code0-tech · Taucher2003 · Nov 5, 2025 · Nov 5, 2025
diff --git a/app/graphql/sagittarius_schema.rb b/app/graphql/sagittarius_schema.rb
@@ -57,4 +57,6 @@ def self.object_from_id(global_id, query_ctx = nil)
 # rubocop:enable GraphQL/MaxDepthSchema
 # rubocop:enable GraphQL/MaxComplexitySchema
 
-Types::BaseObject.instance_variable_set(:@user_ability_types, nil) # release temporary type map
+if Types::BaseObject.instance_variable_defined?(:@user_ability_types)
+  Types::BaseObject.remove_instance_variable(:@user_ability_types) # release temporary type map
+end
diff --git a/app/graphql/types/base_object.rb b/app/graphql/types/base_object.rb
@@ -24,7 +24,7 @@ def self.timestamps(entity_name = graphql_name)
       field :updated_at, Types::TimeType, null: false, description: "Time when this #{entity_name} was last updated"
     end
 
-    def self.expose_abilities(abilities, entity_name = graphql_name)
+    def self.expose_abilities(abilities, entity_name: graphql_name, subject_resolver: nil)
       @user_ability_types ||= {}
 
       type_class = @user_ability_types.fetch("#{entity_name}UserAbilities", nil)
@@ -43,10 +43,11 @@ def self.expose_abilities(abilities, entity_name = graphql_name)
         abilities.each do |ability|
           field ability, Boolean,
                 null: false,
-                description: "Shows if the current user can #{ability} in this #{entity_name}"
+                description: "Shows if the current user has the `#{ability}` ability on this #{entity_name}"
 
           define_method(ability) do
-            Ability.allowed?(current_user, ability, object)
+            subject = subject_resolver.nil? ? object : subject_resolver.call
+            Ability.allowed?(current_authentication, ability, subject)
           end
         end
       end

diff --git a/app/graphql/types/flow_type.rb b/app/graphql/types/flow_type.rb
@@ -30,6 +30,10 @@ class FlowType < Types::BaseObject
           description: 'Nodes of the flow',
           method: :collect_node_functions
 
+    expose_abilities %i[
+      delete_flow
+    ]
+
     id_field Flow
     timestamps
 

diff --git a/app/graphql/types/namespace_member_type.rb b/app/graphql/types/namespace_member_type.rb
@@ -12,6 +12,11 @@ class NamespaceMemberType < Types::BaseObject
     field :member_roles, NamespaceMemberRoleType.connection_type, null: false, description: 'Memberroles of the member'
     field :roles, NamespaceRoleType.connection_type, null: false, description: 'Roles of the member'
 
+    expose_abilities %i[
+      assign_member_roles
+      delete_member
+    ]
+
     id_field NamespaceMember
     timestamps
   end

diff --git a/app/graphql/types/namespace_project_type.rb b/app/graphql/types/namespace_project_type.rb
@@ -23,6 +23,13 @@ class NamespaceProjectType < Types::BaseObject
 
     field :flows, Types::FlowType.connection_type, null: true, description: 'Fetches all flows in this project'
 
+    expose_abilities %i[
+      create_flow
+      assign_project_runtimes
+      delete_namespace_project
+      update_namespace_project
+    ]
+
     id_field NamespaceProject
     timestamps
 

diff --git a/app/graphql/types/namespace_role_type.rb b/app/graphql/types/namespace_role_type.rb
@@ -15,6 +15,13 @@ class NamespaceRoleType < BaseObject
     field :assigned_projects, Types::NamespaceProjectType.connection_type,
           description: 'The projects this role is assigned to'
 
+    expose_abilities %i[
+      assign_role_abilities
+      assign_role_projects
+      delete_namespace_role
+      update_namespace_role
+    ]
+
     id_field ::NamespaceRole
     timestamps
 

diff --git a/app/graphql/types/namespace_type.rb b/app/graphql/types/namespace_type.rb
@@ -22,6 +22,13 @@ class NamespaceType < Types::BaseObject
     lookahead_field :members, base_scope: ->(object) { object.namespace_members },
                               conditional_lookaheads: { user: :user, namespace: :namespace }
 
