You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat(BA-6859): bind app_config fragments to their RBAC scope on write (repository layer)
Run the app_config_fragment repository on RBACOpsProvider and make every
fragment write flow through the RBAC scope machinery, branch-free:
- The shared RBAC creator/unbinder now model *global-scoped* entities:
RBACEntityCreator.scope_ref and RBACScopeEntityUnbinder.scope_ref accept
None, meaning the entity lives outside the RBAC scope hierarchy and carries
no scope association (executors skip the association rows).
- AppConfigScopeType.to_rbac_element_type() maps a fragment scope to its RBAC
scope element (public -> None), next to its to_rbac_scope_type sibling.
- create binds a user/domain fragment to its scope via
association_scopes_entities in the same tx; purge unbinds it via the
canonical scope unbinder (AppConfigFragmentScopeUnbinder), deleting the row
and its association atomically. A public fragment takes the same single code
path with scope_ref=None.
- Registers APP_CONFIG_FRAGMENT as an owner-accessible RBAC resource type.
- Repository/db_source create now takes AppConfigFragmentCreatorSpec directly.
Data-layer foundation for RBAC-gating fragment writes; service-layer
validators + DI registration follow (BA-6860).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Bind AppConfig fragments to their RBAC scope on write (repository layer): a `user` / `domain` fragment is associated to its RBAC scope on create and unbound on purge (`public` maps to GLOBAL and carries none), so fragment write authorization can be enforced by RBAC. The allow list becomes a read allowlist (registration + `rank`) while writes move to RBAC (BEP-1052).
0 commit comments