shreemaan-abhishek opened a new pull request, #13410: URL: https://github.com/apache/apisix/pull/13410
### Description

When the `authz-keycloak` plugin is configured with `http_method_as_scope` enabled together with a static `permissions` list, the request method was appended onto `conf.permissions` in place. Because the plugin configuration object is reused across requests, the appended method scope accumulated on each subsequent request (e.g. `course_resource#GET` became `course_resource#GET, GET`, then `course_resource#GET, GET, GET`, and so on).

This change copies the permissions list with `core.table.clone` before deriving the per-request method scope, so the shared plugin config is left untouched. The `else` branch (`permission = conf.permissions`) is unchanged.

A regression test (`t/plugin/authz-keycloak5.t`) is added that sends two requests through the same configured route and asserts the derived scope does not accumulate.

#### Which issue(s) this PR fixes:

<!-- *Automatically closes linked issue when PR is merged. Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`. -->

Fixes #

### Checklist

- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [ ] I have updated the documentation to reflect this change
- [x] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
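The accumulation described in the PR, reproduced as a stand-alone Lua model. This is an added example, not code from the PR or from APISIX. `shallow_clone` stands in for `core.table.clone`, the `derive_*` and `add_method_scope` names are hypothetical, and the append rule is an assumption modelled on the strings quoted in the description.

```lua
-- Added example: stand-alone model of the shared-config mutation, not APISIX code.

-- Stand-in for core.table.clone (assumption: a shallow copy is enough for a list of strings).
local function shallow_clone(t)
    local copy = {}
    for i, v in ipairs(t) do
        copy[i] = v
    end
    return copy
end

-- Assumed append rule, modelled on the strings quoted in the PR description:
-- "res" -> "res#GET", and an entry that already has a scope gets ", GET" appended.
local function add_method_scope(list, method)
    for i, p in ipairs(list) do
        if p:find("#", 1, true) then
            list[i] = p .. ", " .. method
        else
            list[i] = p .. "#" .. method
        end
    end
    return list
end

-- Before the fix: the shared conf.permissions table is modified in place.
local function derive_in_place(conf, method)
    return add_method_scope(conf.permissions, method)
end

-- After the fix: only a per-request copy is modified.
local function derive_from_copy(conf, method)
    return add_method_scope(shallow_clone(conf.permissions), method)
end

-- Constructed sample configs, each reused across requests like a plugin conf object.
local buggy = { http_method_as_scope = true, permissions = { "course_resource" } }
local fixed = { http_method_as_scope = true, permissions = { "course_resource" } }

for _, method in ipairs({ "GET", "GET", "POST" }) do
    local a = table.concat(derive_in_place(buggy, method), "; ")
    local b = table.concat(derive_from_copy(fixed, method), "; ")
    print(("%-4s in place: %-32s copy: %s"):format(method, a, b))
end

-- The regression property: the shared config is unchanged after serving requests.
assert(fixed.permissions[1] == "course_resource")
assert(buggy.permissions[1] == "course_resource#GET, GET, POST")
```

In the in-place variant the third request (a POST) is evaluated with a permission string that still carries the scopes of the two earlier GET requests, which is why the shared table has to stay untouched.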
