Skip to content

feat: validate user project access during PAT Create and Update#1487

Merged
AmanGIT07 merged 4 commits intomainfrom
feat/validate-pat-project-org
Mar 30, 2026
Merged

feat: validate user project access during PAT Create and Update#1487
AmanGIT07 merged 4 commits intomainfrom
feat/validate-pat-project-org

Conversation

@AmanGIT07
Copy link
Copy Markdown
Contributor

@AmanGIT07 AmanGIT07 commented Mar 30, 2026

Description:

Summary

  • Validate that project resource IDs in PAT scopes are accessible by the user during Create and Update
  • Prevents creating PAT policies on projects the user doesn't have access to (including cross-org projects)
  • Uses SpiceDB LookupResources via projectService.ListByUser for authoritative access check

How it works

During Create/Update, after scope-role validation and before any mutations, validateProjectAccess is called:

  1. Collects all project resource IDs from the scopes
  2. If none (org-only scope or all-projects scope), skips validation
  3. Calls projectService.ListByUser(principal, Filter{OrgID}) which:
    • Queries SpiceDB LookupResources for projects the user has member permission on
    • Filters by org ID in Postgres
    • Returns only projects the user actually has access to within the org
  4. Checks each requested project ID against the user's accessible projects
  5. If any project is inaccessible, returns ErrProjectForbidden (generic message to user, specific project IDs logged server-side)

This aligns with the UI which uses ListProjectsByCurrentUser to populate the project dropdown — users can only select projects they have access to. The backend validation prevents direct API callers from bypassing this.

Changes

  • Service: Added ProjectService interface (ListByUser), validateProjectAccess method, called in Create and Update flows
  • Errors: Added ErrProjectForbidden — "user does not have access to one or more specified projects"
  • Handler: Maps ErrProjectForbidden to CodeInvalidArgument in Create and Update error switches
  • Wiring: cmd/serve.go — passes projectService to userpat.NewService (moved creation order after projectService)
  • Mocks: Added core/userpat to .mockery.yaml, regenerated ProjectService mock
  • Tests: 3 new tests (reject inaccessible project, allow accessible project, skip for all-projects scope) + updated 74 existing NewService calls

Test plan

  • go test ./core/userpat/... — all pass including 3 new validation tests
  • go test ./internal/api/v1beta1connect/... — all pass
  • go build ./... — clean
  • Manual: Create PAT with project from another org → invalid_argument
  • Manual: Create PAT with project user doesn't have access to → invalid_argument
  • Manual: Create PAT with accessible projects → success
  • Manual: Update PAT removing inaccessible project → success (stale project naturally dropped)

@vercel
Copy link
Copy Markdown

vercel bot commented Mar 30, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
frontier Ready Ready Preview, Comment Mar 30, 2026 7:49am

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai bot commented Mar 30, 2026
edited
Loading

Warning

Rate limit exceeded

@AmanGIT07 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 16 minutes and 32 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 16 minutes and 32 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5c1911b6-a11c-48d6-9df9-12755aac88e6

📥 Commits

Reviewing files that changed from the base of the PR and between 94cc5c4 and d199676.

📒 Files selected for processing (2)
  • core/userpat/mocks/project_service.go
  • core/userpat/service_test.go
📝 Walkthrough

Walkthrough

This PR adds project-access validation to the user personal access token service. It introduces a ProjectService dependency to verify users have access to requested projects, implements validation logic in the PAT service, and updates handlers and tests to support the new validation flow.

Changes

Cohort / File(s) Summary
Project Access Validation
core/userpat/service.go, core/userpat/errors/errors.go, internal/api/v1beta1connect/user_pat.go		 Added ProjectService interface and validateProjectAccess function to validate user project access before PAT creation/update; new ErrProjectForbidden error constant; handlers map this error to connect.CodeInvalidArgument.
Dependency Wiring
cmd/serve.go		 Reordered userpat.NewService instantiation to add projectService dependency parameter after projectService construction.
Tests
core/userpat/service_test.go		 Extended test helper to create project service mock; updated all NewService calls with project service argument; added new TestService_ValidateProjectAccess test suite covering project access validation, allowed/rejected scenarios, and all-projects scope bypass.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Suggested reviewers

  • whoAbhishekSah
  • rohilsurana

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b764f742-bcd9-4b1b-af7c-0cd84ad30de2

📥 Commits

Reviewing files that changed from the base of the PR and between aacebb0 and 94cc5c4.

📒 Files selected for processing (5)
  • cmd/serve.go
  • core/userpat/errors/errors.go
  • core/userpat/service.go
  • core/userpat/service_test.go
  • internal/api/v1beta1connect/user_pat.go

@coveralls
Copy link
Copy Markdown

coveralls commented Mar 30, 2026
edited
Loading

Pull Request Test Coverage Report for Build 23733767561

Details

  • 35 of 45 (77.78%) changed or added relevant lines in 3 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.05%) to 41.669%
Changes Missing Coverage Covered Lines Changed/Added Lines %
cmd/serve.go 0 2 0.0%
core/userpat/service.go 35 39 89.74%
internal/api/v1beta1connect/user_pat.go 0 4 0.0%
Totals Coverage Status
Change from base Build 23732692416: 0.05%
Covered Lines: 15048
Relevant Lines: 36113
💛 - Coveralls

@AmanGIT07 AmanGIT07 enabled auto-merge (squash) March 30, 2026 07:52
@AmanGIT07 AmanGIT07 merged commit 70b7db4 into main Mar 30, 2026
8 checks passed
@AmanGIT07 AmanGIT07 deleted the feat/validate-pat-project-org branch March 30, 2026 08:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@whoAbhishekSah whoAbhishekSah whoAbhishekSah approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AmanGIT07 @coveralls @whoAbhishekSah