fix(BA-5277): clean up RBAC permissions on vfolder ownership transfer #10480
Open
Previously, `change_vfolder_ownership` only cleaned up legacy tables (`vfolder_invitations`, `vfolder_permissions`) but not the RBAC table (`ObjectPermissionRow`). This caused unique constraint violations when re-inviting a user after A→B→A round-trip ownership transfer.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
Cleans up RBAC ObjectPermissionRow records during vfolder ownership transfer to prevent unique-constraint conflicts on re-invite after A→B→A round-trip transfers.
Changes:
- Fetch old owner UUID during the pre-transfer query in `change_vfolder_ownership`.
- Delete RBAC object-permission records for both the new owner (invitee records) and old owner during transfer.
- Add regression tests covering RBAC cleanup and round-trip A→B→A behavior.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| tests/manager/repositories/vfolder/test_vfolder_ownership_transfer.py | Adds regression tests validating RBAC cleanup behavior during ownership transfer scenarios. |
| src/ai/backend/manager/api/vfolder.py | Fetches old owner and performs RBAC object-permission cleanup for both owners during ownership transfer. |
| changes/10480.fix.md | Documents the RBAC cleanup fix in the changelog. |
… transfer

The `try/except IntegrityError` in `map_entity_to_scope` does not recover PostgreSQL's aborted transaction state. When a stale scope-entity mapping exists, the INSERT triggers a constraint violation that aborts the transaction, causing subsequent queries (SELECT `permission_groups`) to fail with `InFailedSQLTransactionError`. Add `unmap_entity_from_scope` calls for both old and new owners alongside the existing `delete_object_permission_of_user` calls.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Old owner cleanup alone is sufficient — the `scope_id`-based deletion covers both owner and invitee records since they share the same user UUID as `scope_id`.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Verifies that old owner RBAC cleanup during each transfer removes scope-entity mappings and object permissions, so that re-inviting the user after a round-trip does not hit `IntegrityError`.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary

`ObjectPermissionRow` RBAC records for both old and new owners during `change_vfolder_ownership`, preventing unique constraint violations on re-invite after A→B→A round-trip ownership transfer

Test plan

`pants test tests/manager/repositories/vfolder/test_vfolder_ownership_transfer.py`

Resolves BA-5277
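
The A→B→A round-trip failure this pull request describes, reproduced as an added example that is not the project's code. It uses a simplified SQLite model; the table layout, the user and vfolder ids, and the `invite`, `transfer` and `round_trip_then_reinvite` helpers are assumptions made for illustration.

```python
import sqlite3

# Simplified stand-in for the RBAC table (assumed layout, not the real schema):
# one row per (user scope, vfolder), protected by a unique constraint.
SCHEMA = """
CREATE TABLE vfolders (id TEXT PRIMARY KEY, owner TEXT NOT NULL);
CREATE TABLE object_permissions (
    scope_id  TEXT NOT NULL,   -- user UUID acting as the scope
    entity_id TEXT NOT NULL,   -- vfolder id
    UNIQUE (scope_id, entity_id)
);
"""

def invite(db, vfolder_id, invitee):
    """Grant an invitee access; fails if a row for this pair already exists."""
    db.execute("INSERT INTO object_permissions VALUES (?, ?)", (invitee, vfolder_id))

def transfer(db, vfolder_id, new_owner, cleanup_rbac):
    """Change the owner; optionally delete the old owner's RBAC rows first."""
    (old_owner,) = db.execute(
        "SELECT owner FROM vfolders WHERE id = ?", (vfolder_id,)
    ).fetchone()
    if cleanup_rbac:
        # scope_id-based delete: covers rows the old owner held as an invitee too.
        db.execute(
            "DELETE FROM object_permissions WHERE scope_id = ? AND entity_id = ?",
            (old_owner, vfolder_id),
        )
    db.execute("UPDATE vfolders SET owner = ? WHERE id = ?", (new_owner, vfolder_id))

def round_trip_then_reinvite(cleanup_rbac):
    """A invites B, ownership goes A -> B -> A, then A invites B again."""
    db = sqlite3.connect(":memory:")
    try:
        db.executescript(SCHEMA)
        db.execute("INSERT INTO vfolders VALUES ('vf-1', 'user-a')")  # constructed ids
        invite(db, "vf-1", "user-b")
        transfer(db, "vf-1", "user-b", cleanup_rbac)
        transfer(db, "vf-1", "user-a", cleanup_rbac)
        try:
            invite(db, "vf-1", "user-b")  # collides with B's stale row if not cleaned
            return "ok"
        except sqlite3.IntegrityError:
            return "IntegrityError"
    finally:
        db.close()

if __name__ == "__main__":
    print("without cleanup:", round_trip_then_reinvite(cleanup_rbac=False))
    print("with cleanup:   ", round_trip_then_reinvite(cleanup_rbac=True))
```

SQLite rejects only the failing statement, so this model shows the stale-row conflict but not the PostgreSQL aborted-transaction state mentioned in the commit message above.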