Remove todos around queries/run authorization tests (#3992)

server/authz/policy.rego

@@ -312,8 +312,10 @@ allow {
   subject.global_role == maintainer
   action = run_new
 }
+
 # Team admin and maintainer running a non-observers_can_run query must have the targets
-# filtered to only teams that they maintain
+# filtered to only teams that they maintain. That check is not validated by this rego
+# file, it is a filter that is applied at the datastore level (in HostIDsInTargets).
 allow {
   object.type == "query"
   # If role is maintainer on any team
@@ -337,7 +339,8 @@ allow {
 	action = run
 }
 # Team observer running a observers_can_run query must have the targets
-# filtered to only teams that they observe
+# filtered to only teams that they observe. That check is not validated by this rego
+# file, it is a filter that is applied at the datastore level (in HostIDsInTargets).
 allow {
 	object.type == "query"
 	object.observer_can_run == true
@@ -454,4 +457,4 @@ allow {
   not is_null(subject)
   object.type == "software"
   action == read
-}
+}

server/service/campaigns_test.go

@@ -128,7 +128,11 @@ func TestLiveQueryAuth(t *testing.T) {
 			false,
 			false,
 		},
-		// TODO(mna): I don't think this is properly validated by rego, see https://github.com/fleetdm/fleet/issues/3950
+		// NOTE: this specific case is not covered by the rego authorization policy,
+		// it is at the datastore level that a filter is applied to only consider
+		// hosts that the user can see (that is, a fleet.TeamFilter is passed to
+		// ds.HostIDsInTargets and that call applies the filter to return only
+		// allowed hosts).
 		/*
 			{
 				"team admin, target not set to own team",
@@ -147,7 +151,7 @@ func TestLiveQueryAuth(t *testing.T) {
 			false,
 			false,
 		},
-		// TODO(mna): I don't think this is properly validated by rego, see https://github.com/fleetdm/fleet/issues/3950
+		// NOTE: same as the note above.
 		/*
 			{
 				"team observer, target not set to own team",