Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NOISSUE - Add send_invitation permission #2773

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

NOISSUE - Add send_invitation permission #2773

wants to merge 5 commits into from

Conversation

WashingtonKK
Copy link
Contributor

What type of PR is this?

What does this do?

Which issue(s) does this PR fix/relate to?

  • Related Issue #
  • Resolves #

Have you included tests for your changes?

Did you document any new/modified feature?

Notes

@WashingtonKK WashingtonKK requested a review from a team as a code owner March 26, 2025 12:54
@codecov Codecov
Copy link

codecov bot commented Mar 26, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 0% with 3 lines in your changes missing coverage. Please review.

Project coverage is 36.98%. Comparing base (e56b868) to head (c65fb87).

Files with missing lines Patch % Lines
domains/middleware/authorization.go 0.00% 3 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2773      +/-   ##
==========================================
- Coverage   41.73%   36.98%   -4.76%     
==========================================
  Files         352       30     -322     
  Lines       48692     4467   -44225     
==========================================
- Hits        20322     1652   -18670     
+ Misses      26156     2655   -23501     
+ Partials     2214      160    -2054

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

SammyOina
SammyOina requested changes Mar 26, 2025
View reviewed changes
domains/middleware/authorization.go Outdated
Comment on lines 270 to 281
func (am *authorizationMiddleware) billingPermissionCheck(ctx context.Context, domainID, subj, perm string) error {
req := authz.PolicyReq{
SubjectType: policies.UserType,
SubjectKind: policies.UsersKind,
Subject: subj,
Permission: perm,
ObjectType: policies.DomainType,
Object: domainID,
}
if err := am.authz.Authorize(ctx, req); err != nil {
return err
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we do not need a new function, just edit the current permission check

SammyOina
SammyOina requested changes Mar 26, 2025
View reviewed changes
domains/middleware/authorization.go Outdated
var ErrMemberExist = errors.New("user is already a member of the domain")
var (
ErrMemberExist = errors.New("user is already a member of the domain")
ErrPermissionFail = errors.New("billing permission failed")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there can be many auth callouts so error will be passed from auth service

domains/middleware/authorization.go Outdated
@@ -151,6 +154,10 @@ func (am *authorizationMiddleware) SendInvitation(ctx context.Context, session a
return err
}

if err := am.extAuthorize(ctx, auth.EncodeDomainUserID(invitation.DomainID, session.UserID), policies.SendInvitationPermission, policies.DomainType, invitation.DomainID); err != nil {
return errors.Wrap(svcerr.ErrAuthorization, ErrPermissionFail)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wrap err and authorization error

arvindh123
arvindh123 requested changes Mar 27, 2025
View reviewed changes
docker/spicedb/schema.zed
@@ -361,7 +361,8 @@ definition domain {
permission group_add_role_users_permission = group_add_role_users + team->group_add_role_users + organization->admin
permission group_remove_role_users_permission = group_remove_role_users + team->group_remove_role_users + organization->admin
permission group_view_role_users_permission = group_view_role_users + team->group_view_role_users + organization->admin


permission send_invitation = admin
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why don't we reuse the permission admin or add_role_users_permission?,

supermq/docker/spicedb/schema.zed

Line 323 in d842182

permission admin = read & update & enable & disable & delete & manage_role & add_role_users & remove_role_users & view_role_users

Because , invitation is similar to adding user to a role.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

adding user to role is not exactly the same. since invitations can be rejected.

The idea here is with billing if we are to limit the number of users in a workspace. we need to limit sending invitations and accepting invitations at the same time.

some psudocode:

  1. Send user inviation

  2. Billing callback checks if domain-members limit is exceeded. if not invitation sending is authorized

  3. when user is accepting invitation ("adding role user")

  4. billing will also check domain members limit. Allow the user to be added to domain or not

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it,
Then Can we have separate relation like relation send_invitations: role#member?
and separate permission like permission send_invitation_permission = send_invitations + organization->admin

What do you think about this approach ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if a new relation is needed, since it will add the number of options the user has on actions, but I don't mind if you'd like to add it on mg. Billing only cares about the permission in the auth request

@WashingtonKK @SammyOina
add send_invitation permission
5103087 
Signed-off-by: WashingtonKK <[email protected]>
@WashingtonKK @SammyOina
add permission check for billing
2842c51 
Signed-off-by: WashingtonKK <[email protected]>
@WashingtonKK @SammyOina
fix
4f8c55a 
Signed-off-by: WashingtonKK <[email protected]>
@WashingtonKK @SammyOina
refactor
c197ff6 
Signed-off-by: WashingtonKK <[email protected]>
@WashingtonKK @SammyOina
refactor permission check
c65fb87 
Signed-off-by: WashingtonKK <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arvindh123 arvindh123 arvindh123 requested changes

@SammyOina SammyOina SammyOina approved these changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@WashingtonKK @arvindh123 @SammyOina