fix(ruleset): check owner on vote_response instead of participant on vote for POST /vote_responses #36

Merged: jordane merged 2 commits into main from jme/LFXV2-1842 on May 18, 2026
Conversation

@jordane jordane commented May 18, 2026

Summary

  • Fixes a 403 on POST /vote_responses in prod after the recent ruleset update
  • The previous rule checked participant on vote:{vote_uid}, but no participant tuples exist on vote objects in OpenFGA (only committee and project)
  • Switches to checking owner on vote_response:{vote_response_uid} — tuples are written ahead of the create call by the invite/seed flow and are already present
  • Updates docs (api-contracts.md, glossary.md, itx-proxy-implementation.md) to remove the now-unused participant relation

Fixes: LFXV2-1842

🤖 Generated with Claude Code

…vote for POST /vote_responses

No participant tuples exist on vote objects in OpenFGA. The correct
authorization signal is the owner tuple on the vote_response, which is
written ahead of the create call by the invite/seed flow.

Issue: LFXV2-1842

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Jordan Evans <jevans@linuxfoundation.org>
@jordane jordane requested a review from a team as a code owner May 18, 2026 23:18
Copilot AI review requested due to automatic review settings May 18, 2026 23:18
Copilot AI left a comment

Pull request overview

This PR updates the Heimdall/OpenFGA authorization rule for POST /vote_responses to check ownership on the vote response object instead of checking a removed participant relation on the parent vote.

Changes:

  • Switches the vote response create RuleSet check to owner on vote_response:{vote_response_uid}.
  • Updates API and architecture docs to reflect the new required permission.
  • Removes the obsolete participant glossary entry.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| charts/lfx-v2-voting-service/templates/ruleset.yaml | Updates the OpenFGA object/relation used for creating vote responses. |
| docs/api-contracts.md | Documents the new required permission for POST /vote_responses. |
| docs/glossary.md | Removes participant and expands owner to cover create/update. |
| docs/itx-proxy-implementation.md | Updates the permission model summary to remove participant. |

@jordane jordane merged commit 99821b8 into main May 18, 2026
9 checks passed
@jordane jordane deleted the jme/LFXV2-1842 branch May 18, 2026 23:26
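
Added example, not code from this PR or the project: a small Python audit of the failure described in the summary, where a rule checks a relation that has no tuples on its object type and therefore denies every request. The tuples, ids, rule records and function names are constructed for illustration, and only direct tuples are considered (a real OpenFGA model can also derive relations from other relations).

```python
from collections import defaultdict

# Constructed sample tuples (user, relation, object); every id is made up.
TUPLES = [
    ("committee:c1", "committee", "vote:v1"),
    ("project:p1", "project", "vote:v1"),
    ("user:alice", "owner", "vote_response:r1"),  # written ahead by the invite/seed flow
]

# Hypothetical rule records: the relation and object type each route checks.
RULE_BEFORE = {"route": "POST /vote_responses", "relation": "participant", "object_type": "vote"}
RULE_AFTER = {"route": "POST /vote_responses", "relation": "owner", "object_type": "vote_response"}


def relations_by_type(tuples):
    """Map each object type to the set of relations that have at least one tuple."""
    seen = defaultdict(set)
    for _user, relation, obj in tuples:
        seen[obj.split(":", 1)[0]].add(relation)
    return seen


def check(tuples, user, relation, obj):
    """Direct-tuple check only (assumption: no computed or inherited relations)."""
    return (user, relation, obj) in tuples


def dead_rules(rules, tuples):
    """Return rules whose relation never appears on their object type: they always deny."""
    seen = relations_by_type(tuples)
    return [r for r in rules if r["relation"] not in seen.get(r["object_type"], set())]


if __name__ == "__main__":
    for rule in dead_rules([RULE_BEFORE, RULE_AFTER], TUPLES):
        print("always denies:", rule["route"], rule["relation"], "on", rule["object_type"])
    print("old check:", check(TUPLES, "user:alice", "participant", "vote:v1"))
    print("new check:", check(TUPLES, "user:alice", "owner", "vote_response:r1"))
```

Run against an export of the store's tuples before a ruleset change ships, a check like this flags a rule that can only ever return 403.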