Squashed commit of the following:

commit 4d914e0
Author: Sid <[email protected]>
Date:   Thu Oct 23 13:11:03 2025 +0200

    [Write restricted dashboards] Change AccessMode const (elastic#239973)

    Closes elastic#237816

    PR changes the `read_only` const we've been using to `write_restricted`.
    We've also changed the integration and unit test descriptions to match
    this. No functional changes here.

    ---------

    Co-authored-by: Elastic Machine <[email protected]>
    Co-authored-by: “jeramysoucy” <[email protected]>
    Co-authored-by: kibanamachine <[email protected]>

Author: jeramysoucy

.buildkite/ftr_platform_stateful_configs.yml

@@ -332,7 +332,7 @@ enabled:
   - x-pack/platform/test/spaces_api_integration/security_and_spaces/config_basic.ts
   - x-pack/platform/test/spaces_api_integration/security_and_spaces/config_trial.ts
   - x-pack/platform/test/spaces_api_integration/spaces_only/config.ts
-  - x-pack/platform/test/spaces_api_integration/read_only_objects/config.ts
+  - x-pack/platform/test/spaces_api_integration/access_control_objects/config.ts
   - x-pack/platform/test/task_manager_claimer_update_by_query/config.ts
   - x-pack/platform/test/ui_capabilities/security_and_spaces/config.ts
   - x-pack/platform/test/ui_capabilities/spaces_only/config.ts

package.json

@@ -164,6 +164,7 @@
     "@hapi/wreck": "^18.1.0",
     "@hello-pangea/dnd": "18.0.1",
     "@kbn/aad-fixtures-plugin": "link:x-pack/platform/test/alerting_api_integration/common/plugins/aad",
+    "@kbn/access-control-test-plugin": "link:x-pack/platform/test/spaces_api_integration/common/plugins/access_control_test_plugin",
     "@kbn/actions-plugin": "link:x-pack/platform/plugins/shared/actions",
     "@kbn/actions-simulators-plugin": "link:x-pack/platform/test/alerting_api_integration/common/plugins/actions_simulators",
     "@kbn/actions-types": "link:src/platform/packages/shared/kbn-actions-types",
@@ -824,7 +825,6 @@
     "@kbn/react-kibana-context-theme": "link:src/platform/packages/shared/react/kibana_context/theme",
     "@kbn/react-kibana-mount": "link:src/platform/packages/shared/react/kibana_mount",
     "@kbn/react-mute-legacy-root-warning": "link:src/platform/packages/private/kbn-react-mute-legacy-root-warning",
-    "@kbn/read-only-objects-test-plugin": "link:x-pack/platform/test/spaces_api_integration/common/plugins/read_only_objects_test_plugin",
     "@kbn/recently-accessed": "link:src/platform/packages/shared/kbn-recently-accessed",
     "@kbn/reindex-service-plugin": "link:x-pack/platform/plugins/private/reindex_service",
     "@kbn/remote-clusters-plugin": "link:x-pack/platform/plugins/private/remote_clusters",

src/core/packages/saved-objects/api-server-internal/src/lib/apis/bulk_create.test.ts

@@ -1093,7 +1093,7 @@ describe('#bulkCreate', () => {
 
       describe('access control', () => {
         const CURRENT_USER_PROFILE_ID = 'current_user_profile_id';
-        const READ_ONLY_TYPE = 'read-only-type';
+        const ACCESS_CONTROL_TYPE = 'access-control-type';
 
         beforeEach(() => {
           securityExtension.getCurrentUser.mockReturnValue({
@@ -1116,7 +1116,7 @@ describe('#bulkCreate', () => {
         });
 
         registry.registerType({
-          name: READ_ONLY_TYPE,
+          name: ACCESS_CONTROL_TYPE,
           hidden: false,
           namespaceType: 'multiple-isolated',
           supportsAccessControl: true,
@@ -1143,13 +1143,13 @@ describe('#bulkCreate', () => {
             references: [{ name: 'ref_0', type: 'test', id: '1' }],
           };
           const obj2AccessControl = {
-            type: READ_ONLY_TYPE,
+            type: ACCESS_CONTROL_TYPE,
             id: 'has-read-only-metadata',
             attributes: { title: 'Test Two' },
             references: [{ name: 'ref_0', type: 'test', id: '2' }],
           };
           await bulkCreateSuccess(client, repository, [obj1NoAccessControl, obj2AccessControl], {
-            accessControl: { accessMode: 'read_only' },
+            accessControl: { accessMode: 'write_restricted' },
           });
 