+    expose_abilities %i[
+      invite_member
+      create_namespace_role
+      create_namespace_project
+      create_runtime
+    ]
+
     id_field Namespace
     timestamps
   end

diff --git a/app/graphql/types/organization_type.rb b/app/graphql/types/organization_type.rb
@@ -13,6 +13,11 @@ class OrganizationType < Types::BaseObject
           description: 'Namespace of this organization',
           method: :ensure_namespace
 
+    expose_abilities %i[
+      delete_organization
+      update_organization
+    ]
+
     id_field Organization
     timestamps
   end

diff --git a/app/graphql/types/query_type.rb b/app/graphql/types/query_type.rb
@@ -44,6 +44,15 @@ class QueryType < Types::BaseObject
 
     field :global_runtimes, Types::RuntimeType.connection_type, null: false, description: 'Find runtimes'
 
+    expose_abilities %i[
+      create_organization
+      create_runtime
+      delete_runtime
+      update_runtime
+      rotate_runtime_token
+      update_application_setting
+    ], entity_name: 'Instance', subject_resolver: -> { :global }
+
     def node(id:)
       context.schema.object_from_id(id, context)
     end

diff --git a/app/graphql/types/runtime_type.rb b/app/graphql/types/runtime_type.rb
@@ -17,6 +17,12 @@ class RuntimeType < Types::BaseObject
 
     field :token, String, null: true, description: 'Token belonging to the runtime, only present on creation'
 
+    expose_abilities %i[
+      delete_runtime
+      update_runtime
+      rotate_runtime_token
+    ]
+
     id_field Runtime
     timestamps
 

diff --git a/app/graphql/types/user_session_type.rb b/app/graphql/types/user_session_type.rb
@@ -11,6 +11,10 @@ class UserSessionType < Types::BaseObject
     field :token, String, null: true, description: 'Token belonging to the session, only present on creation'
     field :user, Types::UserType, null: false, description: 'User that belongs to the session'
 
+    expose_abilities %i[
+      logout_session
+    ]
+
     id_field UserSession
     timestamps
 

diff --git a/app/graphql/types/user_type.rb b/app/graphql/types/user_type.rb
@@ -39,6 +39,11 @@ class UserType < Types::BaseObject
                     base_scope: ->(object) { object.namespace_memberships },
                     conditional_lookaheads: { user: :user, namespace: { namespace: :namespace_members } }
 
+    expose_abilities %i[
+      manage_mfa
+      update_user
+    ]
+
     id_field User
     timestamps
 

diff --git a/app/models/namespace_role_ability.rb b/app/models/namespace_role_ability.rb
@@ -25,9 +25,9 @@ class NamespaceRoleAbility < ApplicationRecord
     rotate_runtime_token: { db: 21, description: 'Allows to regenerate a runtime token' },
     assign_role_projects: { db: 22, description: 'Allows to change the assigned projects of a namespace role' },
     assign_project_runtimes: { db: 23, description: 'Allows to assign runtimes to a project in the namespace' },
-    create_flows: { db: 24, description: 'Allows to create flows in a namespace project' },
-    delete_flows: { db: 25, description: 'Allows to delete flows in a namespace project' },
-    update_flows: { db: 26, description: 'Allows to update flows in the project' },
+    create_flow: { db: 24, description: 'Allows to create flows in a namespace project' },
+    delete_flow: { db: 25, description: 'Allows to delete flows in a namespace project' },
+    update_flow: { db: 26, description: 'Allows to update flows in the project' },
   }.with_indifferent_access
   enum :ability, ABILITIES.transform_values { |v| v[:db] }, prefix: :can
 

diff --git a/app/policies/namespace_project_policy.rb b/app/policies/namespace_project_policy.rb
@@ -17,7 +17,7 @@ class NamespaceProjectPolicy < BasePolicy
   customizable_permission :read_namespace_project
   customizable_permission :update_namespace_project
   customizable_permission :delete_namespace_project
-  customizable_permission :create_flows
-  customizable_permission :update_flows
-  customizable_permission :delete_flows
+  customizable_permission :create_flow
+  customizable_permission :update_flow
+  customizable_permission :delete_flow
 end
diff --git a/app/services/namespaces/members/assign_roles_service.rb b/app/services/namespaces/members/assign_roles_service.rb
@@ -15,7 +15,7 @@ def initialize(current_authentication, member, roles)
 
