Skip to content

feat: implement permissions management with WASM backend and in-memory support#6

Merged
pikann merged 1 commit into
masterfrom
feature/implement-permission-management
Jul 15, 2026
Merged

feat: implement permissions management with WASM backend and in-memory support#6
pikann merged 1 commit into
masterfrom
feature/implement-permission-management

Conversation

@pikann

@pikann pikann commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

This pull request adds a Permissions API for plugins to check the current caller's effective permissions, and hardens plugintest's in-memory DB WHERE-clause matching to support multi-condition AND and IS [NOT] NULL predicates.

New Permissions API:

  • Added PermissionBackend interface and Permissions type to backends.go, exposed via Context.Permissions().Check(permission) so route handlers can enforce authorization finer-grained than the single all-or-nothing scope declared on the route's manifest entry — e.g. "is the caller the record's owner OR do they hold time_logging.manage_all".
  • Wired the new backend through newContext/NewContextForTest (context.go, testing.go) and the WASM dispatcher (dispatch.go).
  • Implemented wasmPermissionBackend in wasm_backends.go, backed by a new paca.permission_check host import declared in wasm_imports.go.
  • Added a stubPermissionBackend in native_backends.go that always denies, so non-WASM builds compile and fail closed.
  • Added FakePermissions to plugintest/backends.go — an in-memory PermissionBackend with Grant/Revoke methods, denied by default — and exposed it as Context.Permissions in plugintest/plugintest.go.

In-memory DB WHERE-clause fixes:

  • Replaced parseSimpleSelect/parseSimpleWhere (single-condition only) with a shared parseTableAndConditions, and renamed rowMatchesConditions to matchesConditions, so SELECT and DELETE now evaluate the full WHERE clause instead of silently checking only the first AND-ed condition.
  • Added support for IS NULL / IS NOT NULL conditions, matching patterns like deleted_at IS NULL commonly used for soft-delete checks.
  • Added plugintest/backends_test.go covering multi-condition SELECT/DELETE and IS [NOT] NULL, including a regression test guarding against a WHERE evaluator that only checks the first condition.

Also includes minor //nolint comment-placement fixes in native_protocol.go and plugin.go from gofmt.

@pikann pikann changed the title feat: implement permissions management with WASM backend and in-memor… feat: implement permissions management with WASM backend and in-memory support Jul 15, 2026
@pikann
pikann merged commit 15a4879 into master Jul 15, 2026
3 checks passed
@pikann
pikann deleted the feature/implement-permission-management branch July 15, 2026 06:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant