Extend group-based access with ndp_admin role and endpoint UUID (v0.12.0)#107
Merged
Conversation
added 10 commits
April 22, 2026 12:20
…dpoint UUID group

Previously, enabling group-based access required a user to belong to one of the groups listed in GROUP_NAMES. This commit broadens the authorization rule so that any of the following grants access:
1. Membership in a group listed in GROUP_NAMES (existing behavior)
2. The 'ndp_admin' role on the user's token
3. Membership in the group whose name matches AFFINITIES_EP_UUID
When ENABLE_GROUP_BASED_ACCESS is False the behavior is unchanged. The forbidden response now describes all three accepted paths.
Refs #106

Add 12 test cases for the two new authorization paths:
- ndp_admin role grants access (including without matching group, with empty GROUP_NAMES, case-insensitive, and ignored when the roles field is missing or malformed)
- Membership in the AFFINITIES_EP_UUID group grants access (including group given as a dict with path, case-insensitive matching, and the empty-UUID guard)
- The feature-disabled path remains permissive
Also confirm that a user outside all three paths is denied.
Refs #106
Introduce get_user_for_endpoint_access, a dependency that mirrors the existing write-operation gate but with an error message tailored to Endpoint-wide access rather than write operations. Apply it on /user/info so unauthorized users are rejected at the UI entry point instead of being allowed to enter the app only to hit 403s on every write. Extract the shared 403 response into a small helper so both paths report the same 'ndp_admin / endpoint UUID group / GROUP_NAMES' contract with only the context phrase differing. Refs #106
After obtaining a token through the credentials login flow, validate
it against /user/info before storing it, so authorization errors are
surfaced to the user at login time rather than after entering the app.
Translate 403 responses from /user/info into a user-visible message
('You do not have permission to access this Endpoint.' or the
backend-supplied detail) in the AuthGuard token, credentials, and
existing-session paths.
Refs #106
Verify four behaviors of the new Endpoint-access dependency:
- Feature disabled: any authenticated user is allowed
- Authorized user (via mocked check_group_membership) is passed through
- Unauthorized user raises 403 with a message naming the Endpoint,
including the ndp_admin role and the configured endpoint UUID
- The pre-existing write-operation dependency still reports its own
context ('write operations') to ensure the refactor didn't leak
one context phrase into the other
Refs #106
The previous 403 detail exposed internal authorization jargon
(admin role name, endpoint UUID, configured GROUP_NAMES list,
even an empty []) that end users could not act on. Replace it with
two concise, actionable messages:
- Endpoint access:
'You do not have permission to access this Endpoint.
Please contact the administrator if you believe this is
a mistake.'
- Write operations:
'You do not have permission to perform this operation.
Please contact the administrator if you believe this is
a mistake.'
Technical details (required role, endpoint group UUID, configured
group list) are now emitted as a warning in the backend log so
administrators can still diagnose rejections without leaking
implementation details to end users.
Refs #106
Drop the 'if you believe this is a mistake' tail so the 403 detail is
a short two-sentence instruction:
- 'You do not have permission to access this Endpoint.
Please contact the administrator.'
- 'You do not have permission to perform this operation.
Please contact the administrator.'
Refs #106
Summary
When ENABLE_GROUP_BASED_ACCESS=True, authorize users if any of the following is true:
- Membership in a group listed in GROUP_NAMES (existing behavior)
- The ndp_admin role on the user's token
- Membership in the group whose name matches AFFINITIES_EP_UUID
Closes #106
Test plan
- black --check --diff . passes
- flake8 api/ tests/ --max-line-length=88 --extend-ignore=E203,W503,E501,F401 passes
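The three-way authorization rule and its edge cases (case-insensitive matching, groups given as dicts with a path, malformed roles ignored, empty-UUID guard, feature-disabled bypass, technical details logged rather than returned) as an added, stand-alone example; this is not the project's code, and the names Settings, _group_name, _roles and is_endpoint_authorized, plus the choice to compare on the last segment of a group path, are assumptions.

```python
# Added example reconstructing the PR's authorization rule; not project code.
import logging
from dataclasses import dataclass, field

log = logging.getLogger("endpoint.auth")


@dataclass
class Settings:  # assumed stand-in for the backend's settings object
    enable_group_based_access: bool = True
    group_names: list = field(default_factory=list)
    affinities_ep_uuid: str = ""


def _group_name(group) -> str:
    # Groups may arrive as plain names or as dicts carrying a path such as
    # "/parent/child"; match on the final segment, case-insensitively (assumption).
    if isinstance(group, dict):
        group = group.get("path") or group.get("name") or ""
    return str(group).strip("/").rsplit("/", 1)[-1].lower()


def _roles(token: dict) -> set:
    # A missing or malformed roles field grants nothing.
    roles = token.get("roles")
    if not isinstance(roles, (list, tuple, set)):
        return set()
    return {r.lower() for r in roles if isinstance(r, str)}


def is_endpoint_authorized(token: dict, settings: Settings) -> bool:
    """True if any of the three access paths applies (or the feature is off)."""
    if not settings.enable_group_based_access:
        return True  # feature disabled: any authenticated user is allowed
    groups = {_group_name(g) for g in token.get("groups") or []}
    if groups & {g.lower() for g in settings.group_names}:
        return True  # path 1: configured GROUP_NAMES
    if "ndp_admin" in _roles(token):
        return True  # path 2: admin role on the token
    ep_uuid = settings.affinities_ep_uuid.strip().lower()
    if ep_uuid and ep_uuid in groups:
        return True  # path 3: endpoint UUID group; empty UUID never matches
    # Diagnostics go to the backend log; the 403 detail itself stays generic.
    log.warning("endpoint access denied: need role ndp_admin, group %s, or one of %s",
                settings.affinities_ep_uuid, settings.group_names)
    return False
```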