           expect(securityExtension.authorizeBulkCreate).toHaveBeenCalledWith(
@@ -1164,14 +1164,14 @@ describe('#bulkCreate', () => {
                   // explicitly confirm there is no accessControl for non-supporting type
                 },
                 {
-                  type: READ_ONLY_TYPE,
+                  type: ACCESS_CONTROL_TYPE,
                   id: 'has-read-only-metadata',
                   name: 'Test Two',
                   existingNamespaces: [],
                   initialNamespace: undefined,
                   accessControl: {
                     owner: CURRENT_USER_PROFILE_ID,
-                    accessMode: 'read_only',
+                    accessMode: 'write_restricted',
                   },
                 },
               ]),
@@ -1186,11 +1186,11 @@ describe('#bulkCreate', () => {
             attributes: { title: 'Test One' },
             references: [{ name: 'ref_0', type: 'test', id: '1' }],
             accessControl: {
-              accessMode: 'read_only',
+              accessMode: 'write_restricted',
             } as Pick<SavedObjectAccessControl, 'accessMode'>,
           };
           const obj2AccessControl = {
-            type: READ_ONLY_TYPE,
+            type: ACCESS_CONTROL_TYPE,
             id: 'has-read-only-metadata',
             attributes: { title: 'Test Two' },
             references: [{ name: 'ref_0', type: 'test', id: '2' }],
@@ -1199,7 +1199,7 @@ describe('#bulkCreate', () => {
             } as Pick<SavedObjectAccessControl, 'accessMode'>,
           };
           const obj3AccessControl = {
-            type: READ_ONLY_TYPE,
+            type: ACCESS_CONTROL_TYPE,
             id: 'has-read-only-metadata',
             attributes: { title: 'Test Three' },
             references: [{ name: 'ref_0', type: 'test', id: '3' }],
@@ -1209,7 +1209,7 @@ describe('#bulkCreate', () => {
             repository,
             [obj1NoAccessControl, obj2AccessControl, obj3AccessControl],
             {
-              accessControl: { accessMode: 'read_only' },
+              accessControl: { accessMode: 'write_restricted' },
             }
           );
 
@@ -1225,7 +1225,7 @@ describe('#bulkCreate', () => {
                   // explicitly confirm there is no accessControl for non-supporting type
                 },
                 {
-                  type: READ_ONLY_TYPE,
+                  type: ACCESS_CONTROL_TYPE,
                   id: 'has-read-only-metadata',
                   name: 'Test Two',
                   existingNamespaces: [],
@@ -1236,14 +1236,14 @@ describe('#bulkCreate', () => {
                   },
                 },
                 {
-                  type: READ_ONLY_TYPE,
+                  type: ACCESS_CONTROL_TYPE,
                   id: 'has-read-only-metadata',
                   name: 'Test Three',
                   existingNamespaces: [],
                   initialNamespace: undefined,
                   accessControl: {
                     owner: CURRENT_USER_PROFILE_ID,
-                    accessMode: 'read_only', // explicitly confirm the mode is NOT overriden
+                    accessMode: 'write_restricted', // explicitly confirm the mode is NOT overriden
                   },
                 },
               ]),
@@ -1261,13 +1261,13 @@ describe('#bulkCreate', () => {
             references: [{ name: 'ref_0', type: 'test', id: '1' }],
           };
           const obj2AccessControl = {
-            type: READ_ONLY_TYPE,
+            type: ACCESS_CONTROL_TYPE,
             id: 'has-read-only-metadata',
             attributes: { title: 'Test Two' },
             references: [{ name: 'ref_0', type: 'test', id: '2' }],
           };
           await bulkCreateSuccess(client, repository, [obj1NoAccessControl, obj2AccessControl], {
-            accessControl: { accessMode: 'read_only' },
+            accessControl: { accessMode: 'write_restricted' },
           });
 
           expect(securityExtension.authorizeBulkCreate).toHaveBeenCalledWith(
@@ -1297,7 +1297,7 @@ describe('#bulkCreate', () => {
             references: [{ name: 'ref_0', type: 'test', id: '1' }],
           };
           const obj2AccessControl = {
-            type: READ_ONLY_TYPE,
+            type: ACCESS_CONTROL_TYPE,
             id: 'could-have-read-only-metadata',
             attributes: { title: 'Test Two' },
             references: [{ name: 'ref_0', type: 'test', id: '2' }],
@@ -1316,7 +1316,7 @@ describe('#bulkCreate', () => {
                   // explicitly confirm there is no accessControl for non-supporting type
                 },
                 {
-                  type: READ_ONLY_TYPE,
+                  type: ACCESS_CONTROL_TYPE,
                   id: 'could-have-read-only-metadata',
                   name: 'Test Two',
                   existingNamespaces: [],

