What was broken
M2M POST, PATCH, and DELETE requests for project members could still return 403 when the raw token payload carried project-member write scope but the normalized user scope list did not fully match it.
Root cause (if identifiable)
PermissionService preferred user.scopes over the raw token payload, while TokenRolesGuard evaluates the raw token payload directly. When those two scope sources drifted, the write routes could pass the auth guard and still fail inside project-member permission checks.
What was changed
PermissionService now merges scopes from user.scopes and the raw token payload before evaluating named permissions, so M2M project-member write checks use the same effective grants across the guard and service layers.
Added a focused regression for create, update, and delete project-member permissions when tokenPayload.scope is broader than user.scopes.
Any added/updated tests
Updated src/shared/services/permission.service.spec.ts with create, update, and delete project-member M2M regression coverage for mismatched scope sources.
Validation run: pnpm lint, pnpm build, pnpm test -- src/shared/services/permission.service.spec.ts, and pnpm test:e2e -- --runInBand test/project-member.e2e-spec.ts passed.
pnpm test still fails in unrelated metadata event-publishing specs already failing on the current dev baseline.
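The drift described above, as an added illustration that is not the project's own code: a guard that reads the raw token payload, a service that prefers user.scopes, and the merge that makes both layers see the same effective grants. The `User` and `TokenPayload` shapes, the `project-member:write` scope string and the `normalize`/`effectiveScopes` helpers are assumptions for the example.

```typescript
// Added example (not from the project). Shapes and scope names are assumptions.
interface TokenPayload { scope?: string }      // raw token: space-separated scopes
interface User { scopes?: string[] }           // normalized list built during auth

export const PROJECT_MEMBER_WRITE = "project-member:write";  // assumed scope name

/** Normalize one scope source into a Set: split on spaces, trim, lower-case, drop blanks. */
function normalize(raw: string | string[] | undefined): Set<string> {
  const items: string[] = Array.isArray(raw) ? raw : (raw ?? "").split(" ");
  return new Set(items.map((s) => s.trim().toLowerCase()).filter((s) => s.length > 0));
}

/** Guard-side check: evaluates only the raw token payload, as TokenRolesGuard is described doing. */
export function guardAllows(payload: TokenPayload, needed: string): boolean {
  return normalize(payload.scope).has(needed);
}

/** Service-side check before the fix: prefers user.scopes whenever it is present. */
export function serviceAllowsBefore(user: User, payload: TokenPayload, needed: string): boolean {
  const preferred = user.scopes && user.scopes.length > 0 ? user.scopes : payload.scope;
  return normalize(preferred).has(needed);
}

/** Service-side view after the fix: union of both sources, so guard and service agree. */
export function effectiveScopes(user: User, payload: TokenPayload): Set<string> {
  const merged = Array.from(normalize(user.scopes)).concat(Array.from(normalize(payload.scope)));
  return new Set(merged);
}

export function serviceAllowsAfter(user: User, payload: TokenPayload, needed: string): boolean {
  return effectiveScopes(user, payload).has(needed);
}

// Constructed regression input: the raw payload is broader than user.scopes.
export const mismatchedUser: User = { scopes: ["project:read"] };
export const mismatchedPayload: TokenPayload = { scope: "project:read  Project-Member:Write" };
```

Because the merge is a union, either source alone can grant the permission; if user.scopes is ever intended as a restriction of the token rather than a second copy of it, an intersection (or a single source of truth) would be the conservative choice.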