[P0][security] Permission lifecycle ops ungated (allowTransfer/allowRestore/allowPurge) #1883

Description

@os-zhuang

Part of the metadata liveness audit umbrella #1878 (P0 security cluster).

Problem

Destructive record lifecycle operations are not gated by RBAC. allowTransfer / allowRestore / allowPurge are omitted from OPERATION_TO_PERMISSION (permission-evaluator.ts:8-16), so:

  • ownership transfer,
  • undelete (restore), and
  • hard-delete / GDPR purge

run without any permission check. These are exactly the operations that most need RBAC gating.

Decision required (enforce or remove)

  • Enforce: add transfer/restore/purge entries to OPERATION_TO_PERMISSION and ensure the corresponding routes/services consult the evaluator before executing.
  • Remove: if these ops are intentionally unrestricted, drop the allowTransfer/allowRestore/allowPurge permission props from the spec.

Evidence

  • docs/audits/2026-06-security-identity-property-liveness.md
  • permission-evaluator.ts:8-16 (OPERATION_TO_PERMISSION)
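A worked illustration of the gap and of the "Enforce" option, added here as example code (not the project's own permission-evaluator.ts); the operation names, the role-spec shape, the function names and the sample role are assumptions:

```typescript
// Added example, not the project's code: a minimal permission evaluator in the
// shape the issue describes. Operation names, role-spec shape, function names
// and the sample role are assumptions.
type Operation = "read" | "update" | "delete" | "transfer" | "restore" | "purge";
type PermissionProp =
  | "allowRead" | "allowUpdate" | "allowDelete"
  | "allowTransfer" | "allowRestore" | "allowPurge";
type RoleSpec = Partial<Record<PermissionProp, boolean>>;
const ALL_OPERATIONS: Operation[] =
  ["read", "update", "delete", "transfer", "restore", "purge"];

// Before: the lifecycle ops are absent, so looking them up yields undefined.
const OPERATION_TO_PERMISSION_BEFORE: Partial<Record<Operation, PermissionProp>> = {
  read: "allowRead",
  update: "allowUpdate",
  delete: "allowDelete",
};

// An evaluator that treats "no mapping" as "nothing to check" lets the operation
// through: this is the ungated behaviour the issue reports.
function isAllowedBefore(spec: RoleSpec, op: Operation): boolean {
  const prop = OPERATION_TO_PERMISSION_BEFORE[op];
  if (prop === undefined) return true; // unmapped op: check silently skipped
  return spec[prop] === true;
}

// After ("Enforce"): a complete table, typed as a total Record so that a missing
// operation is a compile error, paired with a deny-by-default evaluator.
const OPERATION_TO_PERMISSION: Record<Operation, PermissionProp> = {
  read: "allowRead",
  update: "allowUpdate",
  delete: "allowDelete",
  transfer: "allowTransfer",
  restore: "allowRestore",
  purge: "allowPurge",
};
function isAllowed(spec: RoleSpec, op: Operation): boolean {
  const prop: PermissionProp | undefined = OPERATION_TO_PERMISSION[op];
  if (prop === undefined) return false; // unmapped op: refuse, never skip
  return spec[prop] === true;
}

// Audit check for CI: which operations have no permission mapping at all?
function unmappedOperations(table: Partial<Record<Operation, PermissionProp>>): Operation[] {
  return ALL_OPERATIONS.filter((op) => table[op] === undefined);
}

// Constructed sample role: may read and update, no lifecycle permissions granted.
const editorRole: RoleSpec = { allowRead: true, allowUpdate: true };
```

With the "before" table the sample role can purge a record although it was never granted allowPurge; with the complete table and deny-by-default evaluator the same call is refused, and unmappedOperations gives a CI test that fails whenever a new operation is added without a mapping.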

Labels: priority:p0, Critical: blocker, must ship before MVP, security