       def execute
         namespace = member.namespace
-        unless Ability.allowed?(current_authentication, :assign_member_roles, namespace)
+        unless Ability.allowed?(current_authentication, :assign_member_roles, member)
           return ServiceResponse.error(message: 'Missing permissions', payload: :missing_permission)
         end
 

diff --git a/app/services/namespaces/projects/flows/create_service.rb b/app/services/namespaces/projects/flows/create_service.rb
@@ -15,7 +15,7 @@ def initialize(current_authentication, namespace_project:, **params)
         end
 
         def execute
-          unless Ability.allowed?(current_authentication, :create_flows, namespace_project)
+          unless Ability.allowed?(current_authentication, :create_flow, namespace_project)
             return ServiceResponse.error(message: 'Missing permission', payload: :missing_permission)
           end
 

diff --git a/app/services/namespaces/projects/flows/delete_service.rb b/app/services/namespaces/projects/flows/delete_service.rb
@@ -14,7 +14,7 @@ def initialize(current_authentication, flow:)
         end
 
         def execute
-          unless Ability.allowed?(current_authentication, :delete_flows, flow.project)
+          unless Ability.allowed?(current_authentication, :delete_flow, flow)
             return ServiceResponse.error(message: 'Missing permission', payload: :missing_permission)
           end
 

diff --git a/app/services/namespaces/roles/assign_abilities_service.rb b/app/services/namespaces/roles/assign_abilities_service.rb
@@ -15,7 +15,7 @@ def initialize(current_authentication, role, abilities)
 
       def execute
         namespace = role.namespace
-        unless Ability.allowed?(current_authentication, :assign_role_abilities, namespace)
+        unless Ability.allowed?(current_authentication, :assign_role_abilities, role)
           return ServiceResponse.error(message: 'Missing permissions', payload: :missing_permission)
         end
 

diff --git a/app/services/namespaces/roles/assign_projects_service.rb b/app/services/namespaces/roles/assign_projects_service.rb
@@ -15,7 +15,7 @@ def initialize(current_authentication, role, projects)
 
       def execute
         namespace = role.namespace
-        unless Ability.allowed?(current_authentication, :assign_role_projects, namespace)
+        unless Ability.allowed?(current_authentication, :assign_role_projects, role)
           return ServiceResponse.error(message: 'Missing permissions', payload: :missing_permission)
         end
 

diff --git a/app/services/runtimes/delete_service.rb b/app/services/runtimes/delete_service.rb
@@ -12,7 +12,7 @@ def initialize(current_authentication, runtime)
     end
 
     def execute
-      unless Ability.allowed?(current_authentication, :delete_runtime, runtime.namespace || :global)
+      unless Ability.allowed?(current_authentication, :delete_runtime, runtime || :global)
         return ServiceResponse.error(message: 'Missing permissions', payload: :missing_permission)
       end
 

diff --git a/app/services/runtimes/rotate_token_service.rb b/app/services/runtimes/rotate_token_service.rb
@@ -12,7 +12,7 @@ def initialize(current_authentication, runtime)
     end
 
     def execute
-      unless Ability.allowed?(current_authentication, :rotate_runtime_token, runtime.namespace || :global)
+      unless Ability.allowed?(current_authentication, :rotate_runtime_token, runtime || :global)
         return ServiceResponse.error(message: 'Missing permissions', payload: :missing_permission)
       end
 

diff --git a/app/services/runtimes/update_service.rb b/app/services/runtimes/update_service.rb
@@ -13,7 +13,7 @@ def initialize(current_authentication, runtime, params)
     end
 
     def execute
-      unless Ability.allowed?(current_authentication, :update_runtime, runtime.namespace || :global)
+      unless Ability.allowed?(current_authentication, :update_runtime, runtime || :global)
         return ServiceResponse.error(message: 'Missing permissions', payload: :missing_permission)
       end
 

diff --git a/docs/graphql/enum/namespaceroleability.md b/docs/graphql/enum/namespaceroleability.md
@@ -10,12 +10,12 @@ Represents abilities that can be granted to roles in namespaces.
 | `ASSIGN_PROJECT_RUNTIMES` | Allows to assign runtimes to a project in the namespace |
 | `ASSIGN_ROLE_ABILITIES` | Allows to change the abilities of a namespace role |
 | `ASSIGN_ROLE_PROJECTS` | Allows to change the assigned projects of a namespace role |
-| `CREATE_FLOWS` | Allows to create flows in a namespace project |
+| `CREATE_FLOW` | Allows to create flows in a namespace project |
 | `CREATE_NAMESPACE_LICENSE` | Allows to create a license for the namespace |
 | `CREATE_NAMESPACE_PROJECT` | Allows to create a project in the namespace |
 | `CREATE_NAMESPACE_ROLE` | Allows the creation of roles in a namespace |
 | `CREATE_RUNTIME` | Allows to create a runtime globally or for the namespace |
-| `DELETE_FLOWS` | Allows to delete flows in a namespace project |
+| `DELETE_FLOW` | Allows to delete flows in a namespace project |
 | `DELETE_MEMBER` | Allows to remove members of a namespace |
 | `DELETE_NAMESPACE_LICENSE` | Allows to delete the license of the namespace |
 | `DELETE_NAMESPACE_PROJECT` | Allows to delete the project of the namespace |
@@ -27,7 +27,7 @@ Represents abilities that can be granted to roles in namespaces.
 | `READ_NAMESPACE_LICENSE` | Allows to read the license of the namespace |
 | `READ_NAMESPACE_PROJECT` | Allows to read the project of the namespace |
 | `ROTATE_RUNTIME_TOKEN` | Allows to regenerate a runtime token |
-| `UPDATE_FLOWS` | Allows to update flows in the project |
+| `UPDATE_FLOW` | Allows to update flows in the project |
 | `UPDATE_NAMESPACE_PROJECT` | Allows to update the project of the namespace |
 | `UPDATE_NAMESPACE_ROLE` | Allows to update the namespace role |
 | `UPDATE_ORGANIZATION` | Allows to update the organization |

diff --git a/docs/graphql/object/flow.md b/docs/graphql/object/flow.md
@@ -18,4 +18,5 @@ Represents a flow
 | `startingNodeId` | [`NodeFunctionID!`](../scalar/nodefunctionid.md) | The ID of the starting node of the flow |
 | `type` | [`FlowType!`](../object/flowtype.md) | The flow type of the flow |
 | `updatedAt` | [`Time!`](../scalar/time.md) | Time when this Flow was last updated |
+| `userAbilities` | [`FlowUserAbilities!`](../object/flowuserabilities.md) | Abilities for the current user on this Flow |
 
diff --git a/docs/graphql/object/flowuserabilities.md b/docs/graphql/object/flowuserabilities.md
@@ -0,0 +1,12 @@
+---
+title: FlowUserAbilities
+---
+
+Abilities for the current user on this Flow
+
+## Fields without arguments
+
+| Name | Type | Description |
+|------|------|-------------|
+| `deleteFlow` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `delete_flow` ability on this Flow |
+
diff --git a/docs/graphql/object/instanceuserabilities.md b/docs/graphql/object/instanceuserabilities.md
@@ -0,0 +1,17 @@
+---
+title: InstanceUserAbilities
+---
+
+Abilities for the current user on this Instance
+
+## Fields without arguments
+
+| Name | Type | Description |
+|------|------|-------------|
+| `createOrganization` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `create_organization` ability on this Instance |
+| `createRuntime` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `create_runtime` ability on this Instance |
+| `deleteRuntime` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `delete_runtime` ability on this Instance |
+| `rotateRuntimeToken` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `rotate_runtime_token` ability on this Instance |
+| `updateApplicationSetting` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `update_application_setting` ability on this Instance |
+| `updateRuntime` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `update_runtime` ability on this Instance |
+
diff --git a/docs/graphql/object/namespace.md b/docs/graphql/object/namespace.md
@@ -17,4 +17,5 @@ Represents a Namespace
 | `roles` | [`NamespaceRoleConnection!`](../object/namespaceroleconnection.md) | Roles of the namespace |
 | `runtimes` | [`RuntimeConnection!`](../object/runtimeconnection.md) | Runtime of the namespace |
 | `updatedAt` | [`Time!`](../scalar/time.md) | Time when this Namespace was last updated |
+| `userAbilities` | [`NamespaceUserAbilities!`](../object/namespaceuserabilities.md) | Abilities for the current user on this Namespace |
 
