[Task] Apply hierarchical allow/deny policy before connector access #8

Closed
opened 2026-07-06 11:36:10 +02:00 by zemion · 1 comment
Owner

Imported from the consolidated GovOPlaN product backlog.

  • Source: /mnt/DATA/Nextcloud/ADD ideas UG/Products/govoplan/backlog.md
  • Line: 121
  • Section: Milestones > Milestone 6 - External Storage Connectors
  • Source status: OPEN.

Imported backlog item:

- [ ] Apply hierarchical allow/deny policy before connector access.
<!-- codex-backlog-fingerprint:5f06d3d43e29404161f4b04e --> Imported from the consolidated GovOPlaN product backlog. - Source: `/mnt/DATA/Nextcloud/ADD ideas UG/Products/govoplan/backlog.md` - Line: `121` - Section: `Milestones > Milestone 6 - External Storage Connectors` - Source status: `OPEN.` Imported backlog item: ```markdown - [ ] Apply hierarchical allow/deny policy before connector access. ```
zemion added this to the Milestone 6 - External Storage Connectors milestone 2026-07-06 13:23:12 +02:00
Author
Owner

Codex State: done

Summary

  • Added a files-owned connector policy evaluator that returns the shared PolicyDecision shape with source_path provenance for ordered system/tenant/user/group/campaign policy sources.
  • Added POST /api/v1/files/connector-policy/evaluate for read-only connector preflight checks and wired provenance-bearing uploads/ZIP imports to enforce connector_policy_json before file content is read.
  • Denied connector imports now return HTTP 403 with the policy decision payload, so provider code can block access before remote fetch/import work starts.

Changed Files

  • README.md
  • src/govoplan_files/backend/router.py
  • src/govoplan_files/backend/schemas.py
  • src/govoplan_files/backend/storage/connector_policy.py
  • webui/src/api/files.ts
  • ../govoplan-core/tests/test_api_smoke.py

Verification

  • ./.venv/bin/python -m py_compile /mnt/DATA/git/govoplan-files/src/govoplan_files/backend/router.py /mnt/DATA/git/govoplan-files/src/govoplan_files/backend/schemas.py /mnt/DATA/git/govoplan-files/src/govoplan_files/backend/storage/connector_policy.py
  • ./.venv/bin/python -m unittest tests.test_api_smoke.ApiSmokeTests.test_managed_file_runtime_flow tests.test_api_smoke.ApiSmokeTests.test_managed_attachment_patterns_preview_build_and_mock_send tests.test_api_smoke.ApiSmokeTests.test_managed_attachment_send_uses_frozen_build_artifact_after_file_changes tests.test_api_smoke.ApiSmokeTests.test_admin_audit_supports_lazy_pagination_sorting_and_filters
  • PATH=/mnt/DATA/git/govoplan-core/webui/node_modules/.bin:/home/zemion/.nvm/versions/node/v22.22.3/bin:/home/zemion/.local/bin:/home/zemion/.codex/tmp/arg0/codex-arg0EWzbZZ:/app/bin:/app/bin:/app/bin:/usr/bin:/usr/lib/sdk/openjdk25/bin:/home/zemion/.var/app/com.vscodium.codium/data/node/bin:/home/zemion/.var/app/com.vscodium.codium/data/cargo/bin:/home/zemion/.var/app/com.vscodium.codium/data/python/bin:/home/zemion/.var/app/com.vscodium.codium/data/codium/extensions/openai.chatgpt-26.5623.101652-linux-x64/bin/linux-x86_64 /home/zemion/.nvm/versions/node/v22.22.3/bin/npm run build
## Codex State: done ### Summary - Added a files-owned connector policy evaluator that returns the shared PolicyDecision shape with source_path provenance for ordered system/tenant/user/group/campaign policy sources. - Added POST /api/v1/files/connector-policy/evaluate for read-only connector preflight checks and wired provenance-bearing uploads/ZIP imports to enforce connector_policy_json before file content is read. - Denied connector imports now return HTTP 403 with the policy decision payload, so provider code can block access before remote fetch/import work starts. ### Changed Files - `README.md` - `src/govoplan_files/backend/router.py` - `src/govoplan_files/backend/schemas.py` - `src/govoplan_files/backend/storage/connector_policy.py` - `webui/src/api/files.ts` - `../govoplan-core/tests/test_api_smoke.py` ### Verification - `./.venv/bin/python -m py_compile /mnt/DATA/git/govoplan-files/src/govoplan_files/backend/router.py /mnt/DATA/git/govoplan-files/src/govoplan_files/backend/schemas.py /mnt/DATA/git/govoplan-files/src/govoplan_files/backend/storage/connector_policy.py` - `./.venv/bin/python -m unittest tests.test_api_smoke.ApiSmokeTests.test_managed_file_runtime_flow tests.test_api_smoke.ApiSmokeTests.test_managed_attachment_patterns_preview_build_and_mock_send tests.test_api_smoke.ApiSmokeTests.test_managed_attachment_send_uses_frozen_build_artifact_after_file_changes tests.test_api_smoke.ApiSmokeTests.test_admin_audit_supports_lazy_pagination_sorting_and_filters` - `PATH=/mnt/DATA/git/govoplan-core/webui/node_modules/.bin:/home/zemion/.nvm/versions/node/v22.22.3/bin:/home/zemion/.local/bin:/home/zemion/.codex/tmp/arg0/codex-arg0EWzbZZ:/app/bin:/app/bin:/app/bin:/usr/bin:/usr/lib/sdk/openjdk25/bin:/home/zemion/.var/app/com.vscodium.codium/data/node/bin:/home/zemion/.var/app/com.vscodium.codium/data/cargo/bin:/home/zemion/.var/app/com.vscodium.codium/data/python/bin:/home/zemion/.var/app/com.vscodium.codium/data/codium/extensions/openai.chatgpt-26.5623.101652-linux-x64/bin/linux-x86_64 /home/zemion/.nvm/versions/node/v22.22.3/bin/npm run build`
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan-files#8
No description provided.