From eb0f7f7549611adab5d8737827fefe55a4fba0b8 Mon Sep 17 00:00:00 2001
From: Omer Zuarets <omer@permit.io>
Date: Mon, 6 Jan 2025 10:24:11 +0200
Subject: [PATCH] prevent returning resource_instance on local role assignments
 for top level roles

---
 horizon/local/schemas.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/horizon/local/schemas.py b/horizon/local/schemas.py
index 2c47e289..d38f7e2e 100644
--- a/horizon/local/schemas.py
+++ b/horizon/local/schemas.py
@@ -97,8 +97,11 @@ def tenant(self) -> str:
         return self.attributes.get("tenant", "")
 
     @property
-    def resource_instance(self) -> str:
-        return self.attributes.get("resource", "")
+    def resource_instance(self) -> str | None:
+        resource = self.attributes.get("resource", "")
+        if not resource or resource.startswith("__tenant:"):
+            return None
+        return resource
 
     def into_role_assignment(self) -> RoleAssignment:
         return RoleAssignment(