
+        run: |
           mkdir -p "$HOME/.ghcup/bin"
-          curl -sL https://downloads.haskell.org/ghcup/0.1.19.2/x86_64-linux-ghcup-0.1.19.2 > "$HOME/.ghcup/bin/ghcup"
+          curl -sL https://downloads.haskell.org/ghcup/0.1.40.0/x86_64-linux-ghcup-0.1.40.0 > "$HOME/.ghcup/bin/ghcup"
           chmod a+x "$HOME/.ghcup/bin/ghcup"
+      - name: Install cabal-install
+        run: |
+          "$HOME/.ghcup/bin/ghcup" install cabal 3.12.1.0 || (cat "$HOME"/.ghcup/logs/*.* && false)
+          echo "CABAL=$HOME/.ghcup/bin/cabal-3.12.1.0 -vnormal+nowrap" >> "$GITHUB_ENV"
+      - name: Install GHC (GHCup)
+        if: matrix.setup-method == 'ghcup'
+        run: |
           "$HOME/.ghcup/bin/ghcup" install ghc "$HCVER" || (cat "$HOME"/.ghcup/logs/*.* && false)
-          "$HOME/.ghcup/bin/ghcup" install cabal 3.10.1.0 || (cat "$HOME"/.ghcup/logs/*.* && false)
+          HC=$("$HOME/.ghcup/bin/ghcup" whereis ghc "$HCVER")
+          HCPKG=$(echo "$HC" | sed 's#ghc$#ghc-pkg#')
+          HADDOCK=$(echo "$HC" | sed 's#ghc$#haddock#')
+          echo "HC=$HC" >> "$GITHUB_ENV"
+          echo "HCPKG=$HCPKG" >> "$GITHUB_ENV"
+          echo "HADDOCK=$HADDOCK" >> "$GITHUB_ENV"
         env:
           HCKIND: ${{ matrix.compilerKind }}
           HCNAME: ${{ matrix.compiler }}
@@ -78,19 +97,12 @@ jobs:
           echo "LANG=C.UTF-8" >> "$GITHUB_ENV"
           echo "CABAL_DIR=$HOME/.cabal" >> "$GITHUB_ENV"
           echo "CABAL_CONFIG=$HOME/.cabal/config" >> "$GITHUB_ENV"
-          HCDIR=/opt/$HCKIND/$HCVER
-          HC=$HOME/.ghcup/bin/$HCKIND-$HCVER
-          echo "HC=$HC" >> "$GITHUB_ENV"
-          echo "HCPKG=$HOME/.ghcup/bin/$HCKIND-pkg-$HCVER" >> "$GITHUB_ENV"
-          echo "HADDOCK=$HOME/.ghcup/bin/haddock-$HCVER" >> "$GITHUB_ENV"
-          echo "CABAL=$HOME/.ghcup/bin/cabal-3.10.1.0 -vnormal+nowrap" >> "$GITHUB_ENV"
           HCNUMVER=$(${HC} --numeric-version|perl -ne '/^(\d+)\.(\d+)\.(\d+)(\.(\d+))?$/; print(10000 * $1 + 100 * $2 + ($3 == 0 ? $5 != 1 : $3))')
           echo "HCNUMVER=$HCNUMVER" >> "$GITHUB_ENV"
           echo "ARG_TESTS=--enable-tests" >> "$GITHUB_ENV"
           echo "ARG_BENCH=--enable-benchmarks" >> "$GITHUB_ENV"
           echo "HEADHACKAGE=false" >> "$GITHUB_ENV"
           echo "ARG_COMPILER=--$HCKIND --with-compiler=$HC" >> "$GITHUB_ENV"
-          echo "GHCJSARITH=0" >> "$GITHUB_ENV"
         env:
           HCKIND: ${{ matrix.compilerKind }}
           HCNAME: ${{ matrix.compiler }}
@@ -140,7 +152,7 @@ jobs:
           chmod a+x $HOME/.cabal/bin/cabal-plan
           cabal-plan --version
       - name: checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: source
       - name: initial cabal.project for sdist
@@ -175,15 +187,10 @@ jobs:
             location: https://github.com/biocad/bcd-log
             tag:      16808faa4db0d3d94ff4006c5ca88691551ebe40
 
-          source-repository-package
-            type:     git
-            location: https://github.com/biocad/openid-connect.git
-            tag:      fd2a7dd8cf518bfa90ea5111e09d88069630563a
-
           source-repository-package
             type:     git
             location: https://github.com/maksbotan/generic-override.git
-            tag:      a91ca0b369a668db71a22c118f4b0e546c4cb8d2
+            tag:      79432eaa084705d6ac3f5b877287a74815a8eb71
             subdir:   generic-override
 
