fix: remove ABAC

CasLubbers · CasLubbers · commit becaabb2dc59 · 2025-11-10T09:09:37.000+01:00
diff --git a/README.md b/README.md
@@ -57,7 +57,7 @@ npm run build:spec   # Build OpenAPI specification
 
 - **Git-as-Database**: All configuration stored as YAML in Git repository
 - **OpenAPI-First**: All endpoints auto-generated from `src/openapi/*.yaml` specs
-- **Multi-Tenant**: Team isolation with RBAC/ABAC authorization
+- **Multi-Tenant**: Team isolation with RBAC authorization
 - **Real-time**: WebSocket updates for live status monitoring
 
 ### Key Components
@@ -79,7 +79,7 @@ npm run build:spec   # Build OpenAPI specification
 - **Headers required**: `Authorization`, `Auth-Group`
 - **Mock users** available for testing
 
-### Authorization (RBAC + ABAC)
+### Authorization (RBAC)
 
 - **platformAdmin**: Full system access
 - **teamAdmin**: Manage own team resources
diff --git a/src/authz.test.ts b/src/authz.test.ts
@@ -267,34 +267,6 @@ describe('Platform admin, team admin and team member scenarios', () => {
   })
 })
 
-describe('ABAC attribute denial', () => {
-  const spec: OpenAPIDoc = {
-    components: {
-      schemas: {
-        Team: { type: 'object', 'x-acl': { teamMember: ['update'] }, properties: {} },
-      },
-    },
-    paths: {},
-    security: [],
-  }
-  const teamId = 'teamA'
-  let authz: Authz
-  beforeEach(() => {
-    authz = new Authz(spec).init(sessionTeam)
-    sessionTeam.authz = { [teamId]: { deniedAttributes: { Team: ['foo', 'bar'] } } }
-  })
-  test('Denied attributes are respected', () => {
-    expect(() => authz.hasSelfService(teamId, 'foo')).not.toThrow()
-    expect(() => authz.hasSelfService(teamId, 'bar')).not.toThrow()
-  })
-  test('Allowed attribute is not denied', () => {
-    expect(() => authz.hasSelfService(teamId, 'baz')).not.toThrow()
-  })
-  afterEach(() => {
-    sessionTeam.authz = {}
-  })
-})
-
 describe('Fallback to CASL when no self-service permission', () => {
   const spec: OpenAPIDoc = {
     components: {
diff --git a/src/middleware/authz.ts b/src/middleware/authz.ts
@@ -11,7 +11,7 @@ const HttpMethodMapping: Record<string, string> = {
 }
 
 /**
- * Authorize a request based on RBAC and ABAC rules.
+ * Authorize a request based on RBAC rules.
  * Called by the security handler.
  * Throws HttpError if authorization fails.
  */

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ const HttpMethodMapping: Record<string, string> = {`
`11`	`11`	`}`
`12`	`12`
`13`	`13`	`/**`
`14`		`- * Authorize a request based on RBAC and ABAC rules.`
	`14`	`+ * Authorize a request based on RBAC rules.`
`15`	`15`	`* Called by the security handler.`
`16`	`16`	`* Throws HttpError if authorization fails.`
`17`	`17`	`*/`