Skip to content

docs(api): document 403 on permission-gated routes#884

Open
cristim wants to merge 2 commits into
mainfrom
fix/476-wave20
Open

docs(api): document 403 on permission-gated routes#884
cristim wants to merge 2 commits into
mainfrom
fix/476-wave20

Conversation

@cristim

@cristim cristim commented May 30, 2026

Copy link
Copy Markdown
Member

Closes #476

Summary

  • Adds 403: $ref: '#/components/responses/Forbidden' to 27 operations in internal/api/openapi.yaml whose handlers call requirePermission() but previously only declared 401
  • Routes updated span: dashboard summary/upcoming, config (PUT), config/service (PUT), recommendations (GET + refresh POST), plans (CRUD + createPlannedPurchases), purchases (execute, planned CRUD), purchase details, history (GET/analytics/breakdown), and api-keys (CRUD)
  • Reuses the existing components/responses/Forbidden component (already present in users/groups section)
  • Adds internal/api/openapi_403_test.go: a source-reading regression guard that walks router.go to resolve each route's delegate handler, checks whether it calls requirePermission, and asserts the spec operation declares 403 -- the test fails immediately when a new permission-gated route is added without the matching 403

Test plan

  • go test ./internal/api/ -run TestOpenAPI403OnPermissionGatedRoutes passes
  • go test ./internal/api/... passes (1356 tests)
  • Add a new route calling requirePermission without a 403 in the spec and confirm the test fails

@cristim cristim added triaged Item has been triaged priority/p3 Polish / idea / may never ship severity/low Minor harm urgency/eventually No deadline impact/internal Team-internal only effort/m Days type/docs Documentation labels May 30, 2026
@coderabbitai

coderabbitai Bot commented May 30, 2026

Copy link
Copy Markdown
Contributor

Warning

Review limit reached

You’ve reached a temporary PR review limit under our Fair Usage Limits Policy.

Your recent review volume is higher than typical usage, so adaptive limits are currently applied.

Next review available in: 8 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dbcb93b4-fa3d-475d-a3ca-ae9042c815a1

📥 Commits

Reviewing files that changed from the base of the PR and between 1d9f1b8 and 4522e63.

📒 Files selected for processing (2)
  • internal/api/openapi.yaml
  • internal/api/openapi_403_test.go
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/476-wave20

Comment @coderabbitai help to get the list of available commands.

@cristim

cristim commented May 30, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented May 30, 2026

Copy link
Copy Markdown
Contributor
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

cristim added a commit that referenced this pull request Jun 1, 2026
 #660)

RI exchanges are financially irreversible once submitted to AWS. Keeping
execute:ri-exchange disjoint from execute:purchases ensures a user who
can initiate regular purchases cannot inadvertently — or intentionally —
trigger an RI exchange without an explicit additional grant.

Changes:
- Add ResourceRIExchange = "ri-exchange" constant to internal/auth/types.go
- Update executeExchange handler to require execute:ri-exchange (was
  execute:purchases)
- Update TestExecuteExchange_PermissionGate to assert the new permission
  verb; add isolation sub-test proving execute:purchases does not grant
  ri-exchange access
- Add /api/ri-exchange/* routes to openapi.yaml with 403 responses and
  permission documentation on the execute endpoint
- Add 'ri-exchange' to the frontend Resource closed-union type and
  extend canAccess tests: admin true, user false (no default grant)

No DB migration needed: role defaults are computed at runtime from
Go constants; no DB table stores the permission set.

No conflict with PR #884 (fix/476): that PR adds 403 to plans/purchases
routes; this PR adds a new ri-exchange section that #884 does not touch.
cristim added a commit that referenced this pull request Jun 3, 2026
 #660)

RI exchanges are financially irreversible once submitted to AWS. Keeping
execute:ri-exchange disjoint from execute:purchases ensures a user who
can initiate regular purchases cannot inadvertently (or intentionally)
trigger an RI exchange without an explicit additional grant.

Changes:
- Add ResourceRIExchange = "ri-exchange" constant to internal/auth/types.go
- Update executeExchange handler to require execute:ri-exchange (was
  execute:purchases)
- Update TestExecuteExchange_PermissionGate to assert the new permission
  verb; add isolation sub-test proving execute:purchases does not grant
  ri-exchange access
- Add /api/ri-exchange/* routes to openapi.yaml with 403 responses and
  permission documentation on the execute endpoint
- Add 'ri-exchange' to the frontend Resource closed-union type and
  extend canAccess tests: admin true, user false (no default grant);
  add isolation sub-tests proving execute:purchases does not imply
  execute:ri-exchange (and vice versa) on the frontend gating mirror

Rebased onto feat/multicloud-web-frontend post #922 (effectivePermissions
migration). The conflict in frontend/src/__tests__/permissions.test.ts
was resolved by re-expressing the user-default-deny invariant in the new
effective-permissions model: a non-admin holding execute:purchases is
still denied execute:ri-exchange. Em-dashes scrubbed from added prose.