           source-repository-package
@@ -192,15 +199,15 @@ jobs:
             tag:      79432eaa084705d6ac3f5b877287a74815a8eb71
             subdir:   generic-override-aeson
           EOF
-          $HCPKG list --simple-output --names-only | perl -ne 'for (split /\s+/) { print "constraints: $_ installed\n" unless /^(web-template)$/; }' >> cabal.project.local
+          $HCPKG list --simple-output --names-only | perl -ne 'for (split /\s+/) { print "constraints: any.$_ installed\n" unless /^(web-template)$/; }' >> cabal.project.local
           cat cabal.project
           cat cabal.project.local
       - name: dump install plan
         run: |
           $CABAL v2-build $ARG_COMPILER $ARG_TESTS $ARG_BENCH --dry-run all
           cabal-plan
       - name: restore cache
-        uses: actions/cache/restore@v3
+        uses: actions/cache/restore@v4
         with:
           key: ${{ runner.os }}-${{ matrix.compiler }}-${{ github.sha }}
           path: ~/.cabal/store
@@ -227,8 +234,8 @@ jobs:
           rm -f cabal.project.local
           $CABAL v2-build $ARG_COMPILER --disable-tests --disable-benchmarks all
       - name: save cache
-        uses: actions/cache/save@v3
         if: always()
+        uses: actions/cache/save@v4
         with:
           key: ${{ runner.os }}-${{ matrix.compiler }}-${{ github.sha }}
           path: ~/.cabal/store

CHANGELOG.md

@@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.1.3.16] - 2025-03-27
+### Changed
+- `Permit` does not overwrite 403 response description of deeper layers.
+
 ## [0.1.3.15] - 2023-11-20
 ### Changed
 - `WithDescription` does not clash between different fields with the same type.

cabal.project

@@ -10,18 +10,12 @@ source-repository-package
   tag: 16808faa4db0d3d94ff4006c5ca88691551ebe40
   --sha256: E/VW3Xb7Nvefle2QkTckuWn8QB2YhbBCEBVO2y/xcbo=
 
-source-repository-package
-  type: git
-  location: https://github.com/biocad/openid-connect.git
-  tag: fd2a7dd8cf518bfa90ea5111e09d88069630563a
-  --sha256: 1yz04a0y88652dfd1rgswf2qm7g3wxvc52931d0l60xy4awjj536
-
 source-repository-package
   type: git
   location: https://github.com/maksbotan/generic-override.git
-  tag: a91ca0b369a668db71a22c118f4b0e546c4cb8d2
+  tag: 79432eaa084705d6ac3f5b877287a74815a8eb71
   subdir: generic-override
-  --sha256: 0bhqnz36l8a1fyh63r5fr1v6mav7ri1s7xsysvdjlm0qq7mndpgf
+  --sha256: 1qqb39lw71q7637bh2xpdcxrkyh9r6r55z2xmkgcgbwvx0wi5l9l
 
 source-repository-package
   type: git

src/Web/Template/Servant/Auth.hs

@@ -5,6 +5,9 @@
 {-# LANGUAGE ScopedTypeVariables #-}
 {-# LANGUAGE TemplateHaskell     #-}
 
+-- unregisteredClaims is deprecated in jose, we don't want to fix that now.
+{-# OPTIONS_GHC -Wno-deprecations #-}
+
 module Web.Template.Servant.Auth
   ( CbdAuth
   , OIDCAuth
@@ -54,7 +57,7 @@ import           Data.OpenApi.Internal          (ApiKeyLocation (..), ApiKeyPara
                                                  SecurityRequirement (..), SecurityScheme (..),
                                                  SecuritySchemeType (..))
 import           Data.OpenApi.Lens              (components, description, security, securitySchemes)
-import           Data.OpenApi.Operation         (allOperations, setResponse)
+import           Data.OpenApi.Operation         (allOperations, setResponse, setResponseWith)
 import qualified Data.Text                      as T
 import           Data.Time.Clock                (NominalDiffTime, UTCTime, addUTCTime, diffUTCTime,
                                                  getCurrentTime, nominalDiffTimeToSeconds)
@@ -370,7 +373,10 @@ instance ( HasOpenApi api
          , KnownSymbols roles
          ) => HasOpenApi (Permit roles :> api) where
   toOpenApi _ = toOpenApi @api Proxy
-    & setResponse 403 (return $ mempty & description .~ descr)
+    -- If there is already 'Permit' on deeper API levels with 403 response,
+    -- we should not override it. It may have stricter restrictions, that
+    -- need to be represented in Swagger.
+    & setResponseWith const 403 (return $ mempty & description .~ descr)
     where
       descr = "Action not permitted. Allowed for: "
         <> intercalate ", " (symbolsVal (Proxy :: Proxy roles))
@@ -406,7 +412,11 @@ unauth500 = delayedFailFatal $ err500
   }
 
 swaggerUiIndexBCDTemplate :: Text
+#if MIN_VERSION_file_embed_lzma(0,1,0)
+swaggerUiIndexBCDTemplate = $$(embedText "index.html.tmpl")
+#else
 swaggerUiIndexBCDTemplate = $(embedText "index.html.tmpl")
+#endif
 
 -- | Version of 'Servant.Swagger.UI.swaggerSchemaUIServer' that uses
 -- our @index.html@ template to enable PKCE auth flow and prefill

web-template.cabal

@@ -1,5 +1,5 @@
 name:                web-template
-version:             0.1.3.15
+version:             0.1.3.16
 synopsis:            Web template
 description:
             Web template includes:
@@ -22,9 +22,10 @@ cabal-version:       >=1.10
 tested-with:
   GHC ==8.10.7
    || ==9.0.2
-   || ==9.2.7
-   || ==9.4.5
-   || ==9.6.2
+   || ==9.2.8
+   || ==9.4.8
+   || ==9.6.6
+   || ==9.8.4
 
 library
   hs-source-dirs:      src