Add missing relations to vote_response FGA type

[bramwelt]

Summary

Adds project, writer, and viewer relations to the vote_response OpenFGA type to match what the voting-service sends via lfx.fga-sync.update_access.

Problem

vote_response was missing three relations that the voting-service writes as FGA tuples:

Relation	Error
vote_response#project	relation 'vote_response#project' not found
vote_response#viewer	relation 'vote_response#viewer' not found
vote_response#writer	relation 'vote_response#writer' not found

This caused 2,658 failed batch writes per 24h in production. The entire batch failed, leaving affected vote_response objects with no FGA tuples.

Change

 type vote_response
   relations
     define vote: [vote]
+    define project: [project]
     # owner is the user who cast this response
     define owner: [user]
-    # we don't need to create a "writer" relation that is defined as just "owner":
-    # we just use the "owner" relation in our access checks!
+    define writer: [user] or owner
     define auditor: owner or auditor from vote
+    define viewer: [user:*, user] or auditor

Consistent with the vote and survey type patterns.

Related

• LFXV2-1555 — this issue
• LFXV2-1554 — fga-sync batch write retry fix (handles validation errors gracefully until this model change is deployed)
• Skip invalid tuples and retry batch writes lfx-v2-fga-sync#44 — retry logic in fga-sync

Closes LFXV2-1555

[coderabbitai]

Warning

Rate limit exceeded

@bramwelt has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 9 minutes and 21 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 9 minutes and 21 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7ca7edfa-0466-4b96-9b25-371d1c612dc3

📥 Commits

Reviewing files that changed from the base of the PR and between 1cc8e30 and 05fa20c.

📒 Files selected for processing (1)

• charts/lfx-platform/templates/openfga/model.yaml

Walkthrough

Updated the OpenFGA authorization model (minor version bump) for the vote_response type: added project relation, explicitly defined writer: [user] or owner, and added viewer: [user, user:*] or auditor.

Changes

Cohort / File(s)	Summary
OpenFGA Authorization Model charts/lfx-platform/templates/openfga/model.yaml	Bumped model minor version (major: 10, minor: 1, patch: 0). In type vote_response added define project: [project], added explicit define writer: [user] or owner (replacing prior comment guidance), and added define viewer: [user, user:*] or auditor.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main change: adding missing relations (project, writer, viewer) to the vote_response FGA type, which directly matches the changeset.
Description check	✅ Passed	The description is directly related to the changeset, providing detailed context about the problem, the specific relations added, and production impact from missing relations.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch tbramwell/LFXV2-1554-vote-response-relations

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Updates the OpenFGA authorization model to add missing vote_response relations so lfx.fga-sync.update_access can write the tuples emitted by voting-service without failing validation.

Changes:

• Add project relation to vote_response.
• Add writer relation (allowing direct assignment and deriving from owner).
• Add viewer relation (allowing explicit users/wildcard and deriving from auditor).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@charts/lfx-platform/templates/openfga/model.yaml`:
- Around line 310-315: The model adds new relations (see define project, define
owner, define writer, define auditor, define viewer) but the authorization model
version remains 10.0.0; bump the model's semantic version by incrementing the
minor component (e.g., change 10.0.0 to 10.1.0) in the model.yaml header so the
relation additions are tracked as a minor version change per the in-file
versioning guidance.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2939f0fc-58d4-4a8f-83b2-8cc4b525dc0d

📥 Commits

Reviewing files that changed from the base of the PR and between a575e9f and b72764d.

📒 Files selected for processing (1)

• charts/lfx-platform/templates/openfga/model.yaml

[bramwelt]

Review Feedback Addressed

Commit: 1cc8e30

Changes Made

• model.yaml:23: Bumped model version 10.0.0 → 10.1.0; adding relations (project, writer, viewer) requires a minor bump per in-file guidelines (per copilot-pull-request-reviewer, coderabbitai[bot])
• model.yaml:318: Fixed viewer type restriction ordering to [user, user:*] matching existing pattern at lines 165/186/207 (per copilot-pull-request-reviewer)

Threads Resolved

3 of 3 unresolved threads addressed.

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[emsearcy]

@bramwelt I've approved this, but I wonder if the better fix would be changing the fga-sync rules sent by the Vote service?

Based on my audit, there are no endpoints that actually enforce "writer" level permissions. And nobody should be able to change a vote except the person who cast it, right? I see that it doesn't inherit from anything ... so it doesn't exactly make sense from a product perspective. Am I authorizing another person to change my vote? (except you're not, since writers can't do anything according the RuleSets...) ... so... I'm making it possible to grant read access to somebody other than the owner, but calling it write access ... the optics just don't look good.

CC @andrest50 who shows up in the "blame" for the removed comment.

[bramwelt]

Closing in favor of: linuxfoundation/lfx-v2-voting-service#30