fix: list-my-workspaces permissions were broken (#1002)

list-my-workspaces has AUTHENTICATED scope, so anyone is permitted
to run the operation.  No specific permission grant is needed.
cybermaggedon 2026-06-29 09:13:05 +01:00 committed by GitHub
parent 0a828379be
commit 5cb4f83afa
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 2 additions and 4 deletions


@ -100,7 +100,6 @@ multi-word subsystems.
| `users:admin` | Assign / remove roles on users within the workspace |
| `keys:self` | Create / revoke / list **own** API keys |
| `keys:admin` | Create / revoke / list **any user's** API keys within the workspace |
| `workspaces:list-own` | List workspaces the caller has access to |
| `workspaces:admin` | Create / delete / disable workspaces (system-level) |
| `iam:admin` | JWT signing-key rotation, IAM-level operations |
| `metrics:read` | Prometheus metrics proxy |
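Review bot: dropping the `workspaces:list-own` row leaves the capability table with no statement of how `list-my-workspaces` is gated now, so a reader of this document cannot tell whether the operation is open, authenticated-only, or admin-only. Suggest adding a short note under the table (or a row such as "| *(any authenticated caller)* | List workspaces the caller has access to (`list-my-workspaces`) |") so the documentation matches the AUTHENTICATED scope the commit message describes.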
@ -111,7 +110,7 @@ The open-source edition ships three roles:
| Role | Capabilities |
|---|---|
| `reader` | `agent`, `graph:read`, `documents:read`, `rows:read`, `llm`, `embeddings`, `mcp`, `collections:read`, `knowledge:read`, `flows:read`, `config:read`, `keys:self`, `workspaces:list-own` |
| `reader` | `agent`, `graph:read`, `documents:read`, `rows:read`, `llm`, `embeddings`, `mcp`, `collections:read`, `knowledge:read`, `flows:read`, `config:read`, `keys:self` |
| `writer` | everything in `reader` **+** `graph:write`, `documents:write`, `rows:write`, `collections:write`, `knowledge:write` |
| `admin` | everything in `writer` **+** `config:write`, `flows:write`, `users:read`, `users:write`, `users:admin`, `keys:admin`, `workspaces:admin`, `iam:admin`, `metrics:read` |
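Review bot: the `reader` row is updated, and `writer` and `admin` inherit from it, so the role table is internally consistent; but nothing in this file explains the AUTHENTICATED scope that replaces the removed capability. Since `workspaces:list-own` no longer exists anywhere in the role set, a search of the remaining docs and any policy fixtures or tests for that string should come back empty after this change, otherwise stale references will describe a capability that can no longer be granted.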


@ -311,7 +311,7 @@ register(Operation(
))
register(Operation(
name="list-my-workspaces",
capability="workspaces:list-own",
capability=AUTHENTICATED,
resource_level=ResourceLevel.SYSTEM,
extract_resource=_empty_resource,
extract_parameters=_no_parameters,
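Review bot: `AUTHENTICATED` is used as a bare name at line `capability=AUTHENTICATED,` but this hunk adds no import, and the commit summary (2 additions, 4 deletions) shows no import line was added elsewhere; confirm the name is already imported or defined in this module, since an undefined name here fails at import time when the registration table is built, not at request time. Also worth confirming that the authorization path skips the resource check for AUTHENTICATED operations, because the entry keeps `resource_level=ResourceLevel.SYSTEM` with `extract_resource=_empty_resource`, and a SYSTEM-level check against an empty resource would otherwise either deny every caller or be a no-op, and which one should be deliberate rather than accidental.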


@ -78,7 +78,6 @@ _READER_CAPS = {
"collections:read",
"knowledge:read",
"keys:self",
"workspaces:list-own",
}
_WRITER_CAPS = _READER_CAPS | {
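Review bot: removing `"workspaces:list-own"` from `_READER_CAPS` widens who can call `list-my-workspaces` from role holders to every authenticated principal, which the commit message states is intended; since that now includes API keys and accounts with no role at all, a regression test should assert both halves of the new behaviour: a principal with no role can invoke the operation, and the result is still limited to workspaces that principal has access to (the "my" in the operation name), rather than becoming a system-wide listing.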