feat: GRANT/REVOKE ACCESS on PUBLISHED REST SERVICE (#162)

Adds module-role access control for published REST services, mirroring
the existing OData service GRANT/REVOKE syntax. The REST metamodel
stores this in the AllowedRoles BSON field (vs OData's
AllowedModuleRoles), so a separate writer entrypoint is introduced.
DESCRIBE now emits a trailing GRANT statement when AllowedRoles is
non-empty so the output remains a re-executable roundtrip.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ako

cmd/mxcli/help_topics/rest.txt

@@ -37,6 +37,16 @@ CREATE / DROP PUBLISHED REST SERVICE
 
   Properties: Path (required), Version, ServiceName, Folder
   HTTP methods: GET, POST, PUT, DELETE, PATCH
+
+GRANT / REVOKE ACCESS
+---------------------
+
+  GRANT ACCESS ON PUBLISHED REST SERVICE Module.MyAPI
+    TO Module.User, Module.Admin;
+
+  REVOKE ACCESS ON PUBLISHED REST SERVICE Module.MyAPI
+    FROM Module.User;
+
   Modifiers: DEPRECATED, IMPORT MAPPING, EXPORT MAPPING, COMMIT
   Operation paths: empty '' for root, '{name}' for path params.
                    Do NOT start/end with /.

