WIP: add authz enforcement layer #48
Draft
burning-bush-dev wants to merge 1 commit into NicTool:main from
burning-bush-dev added a commit to burning-bush-dev/NicTool that referenced this pull request Apr 12, 2026
REST.pm gets error code mapping from v3's response body (error_code / error_msg), delegation oid remapping, boolean coercion, permission flattening in login responses, and delegation supplement handling. xt tests adjusted to work with v3's centralized permission enforcement -- 14_permissions.t and 20_permission.t both pass (4892/4892). Companion to NicTool/api#48. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
burning-bush-dev added a commit to burning-bush-dev/validate that referenced this pull request Apr 12, 2026
Joi schemas for delegation CRUD (GET, POST, PUT, DELETE) and updated index exports. Companion to NicTool/api#48. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This was referenced Apr 12, 2026
v3 didn't have permission enforcement yet -- this adds it. Hapi onPreHandler plugin reads route metadata and runs checks before handlers execute, rather than scattering permission calls inside each one. authz.js is the engine (checkPermission, group tree walks, delegation lookups). authz-plugin.js wires it into Hapi's request lifecycle. All routes annotated with what they need. Delegation routes now cap submitted permissions by the caller's own permissions at write time, which matches how v2 does it. Unit tests for the Authz class and integration tests via server.inject() included. v2 xt permission tests (14_permissions, 20_permission) should still pass -- 4892/4892 last run. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
c6f2cac to ddc1f18
This is 100% vibe coded by abe's claw (claude code). Every line. I haven't read most of it, just steered.
v3 didn't enforce permissions yet -- now it does. The approach is a Hapi onPreHandler plugin that reads app.permission metadata from route configs and runs the check before the handler fires. Keeps authz centralized instead of scattered across handlers, which is how v2's verify_obj_usage() worked conceptually.

The main pieces:
- lib/authz.js, the engine -- group tree ownership checks, delegation access (including zone record pseudo-delegation via parent zone), per-resource permission checks. Mirrors v2's check_permission() flow.
- lib/authz-plugin.js, the Hapi extension that wires it all together
- routes/delegation.js, extracted and now caps delegation permissions by the caller's own permissions at write time

Test coverage: unit tests for the Authz class methods against real MySQL, plus integration tests via server.inject() hitting the full Hapi stack. v2 xt permission tests (14_permissions.t, 20_permission.t) should still pass -- 4892/4892 last run.

Known gaps -- 16_delegation.t still has 29 failures, and some pre-existing v3 route tests now fail because their fixture users don't have the right permissions for the objects they're testing (expected, those tests predate authz).
Abe
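The two mechanisms the description names, a pre-handler check driven by route metadata and a write-time cap on delegated permissions, sketched as an added example that is not code from this pull request or from NicTool. It runs without Hapi; the `{ resource, action }` metadata shape, the `grants` table, the permission names and the choice to refuse unannotated routes are all assumptions of the example.

```javascript
// Added illustration, not code from NicTool/api. Names and data shapes are assumptions.

// Constructed sample: what each caller may do, per resource type.
const grants = {
  alice: { zone: { write: true, delete: false, delegate: true } },
  bob: { zone: { write: true, delete: true, delegate: false } },
}

function deny(message) {
  return Object.assign(new Error(message), { statusCode: 403 })
}

// Same (request, h) shape as a Hapi onPreHandler extension. The metadata form
// { resource, action } under route.settings.app.permission is hypothetical.
function checkRoute(request, h) {
  const need = request.route.settings.app?.permission
  // This example fails closed: a route with no annotation is refused.
  if (!need) throw deny('route has no permission annotation')
  const held = grants[request.auth.credentials.user]?.[need.resource] ?? {}
  if (held[need.action] !== true) throw deny(`${need.resource}:${need.action} denied`)
  return h.continue
}

// Write-time cap: a delegation never carries a permission the caller lacks.
// Only known keys are read, so extra fields in the payload are dropped.
function capDelegation(user, resource, submitted) {
  const held = grants[user]?.[resource] ?? {}
  const capped = {}
  for (const action of ['write', 'delete', 'delegate']) {
    capped[action] = submitted[action] === true && held[action] === true
  }
  return capped
}

// Constructed request standing in for what Hapi would pass to the extension.
function fakeRequest(user, permission) {
  return { auth: { credentials: { user } }, route: { settings: { app: { permission } } } }
}
const toolkit = { continue: Symbol('continue') }
```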