Skip to content

feat(BA-6834): AppConfig allow_list permission column (ro/rw, model + migration)#12794

Closed
jopemachine wants to merge 3 commits into
mainfrom
feat/BA-6834-app-config-allow-list-access-columns
Closed

feat(BA-6834): AppConfig allow_list permission column (ro/rw, model + migration)#12794
jopemachine wants to merge 3 commits into
mainfrom
feat/BA-6834-app-config-allow-list-access-columns

Conversation

@jopemachine

@jopemachine jopemachine commented Jul 13, 2026

Copy link
Copy Markdown
Member

Summary

Adds a single VFolder-style permission (ro / rw) column to app_config_allow_list (BA-6834, BEP-1052 / epic BA-5781) — the foundation of the AppConfig write policy, sitting at the base of the stack so every layer above builds on it.

Replaces #12755 (phantom-merged during a stack reorder). An earlier iteration used two read_access/write_access tier columns; per review it was simplified to one permission column — reads use the existing scope-visibility, so there is no read-policy column.

Semantics

  • rw — the layer's owner may write it; ro — only a superadmin may write. Reading is not gated by permission; it follows scope-visibility (public→everyone, domain→members, user→owner).

Default permission per scope_type

scope_type permission
public ro (admin-managed)
domain ro (admin-managed)
user rw (owner self-service)

Layers

  • typesAppConfigPermission (ro/rw) + AppConfigScopeType.default_permission()
  • data / model — single permission column (StrEnumType, NOT NULL)
  • repository — creator defaults per scope; updater can re-policy
  • migration3e7b1d9c4a25 (down_revision = current main head): add permission, backfill (public/domain→ro, user→rw)

📚 Stacked PRs

Part of the AppConfigFragment / AppConfig stack under BEP-1052 (epic BA-5781). Merge in order:

  1. feat(BA-6552): add app_config_fragments DB model and Alembic migration #12306feat(BA-6552): app_config_fragments DB model and Alembic migration
  2. feat(BA-6553): add app_config_fragments repository layer #12307feat(BA-6553): repository layer
  3. refactor(BA-6619): consolidate AppConfigScopeType into common.data (single definition) #12403refactor(BA-6619): consolidate AppConfigScopeType into common.data
  4. refactor(BA-6620): ExistsQuerier ops primitive + AppConfigAllowList.exists #12405refactor(BA-6620): ExistsQuerier + AppConfigAllowList.exists
  5. feat(BA-6554): add app_config_fragment service layer #12358feat(BA-6554): AppConfigFragment service layer
  6. feat(BA-6702): move fragment rank to the allow list with scope defaults #12516feat(BA-6702): move fragment rank to the allow list with scope defaults
  7. feat(BA-6701): expose allow-list rank on the v2 API surface #12517feat(BA-6701): expose allow-list rank on the v2 API surface
  8. feat(BA-6704): cascade app config subtree deletion from the definition #12518feat(BA-6704): cascade app config subtree deletion from the definition
  9. feat(BA-6626): app_config_fragment bulk repository layer #12426feat(BA-6626): app_config_fragment bulk repository layer
  10. feat(BA-6618): app_config_fragment bulk CRUD service layer #12401feat(BA-6618): app_config_fragment bulk CRUD service layer
  11. feat(BA-6810): AppConfigFragment visible-fragments query (repository layer) #12706feat(BA-6810): AppConfigFragment visible-fragments query (repository layer)
  12. 👉 feat(BA-6834): AppConfig allow_list permission column (ro/rw, model + migration) #12794feat(BA-6834): AppConfig allow_list permission column (ro/rw, model + migration) — permission foundation ← you are here
  13. feat(BA-6555): AppConfig merge engine + resolve service (service layer) #12359feat(BA-6555): AppConfig merge engine + resolve service (service layer)
  14. feat(BA-6556): AppConfig REST v2 API (raw fragments and merged read/update) #12377feat(BA-6556): AppConfig REST v2 API
  15. feat(BA-6835): expose the allow_list permission on the v2 API #12756feat(BA-6835): expose the allow_list permission on the v2 API
  16. feat(BA-6860): RBAC-gate app_config fragment writes at the processors #12759feat(BA-6836): authorize fragment writes via allow_list permission (ro/rw)

AppConfig is treated as RBAC-Global with no RBAC validator; the allow-list's single permission (ro/rw) column is AppConfig's standalone write policy — it sits at the base so every layer above builds on it. Reads use the existing scope-visibility (no read column; the former read-authz PR #12764 was dropped).

jopemachine and others added 2 commits July 13, 2026 13:55
Add a single `permission` (ro/rw) column to app_config_allow_list, decoupling
write-authorization from the allow-list row's existence. `rw` lets the scope
owner write the layer, `ro` restricts writes to superadmins; reads keep
following scope visibility. Defaults per scope_type: public/domain=ro,
user=rw. Migration backfills existing rows.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jopemachine jopemachine force-pushed the feat/BA-6834-app-config-allow-list-access-columns branch from a148eed to 00160af Compare July 13, 2026 05:13
@jopemachine jopemachine changed the title feat(BA-6834): AppConfig allow_list read/write access levels (model + migration) feat(BA-6834): AppConfig allow_list permission column (ro/rw, model + migration) Jul 13, 2026
Reflect the single `permission` (ro/rw) column: the allow-list row's
presence registers a layer and carries rank/read-order, while `permission`
decides write authorization (rw = scope owner may write, ro = superadmin-only)
— presence no longer *is* the write grant. Read stays scope-visibility with no
permission check. Updates Overview, Design Principles, the allow_list table,
Integrity, the Write model, and admin scenarios.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jopemachine

Copy link
Copy Markdown
Member Author

Closing — the design was finalized to not add a permission column. app_config_allow_list keeps its existing shape (existence registers a readable layer + rank); write authorization is a fixed per-scope rule (a user may write only their own user-scope fragment; a superadmin writes the rest), which needs no schema change. That fixed-scope write authz lives in #12759. No model change is required, so this PR is dropped.

@jopemachine jopemachine deleted the feat/BA-6834-app-config-allow-list-access-columns branch July 13, 2026 06:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

comp:common Related to Common component comp:manager Related to Manager component require:db-migration Automatically set when alembic migrations are added or updated size:L 100~500 LoC

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant