[APIView] Lightweight App Permissions #13496
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
AlitzelMendez
requested review from
helen229,
maririos,
praveenkuttappan and
tjprescott
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
This PR implements a lightweight role-based access control (RBAC) system for APIView to manage user permissions through groups. The system introduces five role types (Service Team, SDK Team, Deputy Architect, Architect, and Admin) that can be assigned globally or scoped to specific programming languages. The implementation includes a comprehensive admin UI for managing permission groups, members, and role assignments.
Key changes:
- Backend permission system with Cosmos DB storage, caching layer, and RESTful API
- Frontend admin page with group management, role assignment, and member management capabilities
- Integration with existing user profile system to include permissions data
- Comprehensive test coverage for both backend and frontend components
Reviewed changes
Copilot reviewed 29 out of 29 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| tools/apiview/parsers/apiview-treestyle-parser-schema/permissions.tsp | TypeSpec schema defining permission models and role types |
| src/dotnet/APIView/APIViewWeb/LeanModels/PermissionsModels.cs | C# models for permissions with polymorphic role assignments |
| src/dotnet/APIView/APIViewWeb/Repositories/CosmosPermissionsRepository.cs | Cosmos DB repository for CRUD operations on permission groups |
| src/dotnet/APIView/APIViewWeb/Managers/PermissionsManager.cs | Business logic layer with caching for permission operations |
| src/dotnet/APIView/APIViewWeb/LeanControllers/PermissionsController.cs | REST API endpoints with admin authorization checks |
| src/dotnet/APIView/APIViewWeb/Startup.cs | Dependency injection configuration for new services |
| src/dotnet/APIView/ClientSPA/src/app/_models/permissions.ts | TypeScript models matching backend schema |
| src/dotnet/APIView/ClientSPA/src/app/_services/permissions/permissions.service.ts | Angular service for permissions API and helper methods |
| src/dotnet/APIView/ClientSPA/src/app/_components/admin-permissions-page/* | Complete admin UI with group management, role assignment, and member management |
| src/dotnet/APIView/ClientSPA/src/app/_components/shared/nav-bar/* | Integration of admin link visible only to admins |
| src/dotnet/APIView/APIViewUnitTests/PermissionsManagerTests.cs | Comprehensive backend unit tests |
| src/dotnet/APIView/ClientSPA/src/app/_services/permissions/permissions.service.spec.ts | Frontend service unit tests |
| src/dotnet/APIView/ClientSPA/src/app/_components/admin-permissions-page/*.spec.ts | Admin page component unit tests |
...iew/ClientSPA/src/app/_components/admin-permissions-page/admin-permissions-page.component.ts
Outdated
Show resolved
Hide resolved
...iew/ClientSPA/src/app/_components/admin-permissions-page/admin-permissions-page.component.ts
Show resolved
Hide resolved
...iew/ClientSPA/src/app/_components/admin-permissions-page/admin-permissions-page.component.ts
Outdated
Show resolved
Hide resolved
...iew/ClientSPA/src/app/_components/admin-permissions-page/admin-permissions-page.component.ts
Show resolved
Hide resolved
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
closes: #13004
Implements a group-based Role-Based Access Control (RBAC) system for APIView that replaces the current simple "approvers" configuration list with a more robust permissions model.
Problem
The current APIView permissions model has several limitations:
Solution
This PR implements a group-based permissions system with:
Two types of roles:
ServiceTeam,SdkTeam,Admin) - apply to all languagesArchitect,DeputyArchitect) - must be assigned to a specific languageKey Features:
PermissionsCosmos DB containerAPI Endpoints
/api/permissions/me/api/permissions/groups/api/permissions/groups/{groupId}/api/permissions/groups/api/permissions/groups/{groupId}/api/permissions/groups/{groupId}/api/permissions/groups/{groupId}/members/api/permissions/groups/{groupId}/members/{userId}Screenshots
Button only visible to Admins
Page only accessible to Admins
