Skip to content

fix: discover-tools usa permissao read + erros honestos (nao 503 mascarado)#23

Merged
gomessguii merged 1 commit into
developfrom
fix/mcp-discover-perm-and-honest-errors
Jul 10, 2026
Merged

fix: discover-tools usa permissao read + erros honestos (nao 503 mascarado)#23
gomessguii merged 1 commit into
developfrom
fix/mcp-discover-perm-and-honest-errors

Conversation

@DavidsonGomes

@DavidsonGomes DavidsonGomes commented Jul 10, 2026

Copy link
Copy Markdown
Member

Dois bugs que travavam criar Servidor MCP Personalizado (500):

  1. Permissao inexistente: custom-mcp-servers/discover-tools exigia ai_custom_mcp_servers.discover, que NAO existe no catalogo (resource_actions_config so tem read/create/update/delete/test) -> 403 pra todos, inclusive super_admin. discover-tools e uma LEITURA -> usa read.
  2. Erro mascarado: exception handlers chamavam error_response() sem o arg obrigatorio request -> TypeError pego pelo except Exception do middleware -> 503 generico escondendo o 403 real. Passa request.

Provado end-to-end: 503 -> 403 honesto -> 200.

Summary by Sourcery

Align custom MCP server tool discovery permissions with existing read action and fix error handling to return accurate HTTP errors instead of generic 503 responses.

Bug Fixes:

  • Use the existing ai_custom_mcp_servers read permission for the discover-tools endpoint to avoid invalid action 403s.
  • Pass the request object into exception handlers so HTTP and BaseAPI exceptions surface their real status codes instead of being masked as 503 errors.

…request

- custom-mcp-servers/discover-tools exigia a action 'discover' que NÃO existe no
  catálogo (resource_actions_config só tem read/create/update/delete/test) →
  403 pra TODOS, inclusive super_admin. discover-tools é uma LEITURA (enumera as
  tools) → usa 'read'.
- exception_handlers (http_exception_handler + base_api_exception_handler)
  chamavam error_response() SEM o 1º arg obrigatório 'request' → TypeError, que o
  EvoAuthMiddleware pegava no except Exception e convertia num 503 genérico,
  mascarando o 403/erro real. Passa request (já no escopo do handler).

Provado: discover-tools 503→403→200 end-to-end.
@sourcery-ai

sourcery-ai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Adjusts authorization for the custom MCP server discover-tools endpoint to use an existing read action and fixes exception handlers so HTTP/BaseAPI errors return accurate responses instead of being masked as generic 503s.

Sequence diagram for discover_tools authorization and error handling

sequenceDiagram
    actor User
    participant API as custom_mcp_servers_routes
    participant Auth as RequirePermission
    participant EH as http_exception_handler
    participant ER as error_response

    User->>API: POST create_discover_tools
    API->>Auth: RequirePermission(ai_custom_mcp_servers, read)
    alt permission granted
        Auth-->>API: None
        API-->>User: 200 DiscoverToolsResponse
    else permission denied
        Auth-->>API: raise HTTPException(status_code=403)
        API-->>EH: HTTPException
        EH->>ER: error_response(request, code, message, details)
        ER-->>User: 403 JSONResponse
    end
Loading

File-Level Changes

Change Details Files
Align discover-tools endpoint permission with existing read action so it no longer relies on a non-existent discover action.
  • Change RequirePermission action for ai_custom_mcp_servers discover-tools from a non-existent discover action to the existing read action.
  • Document in comments that discover-tools is a read operation and that the discover action is not present in resource_actions_config, explaining rationale and consistency with sibling endpoints.
src/api/custom_mcp_servers_routes.py
Fix exception handlers to pass the request object into error_response, preventing TypeError and ensuring correct HTTP error propagation.
  • Update http_exception_handler to pass the FastAPI Request object into error_response.
  • Update base_api_exception_handler to pass the FastAPI Request object into error_response.
  • By fixing the call signature, avoid TypeError being caught by middleware and turning specific errors (e.g., 403) into generic 503 responses.
src/core/exception_handlers.py

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • Now that error_response requires a request, double-check other callers to ensure they’re updated as well, or consider enforcing this via a typed interface to avoid future TypeErrors.
  • The new inline comments in create_discover_tools are in Portuguese; consider standardizing to the project’s primary language (likely English) for consistency and easier maintenance.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- Now that `error_response` requires a `request`, double-check other callers to ensure they’re updated as well, or consider enforcing this via a typed interface to avoid future TypeErrors.
- The new inline comments in `create_discover_tools` are in Portuguese; consider standardizing to the project’s primary language (likely English) for consistency and easier maintenance.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@gomessguii gomessguii merged commit cf3510d into develop Jul 10, 2026
4 checks passed
@gomessguii gomessguii deleted the fix/mcp-discover-perm-and-honest-errors branch July 10, 2026 22:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants