Scoped PATs: permission enforcement#7777
Merged
Merged
Conversation
…based permissions
…d refactor duplicate PAT checks
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #7777 +/- ##
==========================================
+ Coverage 75.04% 75.08% +0.04%
==========================================
Files 430 430
Lines 22781 22825 +44
Branches 6036 6052 +16
==========================================
+ Hits 17095 17138 +43
- Misses 5686 5687 +1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Member
knolleary
reviewed
Jul 10, 2026
knolleary
left a comment
Member
There was a problem hiding this comment.
Will be approved pending the merge conflict resolution
# Conflicts: # forge/routes/auth/index.js # test/unit/forge/routes/api/user_spec.js
Contributor
Author
|
Curious case of merge conflict, this branch only built upon the previous one. Fixed nonetheless |
knolleary
self-requested a review
July 10, 2026 15:08
knolleary
approved these changes
Jul 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds PAT scope enforcement to the permission layer, building on the metadata populated in #7446 and the CRUD routes from #7515.
adminOptInis false, the admin flag is shadowed on the session user viaObject.definePropertyso all downstream checks treat the request as non-admin without mutating the Sequelize model.needsPermissionenforces team scope and read-only after the existing role checks. The admin bypass path also enforces these restrictions when the PAT hasadminOptIn: true.hasPermissionapplies the same checks via@fastify/request-context, naturally skipped for non-HTTP paths like MQTT ACL.The issue proposed nullifying request.teamMembership in the shared preHandlers when a PAT's team scopes don't include the current team. I tried this but reverted it because nullifying membership conflates "user isn't a member" with "PAT restricts access", which are different concerns. Enforcement belongs in the permission layer where it can deny access without altering the request data that downstream code relies on.
No functional changes for existing tokens
Existing PATs default to
readOnly: false,adminOptIn: false, no team scopes. The only behavioral change is that admin users authenticating with a default PAT no longer get the admin bypass (sinceadminOptIndefaults to false).Related Issue(s)
closes #7447
Checklist
flowforge.yml?FlowFuse/helmto update ConfigMap TemplateFlowFuse/CloudProjectto update values for Staging/ProductionLabels
area:migrationlabel