fix(resource): reconcile #project/#owner relations on update#1686
Draft
whoAbhishekSah wants to merge 1 commit into
Draft
fix(resource): reconcile #project/#owner relations on update#1686whoAbhishekSah wants to merge 1 commit into
whoAbhishekSah wants to merge 1 commit into
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
whoAbhishekSah
force-pushed
the
fix/resource-update-reconcile
branch
from
76e7d0c to
8ea5f1d
Compare
whoAbhishekSah
force-pushed
the
fix/resource-update-reconcile
branch
from
8ea5f1d to
95452af
Compare
resource.Update was DB-only and persisted just title/metadata, so moving a resource to a new project or reassigning its owner was a silent no-op: the change was dropped from the row and the old #project/#owner SpiceDB tuples stayed put while the new ones were never written. Update now: - persists project_id, principal_id, principal_type, and a recomputed URN (name and namespace remain immutable on update); - when the project changes, deletes the old app/<ns>:<id>#project tuple and writes the new one; - when the owner changes, deletes the old #owner tuple and writes the new one. PAT owners are resolved to the underlying user, mirroring Create. Adds an e2e regression test: create a resource in project A, move it to project B, assert the #project relation now points at B (old tuple gone). Verified it fails without the reconcile (relation stays on A) and passes with it. Refs #1661 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
whoAbhishekSah
force-pushed
the
fix/resource-update-reconcile
branch
from
95452af to
3dd0010
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
resource.Updatewas DB-only and persisted justtitle/metadata. Moving a resource to a new project or reassigning its owner was therefore a silent no-op: the change was dropped from the row, and the old#project/#ownerSpiceDB tuples stayed in place while the new ones were never written.Fix
Updatenow:project_id,principal_id,principal_type, and a recomputedURN(the URN embeds the project name).nameandnamespacestay immutable on update;app/<ns>:<id>#projecttuple and writes the new one;#ownertuple and writes the new one;Create.Reconciliation is scoped to the
#project/#ownerrelations — resource grant tuples (#grantedrolebindings) are left untouched.Test
New e2e regression test
TestProjectResourceUpdateReconcile: create a resource in project A, move it to project B, then assert viaListRelationsthat the#projectrelation now points at B (old A tuple gone). Verified it fails without the reconcile (relation stays on A) and passes with it.Addresses gap (7) of #1661.