Let merge-permission users write through dolt_conflicts_<t>#11032
Merged
tbantle22 merged 1 commit intoMay 12, 2026
Merged
Conversation
Adds a carve-out so a user with only branch_control.Permissions_Merge on a branch can resolve a merge that produced data conflicts by writing through the dolt_conflicts_<t> system tables. Lets PR reviewers on the SQL workbench finish a conflicting merge without being granted full write access on the target branch. Admission rule applied at every entry point: Write, OR (Merge AND MergeActive AND data conflicts exist). The "data conflicts exist" check is scoped to the specific table for the conflicts-table writers and to the working root for the DOLT_CONFLICTS_RESOLVE procedure. Implementation: - New checkConflictsTableWriteAccess helper in dtables/. Gates both ProllyConflictsTable.Updater and .Deleter (relaxing the existing Write gate added in #11030). - New ConflictsBypassMarker on context.Context, keyed by (db, branch, table). prollyConflictOurTableUpdater sets it before constructing the eagerly-built source-table srcUpdater; WritableDoltTable.Updater honors it as a Write-check bypass only when the marker matches the target table. Scoped narrowly so a marker for t1 cannot bypass writes on t2. - New CheckAccessOrMergeActive helper in dsess for procedure-level gating; DoDoltConflictsResolve now uses it. Tests in branch_control_test.go: extended the existing "Merge permission allows merge with conflicts" case with the full UPDATE -> DOLT_CONFLICTS_RESOLVE -> DOLT_COMMIT positive workflow; added a DELETE-path positive case; added a negative case for a merge-only user outside an active merge. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
tbantle22
merged commit 6217ad2
into
taylor/conflicts-delete-permission-gate
17 checks passed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Stacks on top of #11030. Adds a branch-control carve-out so a user with only
Permissions_Mergeon a branch can resolve a merge that produced data conflicts by writing throughdolt_conflicts_<t>and viaDOLT_CONFLICTS_RESOLVE. Lets a PR reviewer on the SQL workbench finish a conflicting merge without being granted full write access on the target branch.Admission rule applied at every entry point — Write, OR (Merge AND MergeActive AND data conflicts exist):
ProllyConflictsTable.Updater(dtables/conflicts_tables_prolly.go) — new gate viacheckConflictsTableWriteAccess.ProllyConflictsTable.Deleter(same file) — replaces the bareWritegate from Gate DELETE on dolt_conflicts_<t> with branch_control Write permission #11030 with the same helper.DoDoltConflictsResolve(dprocedures/dolt_conflicts_resolve.go) — newdsess.CheckAccessOrMergeActivehelper; "data conflicts exist" scoped to the working root.The
Updaterpath's source-tablesrcUpdateris constructed eagerly insidenewProllyConflictOurTableUpdater, so a merge-permission caller admitted at the outer gate would otherwise be rejected by the innerWritableDoltTable.UpdaterWrite check. To bridge that delegation chain:dsess.ConflictsBypassMarkerkeyed on(db, branch, table).prollyConflictOurTableUpdatersets it on a derived context just for the source-table writer factory call.WritableDoltTable.Updaterhonors the marker as a Write-check bypass only when it matches the target table. A marker fort1cannot leak into a write ont2.Test plan
"Merge permission allows merge with conflicts"(branch_control_test.go) with the full positive workflow: merge-only user runsUPDATE dolt_conflicts_test(write goes through to source table),CALL DOLT_CONFLICTS_RESOLVE,CALL DOLT_COMMIT. Source-table direct writes remain rejected."Merge permission allows DELETE from dolt_conflicts_<t> to resolve conflicts"— exercises the DELETE path end-to-end."Merge permission does not allow conflicts writes outside an active merge"— without an active merge, even a merge-permission user is rejected byDOLT_CONFLICTS_RESOLVEand by direct source-table writes.go test ./libraries/doltcore/sqle/enginetest/ -run "TestBranchControl"passes.go vet ./libraries/doltcore/sqle/...clean.Known limitation
When a merge-only user runs
UPDATE/DELETEondolt_conflicts_<t>with zero matching rows (e.g., empty conflicts table outside an active merge), the engine never invokes the writer's per-row methods, so the static error from the factory's permission check never surfaces. This is the same property that affects everyWritableDoltTablewrite check — consistent with existing Dolt behavior. The negative test asserts viaDOLT_CONFLICTS_RESOLVEand a direct source-table write instead, both of which run the gate regardless of matching-row count.🤖 Generated with Claude Code