feat: require explicit admin override for self-approval; fix :run PID file #216
Merged
Admin users now follow the same self-approval path as regular users when
reviewing their own pushes. ROLE_ADMIN alone no longer bypasses the
identity check for self-review — admins either use the self-certify path
(ROLE_SELF_CERTIFY + repo permission) or must explicitly activate an
admin override toggle in the dashboard UI.
Changes:
- Backend: checkReviewerIdentity now treats admin self-review the same
as regular user self-review unless adminOverride=true is sent in the
approve request body. Admins reviewing someone else's push still bypass
unconditionally. isSelfApproval only flags the attestation when the
override is explicitly used.
- Frontend: isSelfReview applies to admins too; self-certify blue banner
shown for admins with the permission; admin override toggle is hidden
when self-certify is active and only surfaces as a low-prominence link
for the break-glass case.
- Fix :run PID file: applicationDefaultJvmArgs only applies to generated
distribution scripts, not the Gradle JavaExec run task. Added the
-Dgitproxyjava.pidfile JVM arg explicitly to tasks.named('run') in
both server and dashboard build.gradle so :stop works after ctrl+c.
- Local config: grant thomas-cooper ROLE_SELF_CERTIFY so the self-certify
path is exercisable in local dev without needing the admin override.
closes #184
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
- ROLE_ADMIN alone no longer bypasses the self-approval identity check. Admins either self-certify (via ROLE_SELF_CERTIFY + repo permission, same as any user) or must explicitly activate an Enable admin override toggle in the dashboard UI for break-glass situations.
- selfApproval=true is only recorded in the audit log when the override flag is explicitly used — admin self-certify approvals are no longer incorrectly flagged.
- :run PID file: applicationDefaultJvmArgs only applies to generated distribution scripts, not the Gradle JavaExec run task. Added -Dgitproxyjava.pidfile explicitly to tasks.named('run') in both build.gradle files so ./gradlew :stop works correctly after ctrl+c.
- thomas-cooper ROLE_SELF_CERTIFY so the self-certify path is exercisable without needing the admin override.

Test plan
- selfApproval: true
- selfApproval: false
- ./gradlew :git-proxy-java-dashboard:run then ctrl+c then ./gradlew :git-proxy-java-dashboard:stop — confirm "Stopping … (PID: …)" rather than "No PID file found"
- ./gradlew :git-proxy-java-dashboard:test passes
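
The self-review decision this PR describes, sketched as an added Java example; it is not the project's code. The class, record, enum and method names are hypothetical, the sample requests are constructed, and checking self-certify before the override is an assumption based on the UI hiding the toggle when self-certify is active.

```java
import java.util.Set;

// Added illustration, not git-proxy-java's code. Role names, adminOverride and
// selfApproval come from the PR text; every other name is hypothetical.
public class SelfReviewPolicy {
    enum Outcome { ALLOW, ALLOW_SELF_CERTIFIED, ALLOW_ADMIN_OVERRIDE, DENY }

    // Assumed: roles and repoSelfCertify are resolved server-side;
    // adminOverride is the only field taken from the approve request body.
    record Request(String reviewer, String pusher, Set<String> roles,
                   boolean repoSelfCertify, boolean adminOverride) {}

    static Outcome decide(Request r) {
        if (!r.reviewer().equals(r.pusher())) {
            return Outcome.ALLOW; // not a self-review; other checks are out of scope
        }
        // Self-certify path: identical for admins and regular users.
        if (r.roles().contains("ROLE_SELF_CERTIFY") && r.repoSelfCertify()) {
            return Outcome.ALLOW_SELF_CERTIFIED;
        }
        // Break-glass: the client-supplied flag counts only with ROLE_ADMIN.
        if (r.adminOverride() && r.roles().contains("ROLE_ADMIN")) {
            return Outcome.ALLOW_ADMIN_OVERRIDE;
        }
        return Outcome.DENY;
    }

    // Only an explicit override marks the audit record as a self-approval.
    static boolean selfApproval(Outcome o) {
        return o == Outcome.ALLOW_ADMIN_OVERRIDE;
    }

    public static void main(String[] args) {
        Set<String> admin = Set.of("ROLE_ADMIN");
        Request[] cases = { // constructed sample requests
            new Request("alice", "alice", admin, false, false), // admin, own push, no flag
            new Request("alice", "alice", admin, false, true),  // admin, own push, override
            new Request("alice", "alice", Set.of("ROLE_ADMIN", "ROLE_SELF_CERTIFY"), true, false),
            new Request("bob", "bob", Set.of(), false, true),   // non-admin sends the flag
            new Request("alice", "bob", admin, false, false),   // admin, someone else's push
        };
        for (Request c : cases) {
            Outcome o = decide(c);
            System.out.printf("%s reviewing %s override=%b -> %s selfApproval=%b%n",
                    c.reviewer(), c.pusher(), c.adminOverride(), o, selfApproval(o));
        }
    }
}
```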