No DB migration needed: role defaults are computed at runtime from
Go constants; no DB table stores the permission set.

No conflict with PR #884 (fix/476): that PR adds 403 to plans/purchases
routes; this PR adds a new ri-exchange section that #884 does not touch.
cristim added a commit that referenced this pull request Jun 3, 2026
 #660) (#891)

RI exchanges are financially irreversible once submitted to AWS. Keeping
execute:ri-exchange disjoint from execute:purchases ensures a user who
can initiate regular purchases cannot inadvertently (or intentionally)
trigger an RI exchange without an explicit additional grant.

Changes:
- Add ResourceRIExchange = "ri-exchange" constant to internal/auth/types.go
- Update executeExchange handler to require execute:ri-exchange (was
  execute:purchases)
- Update TestExecuteExchange_PermissionGate to assert the new permission
  verb; add isolation sub-test proving execute:purchases does not grant
  ri-exchange access
- Add /api/ri-exchange/* routes to openapi.yaml with 403 responses and
  permission documentation on the execute endpoint
- Add 'ri-exchange' to the frontend Resource closed-union type and
  extend canAccess tests: admin true, user false (no default grant);
  add isolation sub-tests proving execute:purchases does not imply
  execute:ri-exchange (and vice versa) on the frontend gating mirror

Rebased onto feat/multicloud-web-frontend post #922 (effectivePermissions
migration). The conflict in frontend/src/__tests__/permissions.test.ts
was resolved by re-expressing the user-default-deny invariant in the new
effective-permissions model: a non-admin holding execute:purchases is
still denied execute:ri-exchange. Em-dashes scrubbed from added prose.

No DB migration needed: role defaults are computed at runtime from
Go constants; no DB table stores the permission set.

No conflict with PR #884 (fix/476): that PR adds 403 to plans/purchases
routes; this PR adds a new ri-exchange section that #884 does not touch.
@cristim

cristim commented Jun 4, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 4, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@cristim

cristim commented Jun 4, 2026

Copy link
Copy Markdown
Member Author

cr-watch-884 summary: CodeRabbit returned no actionable findings on this PR.

  • Original review for commit b7d424f87 was preempted by an org rate-limit notice (40-minute cooldown) before any findings could be produced.
  • After the rate-limit window cleared, @coderabbitai review was re-triggered and CR responded with "Review finished" (incremental run, no inline comments, no review body, no requested changes).
  • REST cross-check: /pulls/884/reviews returns 0, /pulls/884/comments (review threads) returns 0.
  • CI is green (4 checks passing, 0 failing).

No code changes required; closing the watcher. Ready for human merge.

@coderabbitai

coderabbitai Bot commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

Rate Limit Exceeded

@cristim have exceeded the limit for the number of chat messages per hour. Please wait 38 minutes and 46 seconds before sending another message.

@cristim

cristim commented Jun 5, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 5, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@cristim

cristim commented Jun 8, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai full review

@coderabbitai

coderabbitai Bot commented Jun 8, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Full review finished.

@cristim
cristim changed the base branch from feat/multicloud-web-frontend to main June 9, 2026 15:52
@cristim

cristim commented Jun 19, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 19, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@cristim

cristim commented Jul 10, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Every operation in openapi.yaml whose handler calls requirePermission
now declares '403: $ref: "#/components/responses/Forbidden"' alongside
the existing 401.  27 operations updated across dashboard, config,
recommendations, plans, planned-purchases, purchases, history, and
api-keys sections.

The components/responses/Forbidden component already existed (used in
the users/groups section); this change wires it consistently across all
remaining permission-gated routes.

Adds openapi_403_test.go: a source-reading regression guard that walks
router.go to map each route's handler wrapper to its delegate h.*
function, then checks whether that function calls requirePermission, and
asserts the spec operation declares 403.  The test fails as soon as a
new permission-gated route is wired in router.go without a matching 403
in the spec.
…ice/{service}

Both handlers call requirePermission("view","config") but the spec only
declared 403 on their PUT counterparts. The regression test added in this
PR caught the gap. Add the missing 403 response to both GET operations.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

effort/m Days impact/internal Team-internal only priority/p3 Polish / idea / may never ship severity/low Minor harm triaged Item has been triaged type/docs Documentation urgency/eventually No deadline

Projects

None yet

Development

Successfully merging this pull request may close these issues.

docs(api): document 403 for every permission-gated route in openapi.yaml

1 participant