27198032949
43%
main: 43%

Ran 09 Jun 2026 09:54AM UTC

Jobs 1

Files 276

Run time 1min

Badge

Embed ▾

Committed 09 Jun 2026 09:49AM UTC coverage: 43.209% (-0.06%) from 43.271%

Build # 27198032949

Build Type

Pull #1685

github

Committed by

whoAbhishekSah

Commit Message

fix(permission): cascade role->permission tuple cleanup on delete

permission.Delete only removed the DB row. Every role granting the
permission keeps app/role:<role>#<slug>@<*> tuples (one per principal
type), so deleting a permission left those tuples dangling on a relation no
longer backed by any permission row. The method was also unreachable: the
DeletePermission RPC was hardwired to "function not available".

Changes:
- permission.Service gains a relation dependency and, on Delete, sweeps the
  role->permission tuples by object-namespace (app/role) + relation-name
  (the permission slug), clearing them across all roles and principal types
  before removing the row. Tolerates ErrNotExist for unused permissions.
- Implement the DeletePermission admin handler and gate it on superuser
  (previously returned CodeUnavailable), making the guard reachable and
  giving the data-cleanup effort a way to remove stray permissions.

Adds an e2e regression test: create a permission, build a role on it,
delete the permission, assert no role->permission tuple remains. Verified
it fails without the sweep (tuple lingers) and passes with it.

Refs #1661

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Pull Request Pull Request #1685: fix(permission): clean up leftover access in SpiceDB when a permission is deleted

Coverage Stats

33 of 114 new or added lines in 7 files covered. (28.95%)

4 existing lines in 1 file now uncovered.

16037 of 37115 relevant lines covered (43.21%)

12.28 hits per line

Uncovered Changes

Lines	Coverage	∆	File
34	64.97	-17.76%	internal/api/v1beta1connect/permission.go
20	28.87	-2.19%	internal/bootstrap/service.go
16	71.91	-5.25%	internal/store/postgres/role_repository.go
6	0.0	0.0%	cmd/serve.go
4	91.67	-8.33%	core/permission/service.go
1	0.0	0.0%	pkg/server/connect_interceptors/authorization.go

Coverage Regressions

Lines	Coverage	∆	File
4	64.97	-17.76%	internal/api/v1beta1connect/permission.go

Jobs

ID	Job ID	Ran	Files	Coverage
1	27198032949.1	09 Jun 2026 09:54AM UTC	276	43.21	GitHub Action Run

raystack / frontier / 27198032949
43%
main: 43%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Uncovered Changes

Coverage Regressions

Jobs

Source Files on build 27198032949

raystack / frontier / 27198032949 43% main: 43%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Uncovered Changes

Coverage Regressions

Jobs

Source Files on build 27198032949

raystack / frontier / 27198032949
43%
main: 43%

README BADGES
x