Monorepo for Tangled
tangled.org
rbac: scope repo collaborator listing to role, no more knot-member check
Lewis: May this revision serve well! <lewis@tangled.org>
author
Lewis
committer
Tangled
date
(Jun 16, 2026, 9:04 PM +0300)
commit
6dc5c9d8
6dc5c9d824e0ac95c88e548e97da552cdc67ba2a
parent
30a2d031
30a2d0316e14647f510ae35aafb6ab5766ab3449
change-id
ynvqrkkt
ynvqrkktkskynrqxlxokqmosntpxolnu
+36
-7
+13
-6
rbac/rbac.go
+13
-6
rbac/rbac.go
···
264
264
}
265
265
266
266
func (e *Enforcer) GetUserByRoleInRepo(role, domain, repo string) ([]string, error) {
267
-
var users []string
268
-
269
267
policies, err := e.E.GetImplicitUsersForResourceByDomain(repo, domain)
268
+
if err != nil {
269
+
return nil, err
270
+
}
271
+
272
+
var users []string
270
273
for _, p := range policies {
271
274
user := p[0]
272
-
if strings.HasPrefix(user, "did:") {
275
+
if !strings.HasPrefix(user, "did:") {
276
+
continue
277
+
}
278
+
ok, err := e.E.Enforce(user, domain, repo, role)
279
+
if err != nil {
280
+
return nil, err
281
+
}
282
+
if ok {
273
283
users = append(users, user)
274
284
}
275
-
}
276
-
if err != nil {
277
-
return nil, err
278
285
}
279
286
280
287
slices.Sort(users)
+23
-1
rbac/rbac_test.go
+23
-1
rbac/rbac_test.go
···
172
172
collaborators, err := e.GetUserByRoleInRepo("repo:collaborator", knot, repo)
173
173
assert.NoError(t, err)
174
174
assert.ElementsMatch(t, []string{
175
-
"did:plc:foo", // owner
176
175
"did:plc:bar", // collaborator1
177
176
"did:plc:baz", // collaborator2
178
177
}, collaborators)
178
+
assert.NotContains(t, collaborators, owner, "owner does not hold repo:collaborator and must not be listed")
179
179
}
180
180
181
181
func TestGetPermissionsInRepo(t *testing.T) {
···
475
475
assert.NoError(t, err)
476
476
assert.Empty(t, spindles)
477
477
}
478
+
479
+
func TestWipeRepoPoliciesRemovesCollaborators(t *testing.T) {
480
+
e := setup(t)
481
+
482
+
knot := "example.com"
483
+
repo := "did:plc:akshay/my-repo"
484
+
owner := "did:plc:akshay"
485
+
collaborator := "did:plc:boltless"
486
+
487
+
_ = e.AddKnot(knot)
488
+
_ = e.AddRepo(owner, knot, repo)
489
+
err := e.AddCollaborator(collaborator, knot, repo)
490
+
assert.NoError(t, err)
491
+
492
+
err = e.WipeRepoPolicies(knot, repo)
493
+
assert.NoError(t, err)
494
+
495
+
assert.ElementsMatch(t, []string{}, e.GetPermissionsInRepo(collaborator, knot, repo),
496
+
"collaborator policies must be wiped on repo teardown")
497
+
assert.ElementsMatch(t, []string{}, e.GetPermissionsInRepo(owner, knot, repo),
498
+
"owner policies must be wiped on repo teardown")
499
+
}