docs/01-project/MDL_QUICK_REFERENCE.md

@@ -445,6 +445,8 @@ CREATE OR REPLACE NAVIGATION Responsive
 | Create service | See below | |
 | Create or replace | `CREATE OR REPLACE PUBLISHED REST SERVICE ...` | Replaces existing service |
 | Drop service | `DROP PUBLISHED REST SERVICE Module.Name;` | |
+| Grant access | `GRANT ACCESS ON PUBLISHED REST SERVICE Module.Name TO Module.Role, ...;` | Adds module roles to AllowedRoles |
+| Revoke access | `REVOKE ACCESS ON PUBLISHED REST SERVICE Module.Name FROM Module.Role, ...;` | |
 
 ```sql
 CREATE PUBLISHED REST SERVICE Module.MyAPI (

mdl-examples/doctype-tests/22-published-rest-service-examples.mdl

@@ -124,7 +124,23 @@ SHOW PUBLISHED REST SERVICES;
 SHOW PUBLISHED REST SERVICES IN PrsTest;
 
 -- ############################################################################
--- PART 6: DROP
+-- PART 6: GRANT / REVOKE ACCESS
+-- ############################################################################
+--
+-- Grant module roles access to a published REST service. The roles must
+-- already exist in the same module's security model.
+
+CREATE MODULE ROLE PrsTest.User;
+CREATE MODULE ROLE PrsTest.Admin;
+
+GRANT ACCESS ON PUBLISHED REST SERVICE PrsTest.OrderAPI TO PrsTest.User, PrsTest.Admin;
+DESCRIBE PUBLISHED REST SERVICE PrsTest.OrderAPI;
+
+REVOKE ACCESS ON PUBLISHED REST SERVICE PrsTest.OrderAPI FROM PrsTest.User;
+DESCRIBE PUBLISHED REST SERVICE PrsTest.OrderAPI;
+
+-- ############################################################################
+-- PART 7: DROP
 -- ############################################################################
 
 DROP PUBLISHED REST SERVICE PrsTest.OrderAPI;

mdl/ast/ast_security.go

@@ -150,6 +150,22 @@ type RevokeODataServiceAccessStmt struct {
 
 func (s *RevokeODataServiceAccessStmt) isStatement() {}
 
+// GrantPublishedRestServiceAccessStmt represents: GRANT ACCESS ON PUBLISHED REST SERVICE Module.Svc TO role1, role2
+type GrantPublishedRestServiceAccessStmt struct {
+	Service QualifiedName
+	Roles   []QualifiedName
+}
+
+func (s *GrantPublishedRestServiceAccessStmt) isStatement() {}
+
+// RevokePublishedRestServiceAccessStmt represents: REVOKE ACCESS ON PUBLISHED REST SERVICE Module.Svc FROM role1, role2
+type RevokePublishedRestServiceAccessStmt struct {
+	Service QualifiedName
+	Roles   []QualifiedName
+}
+
+func (s *RevokePublishedRestServiceAccessStmt) isStatement() {}
+
 // AlterProjectSecurityStmt represents ALTER PROJECT SECURITY commands.
 type AlterProjectSecurityStmt struct {
 	// SecurityLevel is set for ALTER PROJECT SECURITY LEVEL (PRODUCTION|PROTOTYPE|OFF)

mdl/executor/cmd_published_rest.go

@@ -141,6 +141,12 @@ func (e *Executor) describePublishedRestService(name ast.QualifiedName) error {
 		}
 		fmt.Fprintln(e.output, "/")
 
+		// Emit GRANT statements for any module roles with access.
+		if len(svc.AllowedRoles) > 0 {
+			fmt.Fprintf(e.output, "\nGRANT ACCESS ON PUBLISHED REST SERVICE %s.%s TO %s;\n",
+				modName, svc.Name, strings.Join(svc.AllowedRoles, ", "))
+		}
+
 		return nil
 	}
 

mdl/executor/cmd_security_write.go

@@ -1199,6 +1199,126 @@ func (e *Executor) execRevokeODataServiceAccess(s *ast.RevokeODataServiceAccessS
 	return fmt.Errorf("published OData service not found: %s.%s", s.Service.Module, s.Service.Name)
 }
 
+// ============================================================================
+// GRANT/REVOKE ACCESS ON PUBLISHED REST SERVICE
+// ============================================================================
+
+// execGrantPublishedRestServiceAccess handles GRANT ACCESS ON PUBLISHED REST SERVICE Module.Svc TO roles.
+func (e *Executor) execGrantPublishedRestServiceAccess(s *ast.GrantPublishedRestServiceAccessStmt) error {
+	if e.writer == nil {
+		return fmt.Errorf("not connected to a project in write mode")
+	}
+
+	h, err := e.getHierarchy()
+	if err != nil {
+		return fmt.Errorf("failed to build hierarchy: %w", err)
+	}
+
+	services, err := e.reader.ListPublishedRestServices()
+	if err != nil {
+		return fmt.Errorf("failed to list published REST services: %w", err)
+	}
+
+	for _, svc := range services {
+		modID := h.FindModuleID(svc.ContainerID)
+		modName := h.GetModuleName(modID)
+		if modName != s.Service.Module || svc.Name != s.Service.Name {
+			continue
+		}
+
+		// Validate all roles exist
+		for _, role := range s.Roles {
+			if err := e.validateModuleRole(role); err != nil {
+				return err
+			}
+		}
+
+		// Merge new roles with existing (skip duplicates)
+		existing := make(map[string]bool)
+		var merged []string
+		for _, r := range svc.AllowedRoles {
+			existing[r] = true
+			merged = append(merged, r)
+		}
+		var added []string
+		for _, role := range s.Roles {
