VARASYS/ZDDC
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge feat/effective-access-hovercard: per-location permissions/roles, copyable read-only YAML, scoped access endpoint

Browse source 
- browse hovercard shows 'Your permissions' (verbs) + 'Your roles' (cascade
  roles) for the hovered folder/file; server adds path_roles to
  /.profile/access?path=.
- read-only YAML/.zddc viewer is selectable/copyable (readOnly:true, not
  'nocursor') without enabling admin mode.
- /.profile/access?path= returns only the path-scoped payload (skips the
  global project + admin-subtree tree walks).
This commit is contained in:
ZDDC 2026-06-01 13:30:46 -05:00
commit 5ed4f8582b
6 changed files with 200 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

49
browse/js/hovercard.js
View file

@ -89,6 +89,24 @@
return 'File';
}
var VERB_NAMES = { r: 'read', w: 'write', c: 'create', d: 'delete', a: 'admin' };
function verbsLabel(verbs) {
return ['r', 'w', 'c', 'd', 'a']
.filter(function (v) { return verbs.indexOf(v) !== -1; })
.map(function (v) { return VERB_NAMES[v]; })
.join(', ');
}
// permsValue renders the per-entry verb set the principal holds here.
// Server mode: node.verbs ("rwcda" subset). Offline (FS-API) mode has
// no ACL — access is whatever the filesystem grants.
function permsValue(verbs) {
if (typeof verbs !== 'string') {
return state.source === 'fs' ? 'local folder (filesystem)' : 'unknown';
}
if (!verbs) return 'none (read-only)';
return verbsLabel(verbs) + ' (' + verbs + ')';
}
function buildRowsHtml(node) {
var tree = window.app.modules.tree;
var z = window.zddc;
@ -147,6 +165,18 @@
if (node.modTime) html += kv('Modified', fmtDate(node.modTime));
if (node.virtual) html += kv('Virtual', 'Not yet created on disk');
// ── Effective access for the current principal at this location ──
// "Your permissions" is the per-entry verb set (sync, from the
// listing). "Your roles" is cascade-scoped — it can differ by
// location — so it needs a path-scoped fetch; render a placeholder
// that fillRoles() updates once /.profile/access?path= resolves.
html += '<div class="tree-hovercard__sep"></div>';
html += kv('Your permissions', permsValue(node.verbs));
if (state.source === 'server') {
html += '<span class="tree-hovercard__key">Your roles</span>'
+ '<span class="tree-hovercard__val" id="hc-roles">…</span>';
}
// Path comes last (longest, most likely to wrap).
var path = tree ? tree.pathFor(node) : '';
if (path) html += kv('Path', path, true);
@ -239,6 +269,25 @@
render(node);
position(row);
card.classList.add('is-visible');
fillRoles(row, node);
}
// Async-fill the "Your roles" row from the path-scoped access view
// (zddc.cap.at memoises per path, so repeat hovers are instant).
// Bails if the card has moved to another row before the fetch lands.
async function fillRoles(row, node) {
if (state.source !== 'server') return;
if (!window.zddc || !window.zddc.cap) return;
var tree = window.app.modules.tree;
var path = tree ? tree.pathFor(node) : '';
if (!path) return;
var view;
try { view = await window.zddc.cap.at(path); } catch (_e) { return; }
if (currentRow !== row) return;
var el = card && card.querySelector('#hc-roles');
if (!el) return;
var roles = (view && Array.isArray(view.path_roles)) ? view.path_roles : [];
el.textContent = roles.length ? roles.join(', ') : 'none';
}
function init() {

11
browse/js/preview-yaml.js
View file

@ -484,9 +484,14 @@
// .zddc files without diverting into the editor. User
// clicks (or tabs) into the editor when they want to type.
autofocus: false,
// CodeMirror's "nocursor" mode is the truest read-only:
// selection allowed for copy, no caret, no edit affordances.
readOnly: !writable ? 'nocursor' : false,
// Read-only uses readOnly:true (NOT "nocursor"): the editor
// stays focusable so the user can click in, select text, and
// copy — they just can't edit. "nocursor" removes the textarea
// from focus, which also kills click-drag selection (the whole
// reason a viewer would otherwise force admin mode just to copy
// a .zddc snippet). autofocus:false keeps arrow-key tree nav
// intact until the user deliberately clicks into the editor.
readOnly: !writable,
});
// Stash the node on the editor so the lint helper can decide
// whether to apply the .zddc schema layer.

