
added RocketAdmin::ActionEvent permissions#1795

Merged
Artuomka merged 1 commit into main from backend_custom_table_action_permission on May 21, 2026

Conversation

@Artuomka
Collaborator

@Artuomka Artuomka commented May 21, 2026

Summary by CodeRabbit

  • New Features

    • Custom action event triggering now controlled by granular permissions, configurable per-event or at table level.
    • Authorization enforcement added for action event trigger operations.
  • Tests

    • Added comprehensive tests for custom action trigger permission authorization scenarios.
    • Updated existing tests to reflect expanded permissions structure.


Copilot AI review requested due to automatic review settings May 21, 2026 14:46
@coderabbitai

coderabbitai Bot commented May 21, 2026

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

This PR introduces Cedar authorization support for custom action event trigger permissions. It adds a new ActionEvent resource type and actionEvent:trigger action to the authorization schema, extends permission models to include per-event trigger access, implements a protective guard on action activation endpoints, and delivers comprehensive test coverage across all database backends.

Changes

Custom Action Event Trigger Permissions

Layer / File(s) Summary
Cedar Schema & Authorization Contracts
backend/src/entities/cedar-authorization/cedar-schema.json, cedar-schema.ts, cedar-action-map.ts
Cedar schema defines the ActionEvent resource entity type with connectionId and tableName attributes, parented to Table, and introduces the actionEvent:trigger action for User principals. Action map adds the new enum members and a probe ID constant.
Permission Data Models
backend/src/entities/permission/permission.interface.ts, application/data-structures/create-permissions.ds.ts
New interfaces IActionEventAccessLevel and IActionEventPermissionData represent per-event trigger rights. DTOs ActionEventAccessLevelsDs and ActionEventPermissionDs carry the same structure. Table access levels gain optional triggerCustomAction flags. Permissions now include optional actionEvents arrays.
Cedar Authorization & Permission Evaluation
backend/src/entities/cedar-authorization/cedar-authorization.service.ts, cedar-entity-builder.ts, cedar-permissions.service.ts
Authorization service routes actionEvent requests and passes actionEventId to entity builder. Entity builder creates ActionEvent entities when actionEventId is present. Permissions service adds checkActionEventTrigger method and computes triggerCustomAction capability via probe entity evaluation.
Cedar Policy Generation & Parsing
backend/src/entities/cedar-authorization/cedar-policy-generator.ts, cedar-policy-parser.ts
Policy generator emits actionEvent:trigger permits for tables with triggerCustomAction and per-event permits from permissions.actionEvents. Parser recognizes relation-based grants, extracts ActionEvent resource IDs, and materializes trigger permissions.
Action Event Trigger Protection
backend/src/guards/action-event-trigger.guard.ts, backend/src/entities/table-actions/table-action-events-module/repository/*, backend/src/entities/table-actions/table-action-rules-module/action-rules.controller.ts, activate-actions-in-rule.use.case.ts
New ActionEventTriggerGuard validates request params, queries the action event, and enforces trigger permissions via Cedar. Repository adds findEventByIdInConnection method. Controller applies the guard to the activation endpoint. Use case removes Cedar checks (now in guard).
Permission Use Case & Data Flow
backend/src/entities/permission/use-cases/create-or-update-permissions.use.case.ts
Permission use case propagates actionEvents from input through to returned permissions object.
E2E Test Coverage
backend/test/ava-tests/saas-tests/action-rules-e2e.test.ts, backend/test/ava-tests/saas-tests/table-*.e2e.test.ts (40+ files), backend/test/ava-tests/non-saas-tests/non-saas-table-*.e2e.test.ts (10+ files)
New comprehensive trigger permission guard test suite covering owner access, conditional invitee access with/without trigger, denial scenarios, connection scoping, per-event isolation, and blanket trigger behavior. All table listing tests across database backends updated to expect 7 permission keys instead of 6.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • rocket-admin/rocketadmin#1713: Both extend Cedar authorization flow with new resource-scoped IDs; this PR adds ActionEventTrigger with actionEventId, while that PR added Panel permissions with panelId.
  • rocket-admin/rocketadmin#1759: Both extend Cedar authorization and permission pipeline to add new table-level permission flags; this PR for actionEvent:trigger/RocketAdmin::ActionEvent, that PR for table:ai-request/Table.

Suggested reviewers

  • lyubov-voloshko

Poem

🐰 A bunny hops through Cedar's trees,
Permissions fine-tuned with such ease,
Each action event now stands so tall,
With guard rails protecting them all,
Trigger rights dance in the breeze! 🌿✨

🚥 Pre-merge checks | ✅ 4 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Security Check ⚠️ Warning Missing validation of two new Cedar policy patterns: "resource in" for Tables and direct ActionEvent references bypass cross-connection security checks in validatePolicyReferences(). Add regex validation for the two new patterns in validatePolicyReferences() to enforce connectionId prefix checks matching existing implementation.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the primary change: adding support for RocketAdmin::ActionEvent permissions throughout the authorization system.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.


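As an added illustration (not the PR's or the RocketAdmin project's code), the two permit shapes the walkthrough describes (a table-level `resource in` grant driven by triggerCustomAction, and a per-event grant from permissions.actionEvents) next to the connection-prefix check that the Security Check warning asks `validatePolicyReferences()` to apply to both patterns. The `<connectionId>:<name>` entity ID convention and the `RocketAdmin::User` / `RocketAdmin::Action` naming are assumptions.

```typescript
// Added example, not project code. ID format "<connectionId>:<name>" is an
// assumption made so that the owning connection is recoverable from an ID.
interface TablePermission { tableName: string; triggerCustomAction?: boolean }
interface ActionEventPermission { actionEventId: string; accessLevel: { trigger: boolean } }
interface Permissions {
  connectionId: string;
  tables: TablePermission[];
  actionEvents?: ActionEventPermission[];
}

// Emits one actionEvent:trigger permit per table flagged triggerCustomAction
// (covers every ActionEvent parented to that table) and one per explicitly
// granted event.
function generateTriggerPermits(userId: string, p: Permissions): string[] {
  const head =
    `permit(principal == RocketAdmin::User::"${userId}", ` +
    `action == RocketAdmin::Action::"actionEvent:trigger", `;
  const permits: string[] = [];
  for (const t of p.tables) {
    if (t.triggerCustomAction) {
      permits.push(`${head}resource in RocketAdmin::Table::"${p.connectionId}:${t.tableName}");`);
    }
  }
  for (const e of p.actionEvents ?? []) {
    if (e.accessLevel.trigger) {
      permits.push(
        `${head}resource == RocketAdmin::ActionEvent::"${p.connectionId}:${e.actionEventId}");`,
      );
    }
  }
  return permits;
}

// Matches both new reference patterns: `resource in RocketAdmin::Table::"..."`
// and `resource == RocketAdmin::ActionEvent::"..."`.
const RESOURCE_REF = /resource\s+(?:in|==)\s+RocketAdmin::(Table|ActionEvent)::"([^"]*)"/g;

// Rejects a policy unless every resource it references belongs to the
// connection the policy is stored under; a permit with no scoped resource
// reference is rejected too, since it could match across connections.
function validatePolicyReferences(policy: string, connectionId: string): boolean {
  const refs = [...policy.matchAll(RESOURCE_REF)];
  if (refs.length === 0) return false;
  return refs.every(([, , id]) => id.startsWith(`${connectionId}:`));
}
```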

Contributor

Copilot AI left a comment


Pull request overview

This pull request introduces a dedicated Cedar permission for triggering custom action events (ActionEvent), wires it into the action activation endpoint via a new guard, and updates permission modeling/policy generation/parsing accordingly so triggering can be granted independently of table visibility/read permissions.

Changes:

  • Add ActionEvent as a Cedar resource type with actionEvent:trigger authorization, including policy generation/parsing and entity construction.
  • Protect POST /event/actions/activate/:eventId/:connectionId with a new ActionEventTriggerGuard and remove the previous “must be able to read table” check from the activation use case.
  • Extend permission DTOs/interfaces to support triggerCustomAction and per-event trigger grants, and update e2e tests to reflect the new permission shape and guard behavior.

Reviewed changes

Copilot reviewed 54 out of 54 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
backend/test/ava-tests/saas-tests/table-redis-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-redis-agent-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-postgres-schema-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-postgres-encrypted-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-postgres-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-postgres-agent-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-oracledb-schema-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-oracledb-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-oracle-agent-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-mysql-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-mysql-agent-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-mssql-schema-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-mssql-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-mssql-agent-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-mongodb-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-mongodb-agent-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-ibmdb2-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-ibmdb2-agent-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-elasticsearch-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-dynamodb-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-clickhouse-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-clickhouse-agent-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-cassandra.e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/table-cassandra-agent.e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/saas-tests/connection-properties-e2e.test.ts Update expected permissions key count in connection properties response.
backend/test/ava-tests/saas-tests/api-key-e2e.test.ts Update expected permissions key count when using API key flows.
backend/test/ava-tests/saas-tests/action-rules-e2e.test.ts Add new e2e coverage for ActionEvent trigger authorization (owner, table-level, per-event grants, negative cases).
backend/test/ava-tests/non-saas-tests/non-saas-table-redis-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/non-saas-tests/non-saas-table-postgres-schema-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/non-saas-tests/non-saas-table-postgres-encrypted-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/non-saas-tests/non-saas-table-oracledb-schema-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/non-saas-tests/non-saas-table-oracledb-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/non-saas-tests/non-saas-table-mysql-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/non-saas-tests/non-saas-table-mssql-schema-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/non-saas-tests/non-saas-table-mssql-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/non-saas-tests/non-saas-table-mongodb-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/non-saas-tests/non-saas-table-ibmdb2-e2e.test.ts Update expected table permission key count to include new permission flag.
backend/test/ava-tests/non-saas-tests/non-saas-table-cassandra.e2e.test.ts Update expected table permission key count to include new permission flag.
backend/src/guards/action-event-trigger.guard.ts New guard: resolves ActionEvent in-connection and enforces Cedar actionEvent:trigger.
backend/src/entities/table-actions/table-action-rules-module/use-cases/activate-actions-in-rule.use.case.ts Remove table-read permission gate (authorization moved to trigger-specific guard).
backend/src/entities/table-actions/table-action-rules-module/action-rules.controller.ts Apply ActionEventTriggerGuard to action activation endpoint.
backend/src/entities/table-actions/table-action-events-module/repository/action-events-custom-repository.interface.ts Add repository contract for finding an event by id within a connection.
backend/src/entities/table-actions/table-action-events-module/repository/action-events-custom-repository.extension.ts Implement findEventByIdInConnection query used by the new guard.
backend/src/entities/permission/use-cases/create-or-update-permissions.use.case.ts Ensure actionEvents permissions are persisted into the policy generation input.
backend/src/entities/permission/permission.interface.ts Extend permission model with triggerCustomAction and per-event actionEvents grants.
backend/src/entities/permission/application/data-structures/create-permissions.ds.ts Add DTO validation/schema for triggerCustomAction and actionEvents permissions.
backend/src/entities/cedar-authorization/cedar-schema.ts Add Cedar ActionEvent entity type and actionEvent:trigger action.
backend/src/entities/cedar-authorization/cedar-schema.json Keep JSON Cedar schema in sync with TS schema for ActionEvent.
backend/src/entities/cedar-authorization/cedar-policy-parser.ts Parse actionEvent:trigger permits into classical permissions (table-level and per-event).
backend/src/entities/cedar-authorization/cedar-policy-generator.ts Generate Cedar permits for table-level and per-event action event triggering.
backend/src/entities/cedar-authorization/cedar-permissions.service.ts Compute triggerCustomAction in returned table permissions and add action-event trigger checks.
backend/src/entities/cedar-authorization/cedar-entity-builder.ts Build ActionEvent Cedar entities parented by table to support resource in Table policies.
backend/src/entities/cedar-authorization/cedar-authorization.service.ts Extend validation to support ActionEvent resource evaluation.
backend/src/entities/cedar-authorization/cedar-action-map.ts Add ActionEventTrigger action, ActionEvent resource type, and probe constant.


Comment on lines +1435 to +1437
const owner = await registerUserAndReturnUserInfo(app);
const invitee = await inviteUserInCompanyAndAcceptInvitation(owner.token, 'USER', app, undefined);
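Review bot: the explicit trailing `undefined` in `inviteUserInCompanyAndAcceptInvitation(owner.token, 'USER', app, undefined)` is noise; drop the argument if the parameter is optional, or pass the named value it stands for so a reader can tell what the invitee is created without.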

Comment on lines +1506 to +1507
if (status > 201) {
throw new Error(`Expected 2xx, got ${status}`);
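Review bot: the guard `if (status > 201)` does not match its own message `Expected 2xx, got ${status}`: it rejects 202 through 299 and lets anything below 200 through. Use `if (status < 200 || status >= 300)`, or, if this helper only ever expects 200 or 201, say that in the message.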
Comment on lines +1485 to +1492
const groupId = JSON.parse(createGroupResult.text).id;

await request(app.getHttpServer())
.put('/group/user')
.set('Cookie', owner.token)
.send({ groupId, email: invitee.email })
.set('Content-Type', 'application/json')
.set('Accept', 'application/json');
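Review bot: the `PUT /group/user` response is awaited but never inspected, so a failed invitee-to-group assignment would not fail here and would only surface later as a confusing denial in the trigger assertions. Capture the result and assert on its status before continuing, so the test fails at the step that actually broke.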
@Artuomka Artuomka merged commit 10f541b into main May 21, 2026
19 of 20 checks passed
@Artuomka Artuomka deleted the backend_custom_table_action_permission branch May 21, 2026 14:55