
feat(permissions): Contains All ($all) operator support #5737

Merged
varonix0 merged 1 commit into main from daniel/agent-templating-funcs-docs on Mar 17, 2026

Conversation

@varonix0 (Member) commented Mar 17, 2026

Context

Added a new Contains All operator to the secret tags condition on the secrets permission subject. The existing Contains operator functions as an OR operator, meaning that if a secret contains one of the tags in the Contains array, it will allow access.

The Contains All operator is exactly the same as the Contains operator, except it requires the secrets to have ALL the tags defined in the condition.

It's built on the $all mongo2js operator which is natively supported in CASL, so no extra work for us!

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Updated CLAUDE.md files (if needed)
  • Read the contributing guide

@maidul98 (Collaborator)

Snyk checks have passed. No issues have been found so far.

Status   Scan Engine            Critical   High   Medium   Low   Total (0)
         Open Source Security   0          0      0        0     0 issues

varonix0 changed the title from "feat(permissions): $all (Contains All) operator support" to "feat(permissions): Contains All ($all) operator support" on Mar 17, 2026

@greptile-apps (Contributor, bot) commented Mar 17, 2026

Greptile Summary

This PR adds a $all ("Contains All") operator to the secretTags condition on the secrets permission subject, complementing the existing $in ("Contains") operator which acts as an OR match. The new operator requires a secret to have all specified tags before the permission condition is satisfied, enabling more precise tag-based access control.

The implementation is minimal and correct:

  • Adds $ALL = "$all" to the PermissionConditionOperators enum in both backend and frontend
  • Extends the SecretConditionV2Schema secretTags field to accept $all alongside $in
  • Registers the same array-of-strings Zod validation for $all as exists for $in
  • Adds the "Contains All" option to the frontend operator dropdown and its helper description text
  • Leverages the natively supported $all operator in @ucast/mongo2js (via buildMongoQueryMatcher) — no custom interpreter needed

Issues found:

  • The documentation at docs/internals/permissions/overview.mdx still states that secretTags "only supports $in operator". This needs to be updated to mention $all support, and the operators table on the same page should include an entry for $all.

Confidence Score: 4/5

  • This PR is safe to merge; the change is additive, backwards-compatible, and relies on a natively supported CASL/mongo2js operator with no custom logic required.
  • The implementation is clean, consistent with existing patterns, and uses a well-supported native operator. The only gap is an outdated documentation line that still describes secretTags as supporting only $in — not a runtime issue, but could mislead API users relying on the docs.
  • docs/internals/permissions/overview.mdx — documentation for secretTags operators needs updating.

Important Files Changed

  • backend/src/lib/casl/index.ts: Adds $ALL = "$all" to PermissionConditionOperators enum. The $all operator is natively supported by @ucast/mongo2js used in buildMongoQueryMatcher, so no additional interpreter registration is needed.
  • backend/src/ee/services/permission/permission-types.ts: Adds $ALL to PermissionConditionSchema with the same array-of-strings validation as $IN. Consistent with the existing pattern.
  • backend/src/ee/services/permission/project-permission.ts: Adds $ALL operator to secretTags in SecretConditionV2Schema. Only the V2 schema is modified, consistent with the codebase comment to not change V1.
  • frontend/src/pages/project/RoleDetailsBySlugPage/components/PermissionConditionHelpers.tsx: Adds "Contains All" SelectItem for the secretTags condition type in the operator dropdown, and adds a helper description for the $ALL operator. Changes are clean and consistent with the existing UI pattern.

Comments Outside Diff (1)

  1. docs/internals/permissions/overview.mdx, line 77

    P2 Outdated secretTags documentation

    The description for secretTags still says it "only supports $in operator", but this PR adds support for $all as well. This should be updated to reflect the new operator, and the operators table below should include a $all row.

Last reviewed commit: ffb1238
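To make the semantic difference concrete that the PR description (Context) and the Greptile summary both describe, here is an added example that is not part of the PR or of Infisical's code base: a small stand-alone matcher for a secretTags condition that implements $in as an any-match (OR) and $all as a subset-match (AND), evaluated over constructed sample secrets. It does not call @ucast/mongo2js; the operator semantics are written out inline so the example runs offline, and the secret shape, the function names and the sample tags are assumptions.

```typescript
// Added example (not the project's code): evaluate a secretTags permission
// condition with the $in ("Contains") and $all ("Contains All") operators.
type TagOperator = "$in" | "$all";
type SecretTagsCondition = Partial<Record<TagOperator, string[]>>;

// Assumed minimal secret shape: a name and its list of tag slugs.
interface Secret {
  name: string;
  tags: string[];
}

// True when every operator present in the condition is satisfied.
//   $in:  at least one of the listed tags is on the secret (OR semantics).
//   $all: every listed tag is on the secret (AND / subset semantics).
// Note: an empty $all list is vacuously satisfied by this matcher, while an
// empty $in list matches nothing; MongoDB itself matches nothing for
// `$all: []`, so the schema validation layer should reject empty lists
// rather than relying on the matcher's behaviour.
function matchesSecretTags(cond: SecretTagsCondition, secret: Secret): boolean {
  const tags = new Set(secret.tags);
  if (cond.$in !== undefined && !cond.$in.some((t) => tags.has(t))) {
    return false;
  }
  if (cond.$all !== undefined && !cond.$all.every((t) => tags.has(t))) {
    return false;
  }
  return true;
}

// Constructed sample secrets for the demonstration.
const sampleSecrets: Secret[] = [
  { name: "DB_PASSWORD", tags: ["prod", "db"] },
  { name: "API_KEY", tags: ["prod"] },
  { name: "DEV_TOKEN", tags: ["dev"] },
  { name: "UNTAGGED", tags: [] },
];

// Names of the sample secrets a given condition would grant access to.
function allowedSecrets(cond: SecretTagsCondition): string[] {
  return sampleSecrets
    .filter((s) => matchesSecretTags(cond, s))
    .map((s) => s.name);
}

// Same tag list, different operator: $in is broader than $all.
console.log("Contains     [prod, db] ->", allowedSecrets({ $in: ["prod", "db"] }));
console.log("Contains All [prod, db] ->", allowedSecrets({ $all: ["prod", "db"] }));
```

Running it shows the broadening effect a reviewer should keep in mind: with the same list, Contains grants DB_PASSWORD and API_KEY, while Contains All grants only DB_PASSWORD.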

@varonix0 varonix0 merged commit e2758b7 into main Mar 17, 2026
11 of 19 checks passed