Fix restrict-access to not restrict within same package (#11014)

dbt-labs · Nov 21, 2024 · ae95759 · ae95759
1 parent f080346
commit ae95759
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 1 deletion.
diff --git a/.changes/unreleased/Fixes-20241119-162338.yaml b/.changes/unreleased/Fixes-20241119-162338.yaml
@@ -0,0 +1,6 @@
+kind: Fixes
+body: Fix restrict-access to not apply within a package
+time: 2024-11-19T16:23:38.144589-05:00
+custom:
+  Author: gshank
+  Issue: "10134"
diff --git a/core/dbt/contracts/graph/manifest.py b/core/dbt/contracts/graph/manifest.py
@@ -1505,8 +1505,10 @@ def is_invalid_private_ref(
         return is_private_ref and (
             not hasattr(node, "group")
             or not node.group
+            # Invalid reference because group does not match
             or node.group != target_model.group
-            or restrict_package_access
+            # Or, invalid because these are different namespaces (project/package) and restrict-access is enforced
+            or (node.package_name != target_model.package_name and restrict_package_access)
         )
 
     def is_invalid_protected_ref(

diff --git a/tests/functional/access/test_access.py b/tests/functional/access/test_access.py
@@ -470,3 +470,48 @@ def test_dbt_project_access_config(self, project):
         assert model_two.access == AccessType.Private
         assert model_three.group == "marts"
         assert model_three.access == AccessType.Public
+
+
+models_yml = """
+models:
+  - name: accounts
+    description: >
+      All accounts with whom we have done business. This is a very sensitive asset.
+    access: private
+    group: sales
+
+    columns:
+      - name: name
+        description: Name of the account.
+        tests:
+          - not_null
+          - unique
+
+groups:
+  - name: sales
+    owner:
+      name: sales_owner
+"""
+
+accounts_sql = """
+select 'Jane' as name
+"""
+
+
+class TestGenericTestRestrictAccess:
+    @pytest.fixture(scope="class")
+    def models(self):
+        return {
+            "models.yml": models_yml,
+            "accounts.sql": accounts_sql,
+        }
+
+    @pytest.fixture(scope="class")
+    def project_config_update(self):
+        return {
+            "restrict-access": True,
+        }
+
+    def test_generic_tests(self, project):
+        run_dbt(["run"])
+        run_dbt(["test"])