feat(permissions): add rebase_branch permission#9124
Conversation
Until now rebasing a branch required super_admin, even when the user already had merge_branch and merge_proposed_change. That left admins with no way to delegate rebase to a regular user. Add a rebase_branch global permission alongside the existing merge permissions, register it during first time initialization, and add a checker that gates the BranchRebase mutation. Closes #8050
edb825f to
2a7f382
Compare
polmichel
left a comment
There was a problem hiding this comment.
LGTM! I have just written an optional comment
| action=GlobalPermissions.REBASE_BRANCH.value, decision=PermissionDecision.ALLOW_ALL.value | ||
| ) | ||
|
|
||
| async def supports(self, db: InfrahubDatabase, account_session: AccountSession, branch: Branch) -> bool: # noqa: ARG002 |
There was a problem hiding this comment.
This is an optional comment:
It seems that all checkers are using this exact logic, except backend/infrahub/graphql/auth/query_permission_checker/anonymous_checker.py.
Would promote this behavior as default behavior of the interface be a good idea? The down side of this solution would be that persons that would implement future other classes could miss customizing this behavior.
Otherwise, creating another abstract class named AuthenticatedQueryPermissionCheckerBase which overrides the support method could be another option?
There was a problem hiding this comment.
I think we should keep it as is. it's a simple conditional that explicitly links the the actual check logic to its expected pre-conditions. and, like you said, it forces anyone adding a new subclass of GraphQLQueryPermissionCheckerInterface to consider when the check method should apply
I like DRY code too, but, in this case, I think forcing each subclass to write its own supports method is the better option
9d09432 to
f13a1b7
Compare
Why & What
Until now rebasing a branch required super_admin, even when the user already had merge_branch and merge_proposed_change. That left admins with no way to delegate rebase to a regular user.
Add a rebase_branch global permission alongside the existing merge permissions, register it during first time initialization, and add a checker that gates the BranchRebase mutation.
Closes #8050
In a follow-up PR, that will target
develop, I will probably try to get rid of checkers for branch merge and branch rebase. Havingraise_for_permissioncall in the mutation code should suffice. This PR targetsstablethat why I went with another checker, to be consistent with what already exists.Checklist
uv run towncrier create ...)