Scenarios and buckets belong to users (per-user ownership) #50
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Context
Discovered during #32 (allocation preview endpoint) pre-commit review. Currently there is no per-user ownership in the data model:
Scenariohas no owner relationship, and its#[ApiResource](and the new projection-preview endpoint) gate only onis_granted('ROLE_USER'). This means any authenticated user can read/preview/mutate any scenario, bucket, or stream by iterating UUIDs — there is no object-level authorization.This is a systemic, pre-existing gap (not introduced by #32). None of these models should be shared between users.
Entity inventory (complete): the only API-exposed, scenario-scoped resources are
Scenario,Bucket, andStream— all three are in scope.Useris the owner itself (not API-exposed). There are no other entities.Goal
Scenarios, buckets, and streams belong to a single owning user. A user can only see and operate on their own. Cross-user access is indistinguishable from a non-existent resource (404, never 403 — no existence oracle).
Locked decisions
WHERE owner = :currentUser) so non-owned rows don't exist for the query → API Platform's provider 404s naturally. NOT voters /securityexpressions (those return 403 and leak existence). Consistent with the #32 preview-endpoint 404 choice.Scenarioonly. Bucket and Stream ownership is transitive viascenario.owner— no owner FK on Bucket or Stream (single source of truth, no sync risk).nullable: falsedirectly (tests build their own fixtures per-test; no backfill needed).Scope / stories
scenario.owner— extension joins bucket→scenario→owner; bucket-create under a foreign scenario IRI → 404.PreviewProcessorinjects current user, owner check →NotFoundHttpException(404).scenario.owner— same treatment. NOTE: Stream has BOTH ascenarioand an optionalbucketFK; on create, both the scenario IRI and (if present) the bucket IRI must belong to the caller, else 404 (otherwise a non-owner could attach a stream to another user's bucket).Open item (resolves during build)
Out of scope