raystack / frontier / 27194484134

43%

main: 43%

Build Type

Pull #1685

github

Committed by whoAbhishekSah

Commit Message

fix(permission): cascade role->permission tuple cleanup on delete

permission.Delete only removed the DB row. Every role granting the
permission keeps app/role:<role>#<slug>@<*> tuples (one per principal
type), so deleting a permission left those tuples dangling on a relation no
longer backed by any permission row. The method was also unreachable: the
DeletePermission RPC was hardwired to "function not available".

Changes:
- permission.Service gains a relation dependency and, on Delete, sweeps the
  role->permission tuples by object-namespace (app/role) + relation-name
  (the permission slug), clearing them across all roles and principal types
  before removing the row. Tolerates ErrNotExist for unused permissions.
- Implement the DeletePermission admin handler and gate it on superuser
  (previously returned CodeUnavailable), making the guard reachable and
  giving the data-cleanup effort a way to remove stray permissions.

Adds an e2e regression test: create a permission, build a role on it,
delete the permission, assert no role->permission tuple remains. Verified
it fails without the sweep (tuple lingers) and passes with it.

Refs #1661

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Pull Request Pull Request #1685: fix(permission): clean up leftover access in SpiceDB when a permission is deleted

Coverage Stats

26 of 86 new or added lines in 5 files covered. (30.23%)

4 existing lines in 1 file now uncovered.

16030 of 37087 relevant lines covered (43.22%)

12.29 hits per line