fix: updateRepoPermissions to cleanup old permissions #5790
Conversation
henkka
force-pushed
the
repo-permissions-cleanup-old
branch
from
5b64bab to
9d95a1b
Compare
|
Surge PR preview deployment succeeded. View it at https://woodpecker-ci-woodpecker-pr-5790.surge.sh |
|
Looks good to me - but it will likely take even more time when you login (#5665)… Can you check the tests? |
I'd say really marginally as we're only doing DB calls. I wasn't aware of the mentioned PR, but I really like the async feature flag implemented there👍
Oops, fixed tests and added new test for this case. |
|
Is it actually necessary to get the current repos? Couldn't you do a |
henkka
force-pushed
the
repo-permissions-cleanup-old
branch
from
df16671 to
47c0784
Compare
good point! Refactored the whole implementation with that in mind |
henkka
force-pushed
the
repo-permissions-cleanup-old
branch
3 times, most recently
from
1fc9a65 to
be10cff
Compare
henkka
force-pushed
the
repo-permissions-cleanup-old
branch
from
be10cff to
238e52d
Compare
|
The test still seems to fail. Otherwise it looks good to me |
|
Great! The mock expectation has been updated now |
3 participants
Problem
Currently, the repository permission synchronization process is effective only for adding access, not removing it. When a user loses access to a repository on the forge, the system fails to remove the corresponding entry from the perms table. This results in stale permissions persisting in the database, allowing users to retain CI access to repositories they should no longer be able to view or interact with.
Solution
Reworked the
updateRepoPermissionslogic to perform a full reconciliation of user permissions. In addition to upserting new permissions, it now compares the fetch results against stored data and actively deletes permissions for repositories that are no longer present on the forge. This ensures that local access rights accurately reflect the current state of the user's permissions on the forge.