Skip to content

Fix: Add scopes for devkeys #10984

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Meldiron merged 1 commit into from
Dec 18, 2025
Merged

Fix: Add scopes for devkeys #10984

Meldiron merged 1 commit into from
Dec 18, 2025
+7 −5

Conversation

@Meldiron
Copy link
Contributor

@Meldiron Meldiron commented Dec 18, 2025

What does this PR do?

Currently project scopes were re-used; separating scopes gives more flexibility

Test Plan

Current tests must pass

Related PRs and Issues

x

Checklist

  • Have you read the Contributing Guidelines on issues?
  • If the PR includes a change to an API's metadata (desc, label, params, etc.), does it also include updated API specs and example docs?

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Dec 18, 2025
edited
Loading

📝 Walkthrough

Walkthrough

This change introduces new granular authorization scopes for developer key operations. The roles configuration file grants admin users two new permissions: devKeys.read and devKeys.write. Concurrently, five HTTP endpoints managing developer key operations (Get, List, Create, Update, Delete) are updated to use these new scope labels instead of the broader projects.read and projects.write scopes, implementing fine-grained access control for dev key management.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Rationale: The changes follow a consistent, repetitive pattern across multiple files. Each endpoint modification is identical in nature (single scope label replacement), and the roles configuration addition is straightforward. No logic, error handling, or control flow modifications are present. The homogeneity of changes across six files reduces per-file review complexity.
  • Areas to verify:
    • Confirm the new scopes (devKeys.read, devKeys.write) are correctly applied to their respective operations (read vs. write)
    • Verify that all five DevKeys endpoints have been updated (no missed endpoints)
    • Ensure the admin role in roles.php includes both new scopes and no other unintended additions

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change—adding new scopes for devkeys—and directly reflects the core purpose of the PR.
Description check ✅ Passed The description explains the motivation (separating scopes for flexibility) and testing approach, and is clearly related to the changeset.
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch fix-devkey-scopes
📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9bda831 and 7dea3f1.

📒 Files selected for processing (6)
  • app/config/roles.php (1 hunks)
  • src/Appwrite/Platform/Modules/Projects/Http/DevKeys/Create.php (1 hunks)
  • src/Appwrite/Platform/Modules/Projects/Http/DevKeys/Delete.php (1 hunks)
  • src/Appwrite/Platform/Modules/Projects/Http/DevKeys/Get.php (1 hunks)
  • src/Appwrite/Platform/Modules/Projects/Http/DevKeys/Update.php (1 hunks)
  • src/Appwrite/Platform/Modules/Projects/Http/DevKeys/XList.php (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Setup & Build Appwrite Image
  • GitHub Check: Setup & Build Appwrite Image
  • GitHub Check: scan
🔇 Additional comments (6)
src/Appwrite/Platform/Modules/Projects/Http/DevKeys/Create.php (1)

37-37: LGTM! Scope change aligns with fine-grained authorization.

The migration from projects.write to devKeys.write correctly scopes this CREATE endpoint to developer key operations.

src/Appwrite/Platform/Modules/Projects/Http/DevKeys/Get.php (1)

31-31: LGTM! Scope change correctly implements read-only authorization.

The migration from projects.read to devKeys.read properly scopes this GET endpoint to developer key read operations.

src/Appwrite/Platform/Modules/Projects/Http/DevKeys/XList.php (1)

35-35: LGTM! List endpoint correctly uses read scope.

The migration from projects.read to devKeys.read appropriately scopes this list endpoint to developer key read operations.

src/Appwrite/Platform/Modules/Projects/Http/DevKeys/Update.php (1)

32-32: LGTM! Update endpoint correctly uses write scope.

The migration from projects.write to devKeys.write properly scopes this UPDATE endpoint to developer key write operations.

src/Appwrite/Platform/Modules/Projects/Http/DevKeys/Delete.php (1)

31-31: LGTM! Delete endpoint correctly uses write scope.

The migration from projects.write to devKeys.write appropriately scopes this DELETE endpoint to developer key write operations.

app/config/roles.php (1)

61-62: LGTM! New scopes correctly added to admin roles.

The addition of devKeys.read and devKeys.write scopes to the $admins array correctly grants Admin, Developer, and Owner roles access to the devKeys endpoints. All devKeys endpoints (Create, Delete, Get, Update, XList) are properly configured with auth: [AuthType::ADMIN] and use the correct scope labels. The placement after keys.write provides logical grouping, and excluding these scopes from the $member array is appropriate since all endpoints require admin authentication.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions
Copy link

github-actions bot commented Dec 18, 2025

Security Scan Results for PR

Docker Image Scan Results

Package Version Vulnerability Severity
libpng 1.6.51-r0 CVE-2025-66293 HIGH
libpng-dev 1.6.51-r0 CVE-2025-66293 HIGH

Source Code Scan Results

🎉 No vulnerabilities found!

@github-actions
Copy link

github-actions bot commented Dec 18, 2025

✨ Benchmark results

  • Requests per second: 1,187
  • Requests with 200 status code: 213,743
  • P99 latency: 0.163221802

⚡ Benchmark Comparison

Metric This PR Latest version
RPS 1,187 1,275
200 213,743 229,632
P99 0.163221802 0.160548084

@Meldiron Meldiron requested a review from Copilot December 18, 2025 11:43
Copilot AI reviewed Dec 18, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces separate scopes for dev keys operations to provide more granular access control. Previously, dev keys endpoints reused the generic projects.read and projects.write scopes, which lacked the flexibility to manage dev keys permissions independently from general project permissions.

Key Changes:

  • Replaced projects.read and projects.write scopes with dedicated devKeys.read and devKeys.write scopes across all dev keys endpoints
  • Registered the new scopes in the application's role configuration

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file
File Description
src/Appwrite/Platform/Modules/Projects/Http/DevKeys/XList.php Updated list endpoint to use devKeys.read scope
src/Appwrite/Platform/Modules/Projects/Http/DevKeys/Get.php Updated get endpoint to use devKeys.read scope
src/Appwrite/Platform/Modules/Projects/Http/DevKeys/Create.php Updated create endpoint to use devKeys.write scope
src/Appwrite/Platform/Modules/Projects/Http/DevKeys/Update.php Updated update endpoint to use devKeys.write scope
src/Appwrite/Platform/Modules/Projects/Http/DevKeys/Delete.php Updated delete endpoint to use devKeys.write scope
app/config/roles.php Registered new devKeys.read and devKeys.write scopes

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Meldiron Meldiron merged commit 9fb1aaa into 1.8.x Dec 18, 2025
49 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@eldadfux eldadfux eldadfux approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Meldiron @eldadfux