
feat(collections): enforce RBAC on all collection handlers #2892

Merged: subomi merged 6 commits into main from collections-rbac-audit on May 18, 2026

Conversation


@subomi subomi commented May 18, 2026

Summary

Phase 1 of the collections RBAC + audit plan (plan.md): close the authorization gap on server/internal/collections/, where the authz.Engine was injected via auth.Auth but never invoked. Scopes mirror plugins (the closest org-scoped MCP-adjacent precedent) — no new scopes needed.

Server

  • Service now holds *authz.Engine directly and gates every handler:
    • org:read: List, ListServers
    • org:admin: Create, Update, Delete, AttachServer, DetachServer
  • New rbac_test.go covers denied-without-grants, denied-with-wrong-scope, allowed-with-correct-grant, and denied-with-wrong-org-id per operation, using authztest.WithExactGrants.

Dashboard

Aligns the UI gating with the new server rules:

  • Sidebar: Collections nav item visible to org:read (was org:admin-only).
  • Collections list & detail pages: page-level RequireScope widened to ["org:read", "org:admin"].
  • Mutation affordances (create button, edit/delete, attach/detach server, the CreateCollection page itself) kept behind org:admin via section- and component-level RequireScope wrappers, so read-only members see the data but can't mutate.

Phase 2 (audit logging + URN type) ships separately.

Test plan

  • mise run lint:server
  • mise run test:server ./internal/collections/... — RBAC tests pass
  • Server: collection CRUD as member (mutations 403, list ok) and as admin (all allowed)
  • Dashboard: as org:read member — sidebar item shows, list + detail render, all mutation controls hidden
  • Dashboard: as org:admin — full CRUD works end-to-end

Resolves AGE-2416

🤖 Generated with Claude Code

Adds authz.Engine to the collections Service and gates each handler:
org:read for List/ListServers, org:admin for Create/Update/Delete/
AttachServer/DetachServer. Closes an authorization gap where collection
mutations were ungated despite the engine being injected via auth.Auth.

Includes rbac_test.go covering denied/allowed paths per operation plus
wrong-resource-id cases.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
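The per-handler scope gating and the grant matrix (denied without grants, denied with the wrong scope, allowed with the right grant, denied for the wrong org id) described in the PR summary, as an added illustration that is not Gram's code: the `Engine`, `Grant`, `Principal` and `Service` types here are hypothetical stand-ins for the project's `authz.Engine` and `authztest.WithExactGrants`, and the assumption that reads accept either `org:read` or `org:admin` follows the dashboard's widened `RequireScope`.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical grant model, not Gram's authz.Engine: a principal holds
// named scopes on specific org IDs, so a grant on org_a says nothing
// about org_b (the "wrong-org-id" case the PR's tests cover).
type Grant struct{ OrgID, Scope string }
type Principal struct{ Grants []Grant }

var ErrForbidden = errors.New("forbidden")

// Engine answers "does p hold any of the listed scopes on orgID?".
type Engine struct{}

func (Engine) Check(p Principal, orgID string, scopes ...string) error {
	for _, g := range p.Grants {
		for _, s := range scopes {
			if g.OrgID == orgID && g.Scope == s {
				return nil
			}
		}
	}
	return ErrForbidden
}

// Scope table per collection operation, mirroring the PR's rules.
// Assumption: reads accept org:read or org:admin; mutations need org:admin.
var requiredScopes = map[string][]string{
	"List": {"org:read", "org:admin"}, "ListServers": {"org:read", "org:admin"},
	"Create": {"org:admin"}, "Update": {"org:admin"}, "Delete": {"org:admin"},
	"AttachServer": {"org:admin"}, "DetachServer": {"org:admin"},
}

// Service holds the engine directly and consults it before any data access.
type Service struct{ authz Engine }

func (s Service) Authorize(p Principal, orgID, op string) error {
	scopes, ok := requiredScopes[op]
	if !ok {
		// Fail closed: an operation with no rule is never authorized.
		return fmt.Errorf("%w: no scope rule for %q", ErrForbidden, op)
	}
	return s.authz.Check(p, orgID, scopes...)
}
```

Every handler calls `Authorize` with the org id from the request before touching storage; an operation missing from the table is denied rather than silently allowed.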
vercel Bot commented May 18, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: gram-docs-redirect | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): May 18, 2026 10:52am

@claude claude Bot left a comment

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

changeset-bot Bot commented May 18, 2026

🦋 Changeset detected

Latest commit: 5436ddd

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages:
  • server: Minor
  • dashboard: Minor

@github-actions github-actions Bot added the preview Spawn a preview environment label May 18, 2026

speakeasybot commented May 18, 2026

🚀 Preview Environment (PR #2892)

Preview URL: https://pr-2892.dev.getgram.ai

  • ✅ Database: Ready (existing database reused), updated 2026-05-18 10:57:05 UTC
  • ✅ Images: Available (container images ready), updated 2026-05-18 10:56:47 UTC

Gram Preview Bot

Collections list is gated by org:read, so the sidebar item should be
visible to read-only members, not just org:admin.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
subomi and others added 3 commits May 18, 2026 10:03
…:admin

Collections list and detail pages open up to org:read members to match
the server-side read gate, while mutation affordances (create, update,
delete, attach/detach server) stay behind org:admin via section- and
component-level RequireScope wrappers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@subomi subomi added this pull request to the merge queue May 18, 2026
Merged via the queue into main with commit 4ea14f3 May 18, 2026
30 checks passed
@subomi subomi deleted the collections-rbac-audit branch May 18, 2026 11:36
@github-actions github-actions Bot locked and limited conversation to collaborators May 18, 2026