feat(adr-023): ActionAuthService skeleton + repair step + empty seed + unit tests#21
Open
rubenvdlinde wants to merge 1 commit into
Open
feat(adr-023): ActionAuthService skeleton + repair step + empty seed + unit tests#21rubenvdlinde wants to merge 1 commit into
rubenvdlinde wants to merge 1 commit into
Conversation
…+ 8 unit tests Ports the ADR-023 action-authorization pattern from decidesk's reference implementation (decidesk@88844d0) to the template so every new app picks it up for free. What's included: * lib/Service/ActionAuthService.php — verbatim service: - requireAction (throws OCSForbiddenException) - can (non-throwing bool variant) - getAllowedGroups / getMatrix / setMatrix / getActions - Admin always passes (break-glass) - Default-deny on missing or malformed matrix - Matrix stored in IAppConfig under 'actions' key * lib/Repair/InitializeActions.php — seeds lib/actions.seed.json on install; preserves admin-customized matrix on upgrade * lib/actions.seed.json — empty "actions" object (template ships with no actions; implementers add one entry per requireAction() call site as the app grows) * tests/Unit/Service/ActionAuthServiceTest.php — 8 unit tests covering the contract: 1. Admin always passes 2. Default-deny on missing matrix entry 3. Admin-only matrix entry blocks non-admin 4. Group-matching non-admin passes 5. Admin in entry doesn't auto-pass non-admin 6. can() returns bool 7. Malformed matrix JSON falls back to deny 8. getAllowedGroups defaults to ['admin'] * appinfo/info.xml — registered Repair\InitializeActions on install + post-migration * openspec/architecture/adr-023-action-authorization.md — ADR copied from hydra for the app's local reference Implementers declare an action name in their controller (e.g. 'item.publish'), add it to actions.seed.json with ['admin'] default, then call $this->actionAuth->requireAction($user, 'item.publish') wrapped in try/catch for OCSForbiddenException. Admin broadens the group list via a settings UI (not included in this template port — a follow-up change can port decidesk's SettingsController matrix API). @SPEC openspec/architecture/adr-023-action-authorization.md
Contributor
Quality Report — ConductionNL/nextcloud-app-template @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ❌ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ✅ | ||||
| stylelint | ✅ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ✅ | ✅ 215/215 | |||
| PHPUnit | ⏭️ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Quality workflow — 2026-04-23 17:43 UTC
Download the full PDF report from the workflow artifacts.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Ports the ADR-023 action-authorization pattern from decidesk's reference implementation to the template so every new app picks it up for free.
What's included
lib/Service/ActionAuthService.php— the service (verbatim from decidesk@88844d0, namespace adjusted toOCA\AppTemplate).requireAction(IUser, string)— throwsOCSForbiddenExceptioncan(IUser, string): bool— non-throwing variantgetAllowedGroups/getMatrix/setMatrix/getActionsIAppConfigunderactionskey.lib/Repair/InitializeActions.php— seedslib/actions.seed.jsonon install; preserves admin-customized matrix on upgrade.lib/actions.seed.json— emptyactionsobject (template ships with no actions; implementers add one entry perrequireAction()call site as the app grows).tests/Unit/Service/ActionAuthServiceTest.php— 8 unit tests covering the contract (admin always passes, default-deny, group intersection, malformed JSON fallback, etc.).appinfo/info.xml—InitializeActionsregistered on install + post-migration.openspec/architecture/adr-023-action-authorization.md— ADR local to the app for reference.How implementers use it
Add
"item.publish": ["admin"]tolib/actions.seed.json. Admin broadens via a settings UI (not included here — follow-up can port decidesk'sSettingsControllermatrix endpoints).Not included (follow-up material)
get/setActionsonSettingsController; left out of this initial port to keep the diff surgical.