46
zddc/internal/handler/profilehandler.go
View file

@ -175,6 +175,12 @@ type AccessView struct {
PathVerbs string `json:"path_verbs,omitempty"`
PathIsAdmin bool `json:"path_is_admin,omitempty"`
PathCanElevateGrant string `json:"path_can_elevate_grant,omitempty"`
// PathRoles is the set of cascade roles the caller belongs to AT
// THIS PATH (e.g. ["document_controller", "project_team"]). Roles
// are cascade-scoped, so this can differ between locations — it's
// the "which roles do I hold here?" answer the browse hovercard
// surfaces. Elevation-independent (role membership, not admin).
PathRoles []string `json:"path_roles,omitempty"`
}
// enumerateAccess builds an AccessView for the given caller. Used by the
@ -191,10 +197,22 @@ type AccessView struct {
// silently ignored (the global fields still return).
func enumerateAccess(ctx context.Context, decider policy.Decider, cfg config.Config, p zddc.Principal, pathQuery string) AccessView {
view := AccessView{
Email: p.Email,
EmailHeader: cfg.EmailHeader,
IsSuperAdmin: zddc.IsAdmin(cfg.Root, p),
Email: p.Email,
EmailHeader: cfg.EmailHeader,
}
// Path-scoped query: return ONLY the access for THIS location. The
// global summary (every project, every admin subtree) requires tree
// walks that are irrelevant to "what can I do here?" — and the
// hovercard calls this per folder, so paying that cost per hover
// would be wasteful. Callers that want the global view omit ?path=.
if pathQuery != "" {
populatePathScopedAccess(ctx, decider, cfg, p, pathQuery, &view)
return view
}
// Global summary (the profile page).
view.IsSuperAdmin = zddc.IsAdmin(cfg.Root, p)
view.Projects, _ = EnumerateProjects(ctx, decider, cfg, p)
view.AdminSubtrees = enumerateAdminSubtrees(cfg, p)
view.HasAnyAdminScope = view.IsSuperAdmin || len(view.AdminSubtrees) > 0
@ -210,9 +228,6 @@ func enumerateAccess(ctx context.Context, decider policy.Decider, cfg config.Con
allowed, _ := policy.AllowActionFromChainP(ctx, decider, rootChain, p, "/", policy.ActionCreate)
view.CanCreateProject = allowed
}
if pathQuery != "" {
populatePathScopedAccess(ctx, decider, cfg, p, pathQuery, &view)
}
return view
}
@ -241,6 +256,9 @@ func populatePathScopedAccess(ctx context.Context, decider policy.Decider, cfg c
verbs := policy.EffectiveVerbsFromChainP(ctx, decider, chain, p, pathQuery)
view.PathVerbs = verbs.String()
view.PathIsAdmin = p.Elevated && p.Email != "" && zddc.IsAdminForChain(chain, p.Email)
// Which cascade roles the caller holds at this path — the answer to
// "the system thinks I'm a document_controller here, right?".
view.PathRoles = zddc.RolesForPrincipalInChain(chain, p.Email)
// would_elevate_grant: only meaningful when (a) the caller isn't
// already elevated and (b) elevation would actually change the
// verb set. Avoid noise — an empty value tells the client there
@ -470,17 +488,17 @@ func serveProfileEffectivePolicy(cfg config.Config, w http.ResponseWriter, r *ht
allow, _ := policy.AllowFromChain(ctx, decider, chain, probeEmail, probePath)
type levelView struct {
Index int `json:"index"`
ZddcPath string `json:"zddc_path"`
Exists bool `json:"exists"`
Acl *zddc.ACLRules `json:"acl,omitempty"`
Admins []string `json:"admins,omitempty"`
AnyMatch bool `json:"matches_email"`
Decision string `json:"decision_at_level"`
Index int `json:"index"`
ZddcPath string `json:"zddc_path"`
Exists bool `json:"exists"`
Acl *zddc.ACLRules `json:"acl,omitempty"`
Admins []string `json:"admins,omitempty"`
AnyMatch bool `json:"matches_email"`
Decision string `json:"decision_at_level"`
// Inherit is the level's explicit inherit setting if present
// (nil for absent — defaults to "inherit normally"). When
// false, this level fences ancestors above it from descendants.
Inherit *bool `json:"inherit,omitempty"`
Inherit *bool `json:"inherit,omitempty"`
}
// Build the per-level breakdown by walking the chain levels in

6
zddc/internal/handler/profilehandler_test.go
View file

@ -540,6 +540,12 @@ acl:
if alice.PathVerbs != "rw" {
t.Errorf("alice PathVerbs = %q, want rw", alice.PathVerbs)
}
// A path-scoped query returns ONLY the access for this location — the
// global summary (projects + admin-subtree walks) is omitted.
if len(alice.Projects) != 0 || len(alice.AdminSubtrees) != 0 || alice.CanCreateProject {
t.Errorf("path-scoped response leaked global fields: Projects=%d AdminSubtrees=%d CanCreateProject=%v",
len(alice.Projects), len(alice.AdminSubtrees), alice.CanCreateProject)
}
if alice.PathIsAdmin {
t.Errorf("alice PathIsAdmin = true, want false")
}