src/core/packages/saved-objects/api-server-internal/src/lib/apis/create.test.ts

@@ -862,7 +862,7 @@ describe('#create', () => {
             id,
             namespace,
             accessControl: {
-              accessMode: 'read_only',
+              accessMode: 'write_restricted',
             },
           })
         ).rejects.toThrowError(
@@ -878,7 +878,7 @@ describe('#create', () => {
           mockAuthenticatedUser({ profile_uid: 'u_test_user_version' })
         );
         const accessControl = {
-          accessMode: 'read_only' as const,
+          accessMode: 'write_restricted' as const,
         };
 
         const result = await repository.create(ACCESS_CONTROL_TYPE, attributes, {
@@ -901,7 +901,7 @@ describe('#create', () => {
           updated_by: 'u_test_user_version',
           created_by: 'u_test_user_version',
           accessControl: {
-            accessMode: 'read_only',
+            accessMode: 'write_restricted',
             owner: 'u_test_user_version',
           },
         });
@@ -915,12 +915,12 @@ describe('#create', () => {
             namespace,
             references,
             accessControl: {
-              accessMode: 'read_only',
+              accessMode: 'write_restricted',
             },
           })
         ).rejects.toThrowError(
           createBadRequestErrorPayload(
-            `Unable to create \"read_only\" \"accessControlType\" saved object. User profile ID not found.`
+            `Unable to create \"write_restricted\" \"accessControlType\" saved object. User profile ID not found.`
           )
         );
         expect(client.create).not.toHaveBeenCalled();

src/core/packages/saved-objects/api-server-internal/src/lib/apis/internals/change_object_access_control.test.ts

@@ -36,8 +36,8 @@ jest.mock('../utils', () => ({
 
 type SetupParams = Partial<Pick<ChangeAccessControlParams, 'objects'>>;
 
-const READ_ONLY_TYPE = 'read-only-type';
-const NON_READ_ONLY_TYPE = 'non-read-only-type';
+const ACCESS_CONTROL_TYPE = 'access-control-type';
+const NON_ACCESS_CONTROL_TYPE = 'non-access-control-type';
 
 const BULK_ERROR = {
   error: 'Oh no, a bulk error!',
@@ -58,14 +58,14 @@ describe('changeObjectAccessControl', () => {
     securityExtension?: ISavedObjectsSecurityExtension
   ) {
     const registry = typeRegistryMock.create();
-    registry.supportsAccessControl.mockImplementation((type) => type === READ_ONLY_TYPE);
+    registry.supportsAccessControl.mockImplementation((type) => type === ACCESS_CONTROL_TYPE);
     client = elasticsearchClientMock.createElasticsearchClient();
     const serializer = new SavedObjectsSerializer(registry);
 
     return {
       mappings: { properties: {} }, // doesn't matter, only used as an argument to deleteLegacyUrlAliases which is mocked
       registry,
-      allowedTypes: [READ_ONLY_TYPE, NON_READ_ONLY_TYPE],
+      allowedTypes: [ACCESS_CONTROL_TYPE, NON_ACCESS_CONTROL_TYPE],
       client,
       serializer,
       logger: loggerMock.create(),
@@ -90,8 +90,8 @@ describe('changeObjectAccessControl', () => {
     const result = results.map((x) =>
       x.found
         ? {
-            _id: `${x.type ?? READ_ONLY_TYPE}:${x.id ?? 'id-unknown'}`,
-            _index: `index-for-${x.type ?? READ_ONLY_TYPE}`,
+            _id: `${x.type ?? ACCESS_CONTROL_TYPE}:${x.id ?? 'id-unknown'}`,
+            _index: `index-for-${x.type ?? ACCESS_CONTROL_TYPE}`,
             _source: { namespaces: x.namespaces, accessControl: x.accessControl },
             _seq_no: VERSION_PROPS._seq_no,
             _primary_term: VERSION_PROPS._primary_term,
@@ -130,7 +130,7 @@ describe('changeObjectAccessControl', () => {
     describe('validation', () => {
       it('throws if owner is not specified', async () => {
         const params = setup({
-          objects: [{ type: READ_ONLY_TYPE, id: 'id-1' }],
+          objects: [{ type: ACCESS_CONTROL_TYPE, id: 'id-1' }],
         });
 
         await expect(() =>
@@ -149,7 +149,7 @@ describe('changeObjectAccessControl', () => {
 
       it('throws if owner has invalid user profile id', async () => {
         const params = setup({
-          objects: [{ type: READ_ONLY_TYPE, id: 'id-1' }],
+          objects: [{ type: ACCESS_CONTROL_TYPE, id: 'id-1' }],
         });
 
         await expect(() =>
@@ -166,11 +166,11 @@ describe('changeObjectAccessControl', () => {
         );
       });
 
-      it('returns error if no read-only objects are specified', async () => {
+      it('returns error if no access control objects are specified', async () => {
         const params = setup({
           objects: [
-            { type: NON_READ_ONLY_TYPE, id: 'id-1' },
-            { type: NON_READ_ONLY_TYPE, id: 'id-2' },
+            { type: NON_ACCESS_CONTROL_TYPE, id: 'id-1' },
+            { type: NON_ACCESS_CONTROL_TYPE, id: 'id-2' },
           ],
         });
 
