-
Notifications
You must be signed in to change notification settings - Fork 0
Project Access Control
github-actions[bot] edited this page Jun 11, 2026
·
1 revision
Start here for a non-technical overview: Authorization layers explains role templates vs project membership vs system administrator.
OsWL uses two cooperating layers:
-
Global permissions (
Permissionon role templates) — e.g.SCAN_VIEW,LICENSE_EXPORT. -
Project membership (
project_members) — whether the signed-in user may access a specific project.
A user typically needs the relevant permission and project membership. System administrators bypass membership.
| Table | Purpose |
|---|---|
project_members |
Links user_id to project_id with role ADMIN or MEMBER
|
- ADMIN (membership) — assigned to the project creator at creation time.
-
MEMBER (membership) — default for other rows; feature gates still use global
Permissionvalues.
projects.created_by_user_id is used for bootstrap: on startup, projects with a creator and no members get the creator added as membership ADMIN.
ProjectAccessService is the single entry point:
| Method | Use |
|---|---|
assertCanViewProject(projectId) |
UI and read/write APIs scoped by project; 403 if denied |
assertCanSubmitScan(projectId, userId) |
CLI scan ingest after API key + password |
accessibleProjectIds() |
Filters project lists and trash for non–system-admin users |
These call assertCanViewProject (or equivalent service checks) before returning data:
| Area | Examples |
|---|---|
| Analysis UI | Security Center, License (including exports), Component Detail, Version Diff, Risk Trend, Scan History |
| API |
GET/POST /api/projects/{projectId}/keys, GET /api/vcs/branches?projectId=, scan status poll |
| Services |
ProjectService.getById, findAll, trash operations filtered by accessible IDs |
POST /api/scan requires:
- Valid project API key (interceptor).
- Submitter email + password with
SCAN_SUBMIT. - Submitter in
project_membersfor that project.
Audit events include SCAN.INGEST, SCAN.AUTH_FAILURE, SCAN.API_KEY_FAILURE, SCAN.AUTH_RATE_LIMITED. Rate limits are configurable via oswl.scan-api.*.
-
New installs: Hibernate
ddl-auto(or your schema tool) createsproject_members; creators are added automatically. -
Older databases: ensure the
project_memberstable exists, then restart soProjectMemberBootstrapRunnercan backfill creators where needed.