diff --git a/docs/graphql/object/namespacelicense.md b/docs/graphql/object/namespacelicense.md
@@ -15,4 +15,5 @@ title: NamespaceLicense
 | `namespace` | [`Namespace!`](../object/namespace.md) | The namespace the license belongs to |
 | `startDate` | [`Time!`](../scalar/time.md) | The start date of the license |
 | `updatedAt` | [`Time!`](../scalar/time.md) | Time when this NamespaceLicense was last updated |
+| `userAbilities` | [`NamespaceLicenseUserAbilities!`](../object/namespacelicenseuserabilities.md) | Abilities for the current user on this NamespaceLicense |
 
diff --git a/docs/graphql/object/namespacelicenseuserabilities.md b/docs/graphql/object/namespacelicenseuserabilities.md
@@ -0,0 +1,12 @@
+---
+title: NamespaceLicenseUserAbilities
+---
+
+Abilities for the current user on this NamespaceLicense
+
+## Fields without arguments
+
+| Name | Type | Description |
+|------|------|-------------|
+| `deleteNamespaceLicense` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `delete_namespace_license` ability on this NamespaceLicense |
+
diff --git a/docs/graphql/object/namespacemember.md b/docs/graphql/object/namespacemember.md
@@ -15,4 +15,5 @@ Represents a namespace member
 | `roles` | [`NamespaceRoleConnection!`](../object/namespaceroleconnection.md) | Roles of the member |
 | `updatedAt` | [`Time!`](../scalar/time.md) | Time when this NamespaceMember was last updated |
 | `user` | [`User!`](../object/user.md) | User this member belongs to |
+| `userAbilities` | [`NamespaceMemberUserAbilities!`](../object/namespacememberuserabilities.md) | Abilities for the current user on this NamespaceMember |
 
diff --git a/docs/graphql/object/namespacememberuserabilities.md b/docs/graphql/object/namespacememberuserabilities.md
@@ -0,0 +1,13 @@
+---
+title: NamespaceMemberUserAbilities
+---
+
+Abilities for the current user on this NamespaceMember
+
+## Fields without arguments
+
+| Name | Type | Description |
+|------|------|-------------|
+| `assignMemberRoles` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `assign_member_roles` ability on this NamespaceMember |
+| `deleteMember` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `delete_member` ability on this NamespaceMember |
+
diff --git a/docs/graphql/object/namespaceproject.md b/docs/graphql/object/namespaceproject.md
@@ -17,6 +17,7 @@ Represents a namespace project
 | `primaryRuntime` | [`Runtime`](../object/runtime.md) | The primary runtime for the project |
 | `runtimes` | [`RuntimeConnection!`](../object/runtimeconnection.md) | Runtimes assigned to this project |
 | `updatedAt` | [`Time!`](../scalar/time.md) | Time when this NamespaceProject was last updated |
+| `userAbilities` | [`NamespaceProjectUserAbilities!`](../object/namespaceprojectuserabilities.md) | Abilities for the current user on this NamespaceProject |
 
 ## Fields with arguments
 

diff --git a/docs/graphql/object/namespaceprojectuserabilities.md b/docs/graphql/object/namespaceprojectuserabilities.md
@@ -0,0 +1,15 @@
+---
+title: NamespaceProjectUserAbilities
+---
+
+Abilities for the current user on this NamespaceProject
+
+## Fields without arguments
+
+| Name | Type | Description |
+|------|------|-------------|
+| `assignProjectRuntimes` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `assign_project_runtimes` ability on this NamespaceProject |
+| `createFlow` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `create_flow` ability on this NamespaceProject |
+| `deleteNamespaceProject` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `delete_namespace_project` ability on this NamespaceProject |
+| `updateNamespaceProject` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `update_namespace_project` ability on this NamespaceProject |
+
diff --git a/docs/graphql/object/namespacerole.md b/docs/graphql/object/namespacerole.md
@@ -15,4 +15,5 @@ Represents a namespace role.
 | `name` | [`String!`](../scalar/string.md) | The name of this role |
 | `namespace` | [`Namespace`](../object/namespace.md) | The namespace where this role belongs to |
 | `updatedAt` | [`Time!`](../scalar/time.md) | Time when this NamespaceRole was last updated |
+| `userAbilities` | [`NamespaceRoleUserAbilities!`](../object/namespaceroleuserabilities.md) | Abilities for the current user on this NamespaceRole |