API permission filtering — scope /projects, /notes, /boards by user permissions #250

Open
opened 2026-03-30 22:10:10 +00:00 by forgejo_admin · 0 comments

Type

Feature

Lineage

Depends on UserProjectPermission table (pal-e-api sibling issue).

Repo

forgejo_admin/pal-e-api

User Story

As a stakeholder
I want to see only the projects and boards assigned to me
So that I'm not overwhelmed with content I don't need

Context

Once UserProjectPermission exists, the API must filter responses based on the authenticated user's permissions: extract keycloak_sub from the Bearer JWT, query UserProjectPermission, and return only the permitted projects/notes/boards. Public content (is_public=true) bypasses this filter. Superadmin bypasses all checks. See arch-dataflow-pal-e-app.

File Targets

Files to modify:

  • src/pal_e_docs/routes/projects.py — filter project list by user permissions
  • src/pal_e_docs/routes/notes.py — filter notes by project permissions
  • src/pal_e_docs/routes/boards.py — filter boards by project permissions
  • src/pal_e_docs/deps.py or similar — JWT extraction, permission check dependency

Files NOT to touch:

  • MCP server code — uses service account, not user tokens

Acceptance Criteria

  • GET /projects returns only permitted projects plus is_public projects
  • GET /notes filters by project scope
  • GET /boards filters by project scope
  • GET /boards/{slug}/items returns 403 if user lacks project access
  • Unauthenticated requests see only is_public content (preserved)
  • Superadmin bypass works

Test Expectations

  • Unit test: permission filtering logic
  • Integration test: auth requests with/without permissions
  • Run command: pytest tests/ -k test_permission_filter

Constraints

  • Must not break existing MCP server or unauthenticated access
  • Permission check should be a reusable FastAPI dependency

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • project-pal-e-app
  • arch-dataflow-pal-e-app
Reference
forgejo_admin/pal-e-api#250