Add scopes in auth #76

Merged: JBorrow merged 6 commits into main from scopes-in-auth on Oct 29, 2025
@JBorrow (Member) commented Oct 29, 2025

Uses the scopes to bypass additional authentication requirements if the user owns the administrator grant.

@JBorrow JBorrow requested a review from Copilot October 29, 2025 21:12
Copilot AI (Contributor) left a comment

Pull Request Overview

This PR implements scope-based authorization for admin users in addition to the existing group-based access control. The main change introduces a scopes parameter throughout the service and API layers, allowing users with the "hippo:admin" scope to bypass group-based access restrictions.

Key changes:

  • Added scopes parameter to all service functions that perform access checks
  • Modified check_user_access() to grant access when "hippo:admin" is in scopes
  • Updated search and read functions to skip group-based filtering when "hippo:admin" scope is present
  • Updated all web and API endpoints to pass request.auth.scopes to service functions
  • Updated templates to check scopes instead of groups for admin access

Reviewed Changes

Copilot reviewed 19 out of 20 changed files in this pull request and generated 12 comments.

| File | Description |
| --- | --- |
| hipposerve/service/acl.py | Core access control logic updated to check scopes for admin access |
| hipposerve/service/product.py | All product service functions updated to accept and use scopes parameter |
| hipposerve/service/collection.py | All collection service functions updated to accept and use scopes parameter |
| hipposerve/api/product.py | API endpoints updated to pass scopes from request.auth |
| hipposerve/api/relationships.py | Relationship endpoints updated to pass scopes from request.auth |
| hipposerve/web/init.py | Web views updated to pass scopes from request.auth |
| hipposerve/web/search.py | Search endpoints updated to pass scopes from request.auth |
| hipposerve/web/auth.py | User page endpoint updated to pass scopes |
| hipposerve/web/templates/*.html | Templates updated to check scopes for admin access |
| tests/test_services/*.py | All test cases updated to pass scopes parameter |
| upload_cameras.py | New script for uploading camera timelapses |
| revise_metadata.py | New script for revising product metadata |
| make_collection.py | New script for creating collections |
| app.py | New marimo app for product management |
| .gitignore | Added patterns for uv.lock, .mp4, and product.json files |

Comments suppressed due to low confidence (3)

hipposerve/web/init.py:139

  • Call to function read with too few arguments; should be no fewer than 3.
    collection_instance = await collection.read(id, request.user.groups)

hipposerve/web/init.py:154

  • Call to function read with too few arguments; should be no fewer than 3.
    collection_instance = await collection.read(id, request.user.groups)

tests/test_services/conftest.py:144

  • Call to function delete with too few arguments; should be no fewer than 3.
    await collection.delete(
        id=data.id,
        groups=created_user.groups,
    )

Comment thread hipposerve/web/search.py Outdated
Comment thread hipposerve/web/search.py Outdated
Comment thread hipposerve/web/search.py Outdated
Comment thread hipposerve/web/search.py Outdated
Comment thread hipposerve/web/auth.py Outdated
Comment thread tests/test_services/test_collection_service.py Outdated
Comment thread tests/test_services/test_oversized_collection.py Outdated
Comment thread tests/test_services/test_hierarchical_collection.py Outdated
Comment thread tests/test_services/test_hierarchical_collection.py Outdated
Comment thread hipposerve/service/collection.py Outdated
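
The scope-or-group check summarized in the review above, as an added example that is not code from this pull request or from hipposerve. Only the "hippo:admin" string comes from the page; the `check_user_access` signature shown here, the `normalize_scopes` and `visible_items` helpers, and the sample groups are assumptions. It also shows why scopes should be compared as exact tokens in a collection: `in` on a plain string is a substring test.

```python
from __future__ import annotations

from collections.abc import Iterable

ADMIN_SCOPE = "hippo:admin"  # scope string quoted in the review above


def normalize_scopes(scopes: Iterable[str] | None) -> frozenset[str]:
    """Return scopes as a set of exact tokens; a missing value means no scopes."""
    if scopes is None:
        return frozenset()
    if isinstance(scopes, (str, bytes)):
        # "hippo:admin" in "hippo:admin-readonly" is a substring test and is
        # True, so a bare string is rejected rather than searched.
        raise TypeError("scopes must be a collection of strings, not a string")
    return frozenset(scopes)


def check_user_access(user_groups, scopes, allowed_groups) -> bool:
    """Hypothetical signature: the admin scope bypasses the group check."""
    if ADMIN_SCOPE in normalize_scopes(scopes):
        return True
    # Otherwise fall back to group membership: any shared group grants access.
    return not set(user_groups).isdisjoint(allowed_groups)


def visible_items(items, user_groups, scopes):
    """Filter constructed (name, readers) pairs the way a search would."""
    return [
        name
        for name, readers in items
        if check_user_access(user_groups, scopes, readers)
    ]
```

Because `scopes` has no default value here, a call site that was not updated fails with a `TypeError` instead of silently running with or without admin rights.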
@JBorrow JBorrow merged commit 458866a into main Oct 29, 2025
6 checks passed
@JBorrow JBorrow deleted the scopes-in-auth branch October 29, 2025 21:27