Skip to content

feat(permissions): add rebase_branch permission#9124

Merged
gmazoyer merged 1 commit into
stablefrom
gma-20260504-rebase-permission
May 5, 2026
Merged

feat(permissions): add rebase_branch permission#9124
gmazoyer merged 1 commit into
stablefrom
gma-20260504-rebase-permission

Conversation

@gmazoyer

@gmazoyer gmazoyer commented May 4, 2026

Copy link
Copy Markdown
Contributor

Why & What

Until now rebasing a branch required super_admin, even when the user already had merge_branch and merge_proposed_change. That left admins with no way to delegate rebase to a regular user.

Add a rebase_branch global permission alongside the existing merge permissions, register it during first time initialization, and add a checker that gates the BranchRebase mutation.

Closes #8050

In a follow-up PR, that will target develop, I will probably try to get rid of checkers for branch merge and branch rebase. Having raise_for_permission call in the mutation code should suffice. This PR targets stable that why I went with another checker, to be consistent with what already exists.

Checklist

  • Tests added/updated
  • Changelog entry added (uv run towncrier create ...)
  • External docs updated (if user-facing or ops-facing change)
  • Internal .md docs updated (internal knowledge and AI code tools knowledge)
  • I have reviewed AI generated content

Until now rebasing a branch required super_admin, even when the
user already had merge_branch and merge_proposed_change. That left
admins with no way to delegate rebase to a regular user.

Add a rebase_branch global permission alongside the existing merge
permissions, register it during first time initialization, and add
a checker that gates the BranchRebase mutation.

Closes #8050
@github-actions github-actions Bot added the group/backend Issue related to the backend (API Server, Git Agent) label May 4, 2026
@gmazoyer gmazoyer force-pushed the gma-20260504-rebase-permission branch from edb825f to 2a7f382 Compare May 4, 2026 12:03
@codspeed-hq

codspeed-hq Bot commented May 4, 2026

Copy link
Copy Markdown

Merging this PR will not alter performance

✅ 12 untouched benchmarks


Comparing gma-20260504-rebase-permission (f13a1b7) with stable (a7617ec)1

Open in CodSpeed

Footnotes

  1. No successful run was found on stable (1ad7ef3) during the generation of this report, so a7617ec was used instead as the comparison base. There might be some changes unrelated to this pull request in this report.

@gmazoyer gmazoyer marked this pull request as ready for review May 4, 2026 12:34
@gmazoyer gmazoyer requested a review from a team as a code owner May 4, 2026 12:34

@polmichel polmichel left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! I have just written an optional comment

action=GlobalPermissions.REBASE_BRANCH.value, decision=PermissionDecision.ALLOW_ALL.value
)

async def supports(self, db: InfrahubDatabase, account_session: AccountSession, branch: Branch) -> bool: # noqa: ARG002

@polmichel polmichel May 4, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an optional comment:

It seems that all checkers are using this exact logic, except backend/infrahub/graphql/auth/query_permission_checker/anonymous_checker.py.

Would promote this behavior as default behavior of the interface be a good idea? The down side of this solution would be that persons that would implement future other classes could miss customizing this behavior.

Otherwise, creating another abstract class named AuthenticatedQueryPermissionCheckerBase which overrides the support method could be another option?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should keep it as is. it's a simple conditional that explicitly links the the actual check logic to its expected pre-conditions. and, like you said, it forces anyone adding a new subclass of GraphQLQueryPermissionCheckerInterface to consider when the check method should apply
I like DRY code too, but, in this case, I think forcing each subclass to write its own supports method is the better option

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice coverage

@gmazoyer gmazoyer force-pushed the gma-20260504-rebase-permission branch 3 times, most recently from 9d09432 to f13a1b7 Compare May 5, 2026 09:57
@gmazoyer gmazoyer merged commit 7298f33 into stable May 5, 2026
45 checks passed
@gmazoyer gmazoyer deleted the gma-20260504-rebase-permission branch May 5, 2026 10:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

group/backend Issue related to the backend (API Server, Git Agent)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

bug: Add rebase_branch global permission for non-admin users

3 participants