+			qn := role.Module + "." + role.Name
+			if !existing[qn] {
+				merged = append(merged, qn)
+				added = append(added, qn)
+			}
+		}
+
+		if err := e.writer.UpdatePublishedRestServiceRoles(svc.ID, merged); err != nil {
+			return fmt.Errorf("failed to update published REST service access: %w", err)
+		}
+
+		if len(added) == 0 {
+			fmt.Fprintf(e.output, "All specified roles already have access on published REST service %s.%s\n", modName, svc.Name)
+		} else {
+			fmt.Fprintf(e.output, "Granted access on published REST service %s.%s to %s\n", modName, svc.Name, strings.Join(added, ", "))
+		}
+		return nil
+	}
+
+	return fmt.Errorf("published REST service not found: %s.%s", s.Service.Module, s.Service.Name)
+}
+
+// execRevokePublishedRestServiceAccess handles REVOKE ACCESS ON PUBLISHED REST SERVICE Module.Svc FROM roles.
+func (e *Executor) execRevokePublishedRestServiceAccess(s *ast.RevokePublishedRestServiceAccessStmt) error {
+	if e.writer == nil {
+		return fmt.Errorf("not connected to a project in write mode")
+	}
+
+	h, err := e.getHierarchy()
+	if err != nil {
+		return fmt.Errorf("failed to build hierarchy: %w", err)
+	}
+
+	services, err := e.reader.ListPublishedRestServices()
+	if err != nil {
+		return fmt.Errorf("failed to list published REST services: %w", err)
+	}
+
+	for _, svc := range services {
+		modID := h.FindModuleID(svc.ContainerID)
+		modName := h.GetModuleName(modID)
+		if modName != s.Service.Module || svc.Name != s.Service.Name {
+			continue
+		}
+
+		// Build set of roles to remove
+		toRemove := make(map[string]bool)
+		for _, role := range s.Roles {
+			toRemove[role.Module+"."+role.Name] = true
+		}
+
+		// Filter out removed roles
+		var remaining []string
+		var removed []string
+		for _, r := range svc.AllowedRoles {
+			if toRemove[r] {
+				removed = append(removed, r)
+			} else {
+				remaining = append(remaining, r)
+			}
+		}
+
+		if err := e.writer.UpdatePublishedRestServiceRoles(svc.ID, remaining); err != nil {
+			return fmt.Errorf("failed to update published REST service access: %w", err)
+		}
+
+		if len(removed) == 0 {
+			fmt.Fprintf(e.output, "None of the specified roles had access on published REST service %s.%s\n", modName, svc.Name)
+		} else {
+			fmt.Fprintf(e.output, "Revoked access on published REST service %s.%s from %s\n", modName, svc.Name, strings.Join(removed, ", "))
+		}
+		return nil
+	}
+
+	return fmt.Errorf("published REST service not found: %s.%s", s.Service.Module, s.Service.Name)
+}
+
 // execUpdateSecurity handles UPDATE SECURITY [IN Module].
 func (e *Executor) execUpdateSecurity(s *ast.UpdateSecurityStmt) error {
 	if e.writer == nil {

mdl/executor/executor_dispatch.go

@@ -208,6 +208,10 @@ func (e *Executor) executeInner(stmt ast.Statement) error {
 		return e.execGrantODataServiceAccess(s)
 	case *ast.RevokeODataServiceAccessStmt:
 		return e.execRevokeODataServiceAccess(s)
+	case *ast.GrantPublishedRestServiceAccessStmt:
+		return e.execGrantPublishedRestServiceAccess(s)
+	case *ast.RevokePublishedRestServiceAccessStmt:
+		return e.execRevokePublishedRestServiceAccess(s)
 
 	// Query statements
 	case *ast.ShowStmt:

mdl/executor/stmt_summary.go

@@ -121,6 +121,10 @@ func stmtSummary(stmt ast.Statement) string {
 		return fmt.Sprintf("GRANT ACCESS ON ODATA SERVICE %s", s.Service)
 	case *ast.RevokeODataServiceAccessStmt:
 		return fmt.Sprintf("REVOKE ACCESS ON ODATA SERVICE %s", s.Service)
+	case *ast.GrantPublishedRestServiceAccessStmt:
+		return fmt.Sprintf("GRANT ACCESS ON PUBLISHED REST SERVICE %s", s.Service)
+	case *ast.RevokePublishedRestServiceAccessStmt:
+		return fmt.Sprintf("REVOKE ACCESS ON PUBLISHED REST SERVICE %s", s.Service)
 
 	// Image Collection
 	case *ast.CreateImageCollectionStmt:

mdl/grammar/MDLParser.g4

@@ -342,6 +342,8 @@ securityStatement
     | revokeWorkflowAccessStatement
     | grantODataServiceAccessStatement
     | revokeODataServiceAccessStatement
+    | grantPublishedRestServiceAccessStatement
+    | revokePublishedRestServiceAccessStatement
     | alterProjectSecurityStatement
     | dropDemoUserStatement
     | updateSecurityStatement
@@ -413,6 +415,14 @@ revokeODataServiceAccessStatement
     : REVOKE ACCESS ON ODATA SERVICE qualifiedName FROM moduleRoleList
     ;
 
+grantPublishedRestServiceAccessStatement
+    : GRANT ACCESS ON PUBLISHED REST SERVICE qualifiedName TO moduleRoleList
+    ;
+
+revokePublishedRestServiceAccessStatement
+    : REVOKE ACCESS ON PUBLISHED REST SERVICE qualifiedName FROM moduleRoleList
+    ;
+
 alterProjectSecurityStatement
     : ALTER PROJECT SECURITY LEVEL (PRODUCTION | PROTOTYPE | OFF)
     | ALTER PROJECT SECURITY DEMO USERS (ON | OFF)