feat(BA-6834): AppConfig allow_list read/write access levels (model + migration)#12755
Merged
jopemachine merged 0 commit intoJul 13, 2026
Conversation
This was referenced Jul 10, 2026
faca98f to
aa3b9d6
Compare
aa3b9d6 to
a148eed
Compare
a148eed
into
feat/BA-6556-app-config-rest-v2
0 of 2 checks passed
55e7e44 to
e906bcd
Compare
Member
Author
|
GitHub auto-marked this PR "merged" during a stack reorder: the read/write access-level work was moved to the base of the AppConfig stack (below #12359), so this branch's commits became contained in its old base ( The identical work now lives in #12794 ( |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
read_access/write_accessaccess-level columns toapp_config_allow_list(BA-6834, BEP-1052 / epic BA-5781), decoupling read-enablement from write-authorization. Until now the allow-list row's mere existence doubled as the write gate (the FKWriteNotAllowedcheck) while it also carried the mergerank(the read side) — conflating two orthogonal concerns and forcing the REST API to gate every fragment write to superadmin. These admin-owned tiers make who-may-read and who-may-write explicit; the row's existence now only registers a config layer.Access levels
AppConfigAccessLevel, least → most privileged:public<authenticated<owner<admin.owneris resolved relative to the fragment's scope (the user itself foruserscope, the domain admin fordomain);admin(superadmin) always satisfies any tier.Default policy per
scope_typepublicadminauthenticatedadminownerownerLayers
AppConfigAccessLevel+AppConfigScopeType.default_read_access()/default_write_access()read_access/write_accessonAppConfigAllowListDataand the ORM row (StrEnumType,NOT NULL)3e7b1d9c4a25: add nullable → backfill byscope_type→NOT NULL(mirrors therankmigration)Notes
alembic upgrade headagainst this branch's halfstack to verify.📚 Stacked PRs
Part of the AppConfigFragment / AppConfig stack under BEP-1052 (epic BA-5781). Merge in order:
feat(BA-6552): app_config_fragments DB model and Alembic migrationfeat(BA-6553): repository layerrefactor(BA-6619): consolidate AppConfigScopeType into common.datarefactor(BA-6620): ExistsQuerier + AppConfigAllowList.existsfeat(BA-6554): AppConfigFragment service layerfeat(BA-6702): move fragment rank to the allow list with scope defaultsfeat(BA-6701): expose allow-list rank on the v2 API surfacefeat(BA-6704): cascade app config subtree deletion from the definitionfeat(BA-6626): app_config_fragment bulk repository layerfeat(BA-6618): app_config_fragment bulk CRUD service layerfeat(BA-6810): AppConfigFragment visible-fragments query (repository layer)feat(BA-6555): AppConfig merge engine + resolve service (service layer)feat(BA-6556): AppConfig REST v2 APIfeat(BA-6834): AppConfig allow_list read/write access levels (model + migration)← you are herefeat(BA-6835): expose read/write access level on the allow_list v2 APIfeat(BA-6836): authorize fragment writes via allow_list write_access tierfeat(BA-6837): authorize fragment reads via allow_list read_access tierAppConfig is treated as RBAC-Global with no RBAC validator;
app_config_allow_list's access tiers are AppConfig's standalone authorization system.