feat(BA-6834): AppConfig allow_list permission column (ro/rw, model + migration)#12794
Closed
jopemachine wants to merge 3 commits into
Closed
feat(BA-6834): AppConfig allow_list permission column (ro/rw, model + migration)#12794jopemachine wants to merge 3 commits into
jopemachine wants to merge 3 commits into
Conversation
This was referenced Jul 13, 2026
Add a single `permission` (ro/rw) column to app_config_allow_list, decoupling write-authorization from the allow-list row's existence. `rw` lets the scope owner write the layer, `ro` restricts writes to superadmins; reads keep following scope visibility. Defaults per scope_type: public/domain=ro, user=rw. Migration backfills existing rows. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
a148eed to
00160af
Compare
Reflect the single `permission` (ro/rw) column: the allow-list row's presence registers a layer and carries rank/read-order, while `permission` decides write authorization (rw = scope owner may write, ro = superadmin-only) — presence no longer *is* the write grant. Read stays scope-visibility with no permission check. Updates Overview, Design Principles, the allow_list table, Integrity, the Write model, and admin scenarios. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Member
Author
|
Closing — the design was finalized to not add a permission column. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a single VFolder-style
permission(ro/rw) column toapp_config_allow_list(BA-6834, BEP-1052 / epic BA-5781) — the foundation of the AppConfig write policy, sitting at the base of the stack so every layer above builds on it.Semantics
rw— the layer's owner may write it;ro— only a superadmin may write. Reading is not gated bypermission; it follows scope-visibility (public→everyone, domain→members, user→owner).Default
permissionperscope_typero(admin-managed)ro(admin-managed)rw(owner self-service)Layers
AppConfigPermission(ro/rw) +AppConfigScopeType.default_permission()permissioncolumn (StrEnumType,NOT NULL)3e7b1d9c4a25(down_revision= current main head): addpermission, backfill (public/domain→ro, user→rw)📚 Stacked PRs
Part of the AppConfigFragment / AppConfig stack under BEP-1052 (epic BA-5781). Merge in order:
feat(BA-6552): app_config_fragments DB model and Alembic migrationfeat(BA-6553): repository layerrefactor(BA-6619): consolidate AppConfigScopeType into common.datarefactor(BA-6620): ExistsQuerier + AppConfigAllowList.existsfeat(BA-6554): AppConfigFragment service layerfeat(BA-6702): move fragment rank to the allow list with scope defaultsfeat(BA-6701): expose allow-list rank on the v2 API surfacefeat(BA-6704): cascade app config subtree deletion from the definitionfeat(BA-6626): app_config_fragment bulk repository layerfeat(BA-6618): app_config_fragment bulk CRUD service layerfeat(BA-6810): AppConfigFragment visible-fragments query (repository layer)feat(BA-6834): AppConfig allow_list permission column (ro/rw, model + migration)— permission foundation ← you are herefeat(BA-6555): AppConfig merge engine + resolve service (service layer)feat(BA-6556): AppConfig REST v2 APIfeat(BA-6835): expose the allow_list permission on the v2 APIfeat(BA-6836): authorize fragment writes via allow_list permission (ro/rw)AppConfig is treated as RBAC-Global with no RBAC validator; the allow-list's single
permission(ro/rw) column is AppConfig's standalone write policy — it sits at the base so every layer above builds on it. Reads use the existing scope-visibility (no read column; the former read-authz PR #12764 was dropped).