mirror of
https://github.com/ModernRelay/omnigraph.git
synced 2026-07-12 03:12:11 +02:00
Make invoke_query graph-scoped (one branch authority)
invoke_query gates reaching the curated stored-query surface — a graph-level capability. Per-branch/snapshot access is already enforced by the inner read/change gate in run_query/run_mutate (authorized against the resolved branch), so branch-scoping the outer gate was redundant AND wrong for snapshot reads (it defaulted to main). Drop the branch dimension: remove InvokeQuery from uses_branch_scope (it joins admin as graph-scoped) and authorize the boundary gate with branch: None. Lossless: an actor confined to branch X by their read/change rules can still only invoke a stored query that touches X. A rule that sets branch_scope on invoke_query is now rejected by validate() — write invoke_query in its own rule. Ripple (atomic): restructure the server invoke fixture so invoke_query sits in its own branch_scope-free rule; invert invoke_query_is_branch_scoped -> invoke_query_rejects_branch_scope; the per-graph authorize test uses branch: None; docs (policy.md, server.md, the InvokeQuery doc). No wire/OpenAPI change.
This commit is contained in:
parent
c9e13f3707
commit
ad2fc27849
5 changed files with 53 additions and 48 deletions
|
|
@ -2213,7 +2213,11 @@ async fn server_invoke_query(
|
|||
handle.policy.as_deref(),
|
||||
PolicyRequest {
|
||||
action: PolicyAction::InvokeQuery,
|
||||
branch: req.branch.clone().or_else(|| Some("main".to_string())),
|
||||
// Graph-scoped: no branch dimension. The per-branch/snapshot
|
||||
// access is enforced by the inner read/change gate in the
|
||||
// runner, so the outer gate must not resolve a branch (doing so
|
||||
// was wrong for snapshot reads).
|
||||
branch: None,
|
||||
target_branch: None,
|
||||
},
|
||||
)
|
||||
|
|
|
|||
|
|
@ -249,25 +249,34 @@ groups:
|
|||
invoke_only: ["act-invokeonly"]
|
||||
protected_branches: [main]
|
||||
rules:
|
||||
- id: invokers-invoke-and-read
|
||||
# invoke_query is graph-scoped — its own rules, no branch_scope.
|
||||
- id: invokers-can-invoke
|
||||
allow:
|
||||
actors: { group: invokers }
|
||||
actions: [invoke_query, read]
|
||||
branch_scope: any
|
||||
- id: full-invoke-read-change
|
||||
actions: [invoke_query]
|
||||
- id: full-can-invoke
|
||||
allow:
|
||||
actors: { group: full }
|
||||
actions: [invoke_query, read, change]
|
||||
branch_scope: any
|
||||
- id: readers-read-only
|
||||
allow:
|
||||
actors: { group: readers }
|
||||
actions: [read]
|
||||
branch_scope: any
|
||||
- id: invoke-only-no-read
|
||||
actions: [invoke_query]
|
||||
- id: invoke-only-can-invoke
|
||||
allow:
|
||||
actors: { group: invoke_only }
|
||||
actions: [invoke_query]
|
||||
# read / change are branch-scoped.
|
||||
- id: invokers-can-read
|
||||
allow:
|
||||
actors: { group: invokers }
|
||||
actions: [read]
|
||||
branch_scope: any
|
||||
- id: full-can-read-change
|
||||
allow:
|
||||
actors: { group: full }
|
||||
actions: [read, change]
|
||||
branch_scope: any
|
||||
- id: readers-can-read
|
||||
allow:
|
||||
actors: { group: readers }
|
||||
actions: [read]
|
||||
branch_scope: any
|
||||
"#;
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue