Replace wildcard role-permission expansion with explicit lists #5571

Merged
ramonsmits merged 3 commits into auth from permission-wildcard-to-explicit-list on Jul 2, 2026

Conversation

@ramonsmits ramonsmits (Member) commented Jul 2, 2026

Alternative to:

Removes the wildcard/exclusion pattern machinery (Expand(), segment matching) from RolePermissions and declares each role's permissions as explicit constant lists built from additive groups (Read, ReadConfiguration, Operate, Configure). The resulting per-role sets are identical to #5569: reader = all views, writer = operate but no licensing/notifications/redirects/throughput access, admin = everything.

A guard test fails when a new Permissions constant is not assigned to any role, so every new permission requires an explicit classification decision instead of being granted implicitly by a wildcard.

Roles are explicit permission-constant lists built from four additive groups: Read (16 views), ReadConfiguration (licensing/notifications/redirects/throughput views), Operate (message triage, housekeeping deletes, endpoints/connections manage), Configure (licensing/notifications/redirects/throughput manage + test). Reader = Read + ReadConfiguration, Writer = Read + Operate, Admin = everything. All pattern parsing/expansion machinery is removed.

The sets match the include/exclude patterns of #5569 exactly: writer holds endpoints:manage and connections:manage but has no access to the licensing/notifications/redirects/throughput areas (not even :view), so reader is intentionally not a subset of writer.

Guard tests break the build when a new permission constant is not assigned to a role, enforce reader/writer ⊂ admin, and pin writer's configuration-area exclusions.
@ramonsmits ramonsmits marked this pull request as ready for review July 2, 2026 10:06
@ramonsmits ramonsmits requested review from WilliamBZA and dvdstelt July 2, 2026 10:06

@WilliamBZA WilliamBZA (Member) left a comment

Much better!

@ramonsmits ramonsmits merged commit 000f47e into auth Jul 2, 2026
33 checks passed
@ramonsmits ramonsmits deleted the permission-wildcard-to-explicit-list branch July 2, 2026 15:03