Skip to content

PM-3764: allow legacy topcoder_manager through route guards#12

Open
jmgasper wants to merge 1 commit intodevfrom
PM-3764-1
Open

PM-3764: allow legacy topcoder_manager through route guards#12
jmgasper wants to merge 1 commit intodevfrom
PM-3764-1

Conversation

@jmgasper
Copy link
Copy Markdown
Contributor

@jmgasper jmgasper commented Apr 3, 2026

What was broken
The previous PM-3764 fix restored legacy read parity inside PermissionService, but some QA users could still be denied before those permission checks ran. Tokens carrying the legacy topcoder_manager role were excluded from controller-level @Roles(...Object.values(UserRole)) allowlists, so the read-parity logic never executed for them.

Root cause (if identifiable)
PermissionService and the Swagger permission documentation still knew about the legacy topcoder_manager role, but the shared UserRole enum did not. Route-level role gates derive their allowlists from Object.values(UserRole), which left the coarse auth layer out of sync with the PM-3764 compatibility logic.

What was changed
Added UserRole.TOPCODER_MANAGER for the legacy JWT role and updated the permission/documentation helpers to use the enum-backed value.
Kept the existing PM-3764 read-parity behavior intact while extending regression coverage for legacy topcoder_manager access through the route guard and read-permission paths.
Documented that topcoder_manager is accepted by both route guards and PermissionService.

Any added/updated tests
Added a TokenRolesGuard regression test covering topcoder_manager against Object.values(UserRole) route allowlists.
Expanded PermissionService regression coverage for topcoder_manager project, member, invite, and attachment read access.
Validated with pnpm lint, targeted auth regression tests, and pnpm build.
The full pnpm test suite still has the existing unrelated metadata event-bus failures on the current dev baseline.

@jmgasper
PM-3764: allow legacy topcoder_manager through route guards
e749f86 
What was broken
The previous PM-3764 fix restored legacy read parity inside PermissionService, but some QA users could still be denied before those permission checks ran. Tokens carrying the legacy `topcoder_manager` role were excluded from controller-level `@Roles(...Object.values(UserRole))` allowlists, so the read-parity logic never executed for them.

Root cause (if identifiable)
PermissionService and the Swagger permission documentation still knew about the legacy `topcoder_manager` role, but the shared UserRole enum did not. Route-level role gates derive their allowlists from `Object.values(UserRole)`, which left the coarse auth layer out of sync with the PM-3764 compatibility logic.

What was changed
Added `UserRole.TOPCODER_MANAGER` for the legacy JWT role and updated the permission/documentation helpers to use the enum-backed value.
Kept the existing PM-3764 read-parity behavior intact while extending regression coverage for legacy `topcoder_manager` access through the route guard and read-permission paths.
Documented that `topcoder_manager` is accepted by both route guards and PermissionService.

Any added/updated tests
Added a TokenRolesGuard regression test covering `topcoder_manager` against `Object.values(UserRole)` route allowlists.
Expanded PermissionService regression coverage for `topcoder_manager` project, member, invite, and attachment read access.
Validated with `pnpm lint`, targeted auth regression tests, and `pnpm build`.
The full `pnpm test` suite still has the existing unrelated metadata event-bus failures on the current `dev` baseline.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jmgasper