@@ -186,15 +186,15 @@ describe('changeObjectAccessControl', () => {
         const error = result.objects[0].error;
         expect(error).toBeTruthy();
         expect(error!.message).toBe(
-          `The type ${NON_READ_ONLY_TYPE} does not support access control: Bad Request`
+          `The type ${NON_ACCESS_CONTROL_TYPE} does not support access control: Bad Request`
         );
       });
     });
 
     describe('bulk and mget behavior', () => {
       it('does not call bulk if no objects need to be updated', async () => {
         const params = setup({
-          objects: [{ type: NON_READ_ONLY_TYPE, id: 'id-1' }],
+          objects: [{ type: NON_ACCESS_CONTROL_TYPE, id: 'id-1' }],
         });
         mockMgetResults([{ found: true, namespaces: ['default'] }]);
         const result = await changeObjectAccessControl({
@@ -212,13 +212,13 @@ describe('changeObjectAccessControl', () => {
     describe('authorization of operations', () => {
       it('successfully delegates to security extension for change ownership', async () => {
         const params = setup({
-          objects: [{ type: READ_ONLY_TYPE, id: 'id-1' }],
+          objects: [{ type: ACCESS_CONTROL_TYPE, id: 'id-1' }],
         });
         mockMgetResults([
           {
             found: true,
             namespaces: ['default'],
-            type: READ_ONLY_TYPE,
+            type: ACCESS_CONTROL_TYPE,
             id: 'id-1',
             accessControl: {
               owner: 'new-owner',
@@ -239,7 +239,7 @@ describe('changeObjectAccessControl', () => {
             namespace: 'default',
             objects: [
               {
-                type: READ_ONLY_TYPE,
+                type: ACCESS_CONTROL_TYPE,
                 id: 'id-1',
                 accessControl: {
                   owner: 'new-owner',
@@ -259,7 +259,7 @@ describe('changeObjectAccessControl', () => {
     describe('validation', () => {
       it('throws if access mode is not specified', async () => {
         const params = setup({
-          objects: [{ type: READ_ONLY_TYPE, id: 'id-1' }],
+          objects: [{ type: ACCESS_CONTROL_TYPE, id: 'id-1' }],
         });
 
         await expect(() =>
@@ -276,15 +276,15 @@ describe('changeObjectAccessControl', () => {
         );
       });
 
-      it('returns error if no read-only objects are specified', async () => {
+      it('returns error if no access control objects are specified', async () => {
         const params = setup({
-          objects: [{ type: NON_READ_ONLY_TYPE, id: 'id-1' }],
+          objects: [{ type: NON_ACCESS_CONTROL_TYPE, id: 'id-1' }],
         });
 
         const result = await changeObjectAccessControl({
           ...params,
           options: {
-            accessMode: 'read_only',
+            accessMode: 'write_restricted',
           },
           actionType: 'changeAccessMode',
           currentUserProfileUid: mockUserProfileId,
@@ -293,20 +293,20 @@ describe('changeObjectAccessControl', () => {
         const error = result.objects[0].error;
         expect(error).toBeTruthy();
         expect(error!.message).toBe(
-          `The type ${NON_READ_ONLY_TYPE} does not support access control: Bad Request`
+          `The type ${NON_ACCESS_CONTROL_TYPE} does not support access control: Bad Request`
         );
       });
     });
     describe('authorization of operations', () => {
       it('successfully delegates to security extension for change access mode', async () => {
         const params = setup({
-          objects: [{ type: READ_ONLY_TYPE, id: 'id-1' }],
+          objects: [{ type: ACCESS_CONTROL_TYPE, id: 'id-1' }],
         });
         mockMgetResults([
           {
             found: true,
             namespaces: ['default'],
-            type: READ_ONLY_TYPE,
+            type: ACCESS_CONTROL_TYPE,
             id: 'id-1',
             accessControl: {
               owner: 'new-owner',
@@ -318,7 +318,7 @@ describe('changeObjectAccessControl', () => {
         await changeObjectAccessControl({
           ...params,
           securityExtension: params.securityExtension,
-          options: { accessMode: 'read_only', namespace: 'default' },
+          options: { accessMode: 'write_restricted', namespace: 'default' },
           actionType: 'changeAccessMode',
           currentUserProfileUid: mockUserProfileId,
         });
@@ -327,7 +327,7 @@ describe('changeObjectAccessControl', () => {
             namespace: 'default',
             objects: [
               {
-                type: READ_ONLY_TYPE,
+                type: ACCESS_CONTROL_TYPE,
                 id: 'id-1',
                 accessControl: {
                   owner: 'new-owner',