Check read permissions for regressor sensors when triggering forecasts

[Copilot]

The POST /<sensor>/forecasts/trigger endpoint checked create-children permissions for the target sensor but silently skipped read permission checks for regressor sensors (future-regressors, past-regressors, regressors in config), allowing users to reference sensors they shouldn't be able to see.

Changes

• Permission check (api/v3_0/sensors.py): In trigger_forecast, after loading the raw JSON payload and before dispatching the job, collect all regressor sensor IDs from config and call check_access(regressor, "read") for each. The schema already guarantees these IDs resolve to existing sensors, so no None guard is needed — any violation raises Forbidden (403) or Unauthorized (401).

config = parameters.get("config", {})
regressor_ids = set(
    config.get("future-regressors", [])
    + config.get("past-regressors", [])
    + config.get("regressors", [])
)
for regressor_id in regressor_ids:
    regressor = db.session.get(Sensor, regressor_id)
    check_access(regressor, "read")

• Tests (api/v3_0/tests/test_forecasting_api.py): Added test_trigger_forecast_with_unreadable_regressor_returns_403, parametrized over all three regressor fields. Creates a target sensor on the requesting user's account (has create-children) and a regressor sensor on a different account (no read access), asserts 403.

[read-the-docs-community]

Documentation build overview

📚 flexmeasures | 🛠️ Build #32200062 | 📁 Comparing a526466 against latest (82b4605)

  🔍 Preview build  

Show files changed (1 files in total): 📝 1 modified | ➕ 0 added | ➖ 0 deleted

File	Status
api/v3_0.html	📝 modified