editoast: migrate infra grant revoking to authz::v2 #16974

Open
leovalais wants to merge 4 commits into dev from lva/revoke-infra-grant-v2

leovalais commented May 29, 2026

leovalais added 4 commits May 29, 2026 13:11
Signed-off-by: Léo VALAIS <leovalais+git@proton.me>
`Authorizer` is not dyn-compatible for more than one reason. Though it'll
be useful at times to have *either* a `SystemAuthorizer` or
a `UserAuthorizer` depending on the authentication mode.

Signed-off-by: Léo VALAIS <leovalais+git@proton.me>
Removes the corresponding function in the `Regulator` and adapts all
call sites. Adds the `Protected` operation, its tests, new `Check`s,
their implementation in authorizers and their tests.

CHANGE: now admins **can** revoke the last owner of a resource. It's fine
because admins have access to everything so they can re-assign it if
necessary. It will allow us to "retire" resources without deleting them
for example. It's also much more consistent with our "admin" vision:
"admins can do anything as long as it doesn't break internal consistency".

Improvement: the batching endpoint now revokes all grants concurrently.

Signed-off-by: Léo VALAIS <leovalais+git@proton.me>
Makes sure that our revoking rules below are always upheld:
1. Only owners (and admins) can fully revoke grants
2. The last owner of a resource cannot be revoked (admins can)
3. An owner cannot revoke another owner


Signed-off-by: Léo VALAIS <leovalais+git@proton.me>
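
The three revoking rules listed in the last commit message, together with the admin exception, written out as a single decision function. This is an added example, not code from the pull request or from editoast: every type and function name (`Privilege`, `Actor`, `Denied`, `Grants`, `check_revoke`, `sample`) is hypothetical, the grants are constructed sample data, and it assumes that an owner may revoke their own grant as long as another owner remains.

```rust
use std::collections::HashMap;

// Hypothetical model of the rules above; none of these names are editoast's.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Privilege { Reader, Writer, Owner }
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Actor { Admin, User(u64) }
#[derive(PartialEq, Eq, Debug)]
pub enum Denied { NoSuchGrant, NotOwner, OtherOwner, LastOwner }

/// Grants held on one resource: subject id -> privilege.
pub type Grants = HashMap<u64, Privilege>;

pub fn check_revoke(actor: Actor, target: u64, grants: &Grants) -> Result<(), Denied> {
    let target_priv = *grants.get(&target).ok_or(Denied::NoSuchGrant)?;
    let user = match actor {
        // Admins are exempt from rules 1-3, including the last-owner rule.
        Actor::Admin => return Ok(()),
        Actor::User(id) => id,
    };
    // Rule 1: only an owner of the resource may fully revoke a grant.
    if grants.get(&user) != Some(&Privilege::Owner) {
        return Err(Denied::NotOwner);
    }
    if target_priv == Privilege::Owner {
        // Rule 3: an owner cannot revoke another owner.
        if target != user {
            return Err(Denied::OtherOwner);
        }
        // Rule 2: a self-revoking owner must not be the last one (assumed reading).
        let owners = grants.values().filter(|p| **p == Privilege::Owner).count();
        if owners == 1 {
            return Err(Denied::LastOwner);
        }
    }
    Ok(())
}

/// Constructed sample: user 1 owns the resource, 2 can write, 3 can read.
pub fn sample() -> Grants {
    HashMap::from([(1, Privilege::Owner), (2, Privilege::Writer), (3, Privilege::Reader)])
}

fn main() {
    let grants = sample();
    for (actor, target) in [(Actor::User(3), 2), (Actor::User(1), 2), (Actor::User(1), 1), (Actor::Admin, 1)] {
        println!("{actor:?} revokes {target}: {:?}", check_revoke(actor, target, &grants));
    }
}
```

The check reads a snapshot of the grants, so when revocations run concurrently the check and the removal have to happen in one transaction; otherwise two owners revoking themselves at the same time could both pass rule 2.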
leovalais requested a review from a team as a code owner May 29, 2026
github-actions bot added the "area:editoast Work on Editoast Service" label May 29, 2026
leovalais self-assigned this May 29, 2026
leovalais moved this to In Progress in Board PI 20 May 29, 2026
leovalais moved this from In Progress to Awaiting merge in Board PI 20 May 29, 2026