Skip to content

HP-2835: Fix Unauthorized HiApi Requests Triggered by Kafka Events#31

Open
VadymHrechukha wants to merge 1 commit intohiqdev:masterfrom
VadymHrechukha:HP-2835_fix_unauthorized_hiapi_requests_triggered_by_kafka_events
Open

HP-2835: Fix Unauthorized HiApi Requests Triggered by Kafka Events#31
VadymHrechukha wants to merge 1 commit intohiqdev:masterfrom
VadymHrechukha:HP-2835_fix_unauthorized_hiapi_requests_triggered_by_kafka_events

Conversation

@VadymHrechukha
Copy link
Copy Markdown
Collaborator

@VadymHrechukha VadymHrechukha commented Jan 12, 2026
edited by coderabbitai bot
Loading

Summary by CodeRabbit

  • New Features
    • Added support for privileged accounts that can bypass standard permission requirements in the system.

✏️ Tip: You can customize this high-level summary in your review settings.

@coderabbitai
Copy link
Copy Markdown

coderabbitai bot commented Jan 12, 2026
edited
Loading

📝 Walkthrough

Walkthrough

This PR introduces a new PrivilegedIdentity marker interface and modifies the CheckPermissionsMiddleware to allow identities implementing this interface to bypass permission checks.

Changes

Cohort / File(s) Summary
Privileged Identity Bypass
src/Endpoint/Middleware/PrivilegedIdentity.php
src/Endpoint/Middleware/CheckPermissionsMiddleware.php		 New marker interface PrivilegedIdentity added to tag identities with unrestricted permissions. Middleware updated to allow proceeding if user has required permission OR implements PrivilegedIdentity, otherwise throws InsufficientPermissionsException.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A badge of privilege, shiny and bright,
Lets some identities skip the permission flight,
The middleware whispers, "You may pass through,"
For those marked special—a shortcut or two! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The pull request title clearly and specifically describes the main change: fixing unauthorized HiApi requests triggered by Kafka events by introducing a PrivilegedIdentity marker that bypasses permission checks.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing touches
  • 📝 Generate docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot reviewed Jan 12, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (2)
src/Endpoint/Middleware/PrivilegedIdentity.php (1)

7-12: Marker interface is well-structured.

The implementation follows the marker interface pattern correctly. Consider expanding the docblock with a security note to warn future developers about the implications of implementing this interface:

📝 Optional: Enhanced documentation 
 /**
  * Marker interface for identities with unrestricted permissions.
+ *
+ * WARNING: Identities implementing this interface bypass ALL permission checks.
+ * Only implement this for trusted system-level identities (e.g., internal Kafka consumers).
  */
 interface PrivilegedIdentity
 {
 }
src/Endpoint/Middleware/CheckPermissionsMiddleware.php (1)

31-37: Consider extracting the PrivilegedIdentity check before the loop for clarity and efficiency.

The instanceof PrivilegedIdentity check is evaluated redundantly on every iteration. Extracting it improves readability and avoids repeated checks:

♻️ Suggested refactor 
     public function execute($command, callable $next)
     {
+        if ($this->user->identity instanceof PrivilegedIdentity) {
+            return $next($command);
+        }
+
         foreach ($this->endpoint->permissions as $permission) {
-            if (! $this->user->can($permission)
-                && !$this->user->identity instanceof PrivilegedIdentity
-            ) {
+            if (!$this->user->can($permission)) {
                 throw new InsufficientPermissionsException($permission);
             }
         }

         return $next($command);
     }

Note: PrivilegedIdentity is a marker interface with no current implementations. When adding implementations in the future, ensure they represent only trusted, internal identities (e.g., Kafka consumers) to avoid unintended permission bypass.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0f23e5d and 0fd0438.

📒 Files selected for processing (2)
  • src/Endpoint/Middleware/CheckPermissionsMiddleware.php
  • src/Endpoint/Middleware/PrivilegedIdentity.php

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@VadymHrechukha