feat(BA-5778): wire BulkActionRBACValidator to bulk permission check#11240

Merged
fregataa merged 4 commits into main from feat/BA-5778-wire-bulk-rbac-validator
Apr 23, 2026

@fregataa
Member

Summary

  • Implement BulkActionRBACValidator.validate() to call check_bulk_permission_with_scope_chain() and split entity_ids into allowed/denied entries for the Bulk Processor's partial-success reporting (BA-5777).
  • Superadmins bypass the DB lookup; missing user context raises UserNotFound, mirroring SingleEntityActionRBACValidator.
  • Add TestBulkActionRBACValidator covering superadmin bypass, missing user, partial allow/deny split via self-scope permission, full-deny, and empty-batch cases.

Test plan

  • pants fmt / fix / lint on changed files
  • pants check tests/unit/manager/actions/validators/test_rbac_validators.py src/ai/backend/manager/actions/validators/rbac/bulk.py
  • pants test tests/unit/manager/actions/validators/test_rbac_validators.py
  • pants test tests/unit/manager/actions/test_bulk_processor.py (no regression)

Resolves BA-5778

Implement validate() to call check_bulk_permission_with_scope_chain()
and split entity_ids into allowed/denied entries for the Bulk Processor's
partial-success reporting. Superadmins bypass the DB check; missing user
context raises UserNotFound consistent with single-entity validators.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 23, 2026 00:18
@github-actions github-actions Bot added size:L 100~500 LoC comp:manager Related to Manager component labels Apr 23, 2026
Contributor

Copilot AI left a comment

Pull request overview

This PR completes the RBAC enforcement path for bulk actions by implementing BulkActionRBACValidator.validate() using the permission controller’s bulk scope-chain check, enabling per-entity allow/deny results for partial-success bulk processing.

Changes:

  • Implement BulkActionRBACValidator.validate() to call PermissionControllerRepository.check_bulk_permission_with_scope_chain() and return allowed_entity_ids plus DeniedEntity entries.
  • Add superadmin bypass and missing-user (current_user() is None) handling consistent with existing RBAC validators.
  • Add unit tests covering superadmin bypass, missing user context, partial allow/deny, full deny, and empty-batch behavior.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| src/ai/backend/manager/actions/validators/rbac/bulk.py | Implements bulk RBAC validation using the repository bulk scope-chain permission check and returns per-entity decisions. |
| tests/unit/manager/actions/validators/test_rbac_validators.py | Adds test action/fixtures and a new TestBulkActionRBACValidator suite validating expected allow/deny splitting and edge cases. |
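
The validation flow described in this PR (missing user, superadmin bypass, per-entity allow/deny split, empty batch), sketched as an added example; it is not the project's code. `User`, `BulkResult`, `validate_bulk`, `self_scope_check`, the `bulk_check` callable signature and the local `UserNotFound` / `DeniedEntity` classes are assumptions standing in for the real types, and the fail-closed handling of ids missing from the lookup result is a design choice of this sketch.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional

class UserNotFound(Exception):
    """Local stand-in for the exception the PR names."""

@dataclass(frozen=True)
class User:  # hypothetical user context
    user_id: str
    is_superadmin: bool = False

@dataclass(frozen=True)
class DeniedEntity:  # local stand-in; the project's fields may differ
    entity_id: str
    reason: str

@dataclass
class BulkResult:  # hypothetical result container
    allowed_entity_ids: list = field(default_factory=list)
    denied: list = field(default_factory=list)

def validate_bulk(user: Optional[User], operation: str, entity_ids: list,
                  bulk_check: Callable) -> BulkResult:
    """One user, one operation, many entities -> per-entity allow/deny."""
    if user is None:
        raise UserNotFound("bulk action has no user context")
    if user.is_superadmin:
        return BulkResult(allowed_entity_ids=list(entity_ids))  # no lookup
    if not entity_ids:
        return BulkResult()  # empty batch: nothing to look up
    decisions = bulk_check(user.user_id, operation, list(entity_ids))  # one call
    result = BulkResult()
    for eid in entity_ids:
        # Fail closed: only an explicit True grants; unknown ids are denied.
        if decisions.get(eid) is True:
            result.allowed_entity_ids.append(eid)
        else:
            result.denied.append(DeniedEntity(eid, "permission denied"))
    return result

OWNERS = {"s1": "alice", "s2": "bob", "s3": "alice"}  # constructed sample data

def self_scope_check(user_id: str, operation: str, entity_ids: list) -> dict:
    """Constructed stand-in for the DB lookup: owners may act on their own entities."""
    return {e: OWNERS[e] == user_id for e in entity_ids if e in OWNERS}
```

Returning a split result instead of raising on the first denied id is what lets the caller report partial success per entity.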

@fregataa fregataa requested a review from a team April 23, 2026 01:22
@fregataa fregataa added this to the 26.5 milestone Apr 23, 2026
Contributor

@seedspirit seedspirit left a comment

Does "Bulk Validation" mean that permission checks for multiple operations performed by a single user are carried out in bulk? Could you please confirm whether this refers to validating operations performed by a single user rather than multiple users?

Comment thread src/ai/backend/manager/actions/validators/rbac/bulk.py Outdated
@fregataa
Member Author

fregataa commented Apr 23, 2026

> Does "Bulk Validation" mean that permission checks for multiple operations performed by a single user are carried out in bulk? Could you please confirm whether this refers to validating operations performed by a single user rather than multiple users?

Bulk validation means validating multiple entities for a single user, single entity type, and single operation type.

@fregataa fregataa requested a review from seedspirit April 23, 2026 10:03
Comment thread src/ai/backend/manager/actions/validators/rbac/bulk.py
@jopemachine
Member

CI is broken

@fregataa fregataa requested a review from a team April 23, 2026 10:30
Comment thread src/ai/backend/manager/actions/validators/rbac/bulk.py
@fregataa fregataa merged commit 29bfd3c into main Apr 23, 2026
30 checks passed
@fregataa fregataa deleted the feat/BA-5778-wire-bulk-rbac-validator branch April 23, 2026 11:18
Labels

comp:manager Related to Manager component size:L 100~500 LoC

4 participants