[Feature] Move access permissions and default role templates into the access manifest #77

Closed
opened 2026-07-06 15:05:26 +02:00 by zemion · 2 comments
Owner

Imported from a backlog-like text file.

  • Source: /mnt/DATA/Nextcloud/ADD ideas UG/Products/govoplan/split-concept-action-plan.md
  • Line: 151
  • Source kind: product
  • Section: GovOPlaN Split Concept and Action Plan > Staged Refactor Plan > Phase 2: Extract Access

Imported item:

Move access permissions and default role templates into the access manifest.
<!-- codex-generic-backlog-fingerprint:5c7773897d4a2ae2af38b12d --> Imported from a backlog-like text file. - Source: `/mnt/DATA/Nextcloud/ADD ideas UG/Products/govoplan/split-concept-action-plan.md` - Line: `151` - Source kind: `product` - Section: `GovOPlaN Split Concept and Action Plan > Staged Refactor Plan > Phase 2: Extract Access` Imported item: ```text Move access permissions and default role templates into the access manifest. ```
zemion added this to the Phase 2: Extract Access milestone 2026-07-06 15:05:26 +02:00
zemion added the
type
feature
priority
p2
source/backlog-import
codex/ready
labels 2026-07-07 23:26:10 +02:00
zemion added the
status
triage
label 2026-07-08 02:54:16 +02:00
Author
Owner

Codex State: progress

Summary

  • Access manifest now declares access permissions and role templates, but the runtime is not fully migrated yet.

Next / Blocked

  • Access admin routes/default role seeding still consume govoplan_core.security.permissions and old admin:/system: scope names. Keep this issue open until those paths use the active module registry catalogue/templates or an explicit compatibility layer.
  • Related legacy catalogue cleanup should be handled with #40 so upgraded role data remains compatible.

Suggested status label: status/in-progress

## Codex State: progress ### Summary - Access manifest now declares access permissions and role templates, but the runtime is not fully migrated yet. ### Next / Blocked - Access admin routes/default role seeding still consume govoplan_core.security.permissions and old admin:/system: scope names. Keep this issue open until those paths use the active module registry catalogue/templates or an explicit compatibility layer. - Related legacy catalogue cleanup should be handled with #40 so upgraded role data remains compatible. Suggested status label: `status/in-progress`
Author
Owner

Codex State: done

Summary

  • Access now owns the permission catalog helpers, legacy access aliases, permission validation/delegation helpers, and role-template lookup.
  • Access default role seeding now reads access manifest role templates instead of core DEFAULT_* role definitions; editable system templates remain editable while protected owner templates stay code-managed.
  • Core only retains compatibility scope mapping so old scopes and canonical access scopes keep working during migration.

Changed Files

  • /mnt/DATA/git/govoplan-access/src/govoplan_access/backend/permissions/catalog.py
  • /mnt/DATA/git/govoplan-access/src/govoplan_access/backend/manifest.py
  • /mnt/DATA/git/govoplan-access/src/govoplan_access/backend/admin/service.py
  • /mnt/DATA/git/govoplan-core/src/govoplan_core/security/module_permissions.py
  • /mnt/DATA/git/govoplan-core/webui/src/utils/permissions.ts
  • /mnt/DATA/git/govoplan-core/tests/test_module_system.py

Verification

  • python -m py_compile src/govoplan_core/security/module_permissions.py
  • python -m py_compile src/govoplan_access/backend/permissions/catalog.py src/govoplan_access/backend/admin/service.py src/govoplan_access/backend/api/v1/routes.py
  • /mnt/DATA/git/govoplan-core/.venv/bin/python -m unittest tests.test_access_contracts tests.test_module_system
  • npm run build (govoplan-core/webui; passes with existing npm tmp warning)
## Codex State: done ### Summary - Access now owns the permission catalog helpers, legacy access aliases, permission validation/delegation helpers, and role-template lookup. - Access default role seeding now reads access manifest role templates instead of core DEFAULT_* role definitions; editable system templates remain editable while protected owner templates stay code-managed. - Core only retains compatibility scope mapping so old scopes and canonical access scopes keep working during migration. ### Changed Files - `/mnt/DATA/git/govoplan-access/src/govoplan_access/backend/permissions/catalog.py` - `/mnt/DATA/git/govoplan-access/src/govoplan_access/backend/manifest.py` - `/mnt/DATA/git/govoplan-access/src/govoplan_access/backend/admin/service.py` - `/mnt/DATA/git/govoplan-core/src/govoplan_core/security/module_permissions.py` - `/mnt/DATA/git/govoplan-core/webui/src/utils/permissions.ts` - `/mnt/DATA/git/govoplan-core/tests/test_module_system.py` ### Verification - `python -m py_compile src/govoplan_core/security/module_permissions.py` - `python -m py_compile src/govoplan_access/backend/permissions/catalog.py src/govoplan_access/backend/admin/service.py src/govoplan_access/backend/api/v1/routes.py` - `/mnt/DATA/git/govoplan-core/.venv/bin/python -m unittest tests.test_access_contracts tests.test_module_system` - `npm run build (govoplan-core/webui; passes with existing npm tmp warning)`
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan-core#77
No description provided.