40
zddc/internal/zddc/roles.go
View file

@ -215,3 +215,43 @@ func MatchingPrincipals(chain PolicyChain, levelIdx int, email string) []string
sort.Strings(out)
return out
}
// RolesForPrincipalInChain returns the sorted, de-duplicated role names
// that email is a member of, as roles resolve at the chain's leaf level —
// honouring inherit:false fences and role resets via MatchesPrincipal.
// Role names declared anywhere in the visible chain OR in the embedded
// defaults are considered (so a standard role like document_controller
// that ships empty but gains members from an on-disk .zddc is reported).
// Returns nil for an empty email or empty chain.
//
// This is "which roles do I hold HERE" — roles are cascade-scoped, so the
// answer can differ between locations. The file handler surfaces it via
// /.profile/access?path=… (AccessView.PathRoles).
func RolesForPrincipalInChain(chain PolicyChain, email string) []string {
if email == "" || len(chain.Levels) == 0 {
return nil
}
leaf := len(chain.Levels) - 1
seen := make(map[string]struct{})
var out []string
consider := func(name string) {
if _, dup := seen[name]; dup {
return
}
seen[name] = struct{}{}
if MatchesPrincipal(name, email, chain, leaf) {
out = append(out, name)
}
}
floor := chain.VisibleStart(leaf)
for i := leaf; i >= floor; i-- {
for name := range chain.Levels[i].Roles {
consider(name)
}
}
for name := range chain.Embedded.Roles {
consider(name)
}
sort.Strings(out)
return out
}

72
zddc/internal/zddc/roles_test.go
View file

@ -10,7 +10,7 @@ func TestParseVerbSetRoundTrip(t *testing.T) {
{"", ""},
{"r", "r"},
{"rw", "rw"},
{"wr", "rw"}, // canonical reorder
{"wr", "rw"}, // canonical reorder
{"rwcd", "rwcd"},
{"adcwr", "rwcda"}, // canonical reorder
{"RWCDA", "rwcda"}, // case-insensitive
@ -50,12 +50,12 @@ func TestVerbSetHasAndUnion(t *testing.T) {
func TestIsPrincipalRole(t *testing.T) {
cases := map[string]bool{
"alice@example.com": false,
"*@example.com": false,
"alice@*": false,
"_doc_controller": true,
"vendor_acme": true,
"*": true, // legacy bare wildcard — treated as role-or-pattern
"alice@example.com": false,
"*@example.com": false,
"alice@*": false,
"_doc_controller": true,
"vendor_acme": true,
"*": true, // legacy bare wildcard — treated as role-or-pattern
}
for in, want := range cases {
if got := IsPrincipalRole(in); got != want {
@ -163,3 +163,61 @@ func TestMatchesPrincipalRoleNamePrefersRole(t *testing.T) {
t.Errorf("rep@other.com should NOT match role vendor_acme — fallback to pattern would wrongly succeed")
}
}
func sameStrs(a, b []string) bool {
if len(a) != len(b) {
return false
}
for i := range a {
if a[i] != b[i] {
return false
}
}
return true
}
// TestRolesForPrincipalInChain — "which roles do I hold here?" honours
// member unions across the visible chain, wildcard members, and reports
// nothing for non-members / empty email. Output is sorted.
func TestRolesForPrincipalInChain(t *testing.T) {
chain := buildChain(
ZddcFile{
Roles: map[string]Role{
"document_controller": {Members: []string{"dc@example.com"}},
"project_team": {Members: []string{"*@example.com"}},
},
ACL: aclOpen(map[string]string{"*@example.com": "r"}),
},
// A deeper level adds another DC; the root members still union in.
ZddcFile{
Roles: map[string]Role{
"document_controller": {Members: []string{"vendor-dc@example.com"}},
},
},
)
if got := RolesForPrincipalInChain(chain, "dc@example.com"); !sameStrs(got, []string{"document_controller", "project_team"}) {
t.Errorf("dc: got %v, want [document_controller project_team]", got)
}
if got := RolesForPrincipalInChain(chain, "alice@example.com"); !sameStrs(got, []string{"project_team"}) {
t.Errorf("alice: got %v, want [project_team]", got)
}
if got := RolesForPrincipalInChain(chain, "x@other.com"); len(got) != 0 {
t.Errorf("outsider: got %v, want none", got)
}
if got := RolesForPrincipalInChain(chain, ""); got != nil {
t.Errorf("empty email: got %v, want nil", got)
}
}
// A role defined above an inherit:false fence is invisible below it, so
// membership there reports no such role.
func TestRolesForPrincipalInChain_FenceHidesAncestorRole(t *testing.T) {
chain := buildChain(
ZddcFile{Roles: map[string]Role{"document_controller": {Members: []string{"dc@example.com"}}}},
ZddcFile{ACL: aclFenced(map[string]string{"*@vendor.com": "rwcd"}, false)},
)
if got := RolesForPrincipalInChain(chain, "dc@example.com"); len(got) != 0 {
t.Errorf("role above fence must be invisible below it; got %v", got)
}
}