Skip to content

fix(backend): allow users with read access level to revoke their own access on shared workflows #4143

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
seongjinyoon wants to merge 4 commits into
base: main
Choose a base branch
from
Open

fix(backend): allow users with read access level to revoke their own access on shared workflows #4143

seongjinyoon wants to merge 4 commits into from
+409 −11

Conversation

@seongjinyoon
Copy link
Contributor

@seongjinyoon seongjinyoon commented Dec 30, 2025
edited
Loading

What changes were proposed in this PR?

This PR fixes a permission issue where users with READ access to a workflow could not revoke their own access.

Changes:

  • Updated revokeAccess() method in WorkflowAccessResource.scala to allow users to revoke their own access regardless of privilege level (READ or WRITE).
  • Added owner protection which prevents workflow owners from revoking their own access to avoid orphaned workflows.
  • Added test cases for the revokeAccess() method in WorkflowAccessResourceSpec.scala.

Before:

  • Backend requires WRITE privilege for self-revocation.
  • READ users received error when revoking their own access.

After:

  • READ users can revoke their own access to a shared workflow (leave shared workflows).
  • Owners cannot revoke their own access (prevent orphaned workflows).

Demo:

Screen.Recording.2025-12-29.at.6.13.00.PM.mov

Any related issues, documentation, discussions?

Fixes #4141.

How was this PR tested?

Run sbt "WorkflowExecutionService/testOnly *WorkflowAccessResourceSpec"

The test cases cover the following scenarios:

  • Users with WRITE access can revoke other users' access.
  • Users with READ access cannot revoke other users' access.
  • Users can revoke their own access regardless of access level.
  • Owner's access cannot be revoked by others.
  • Owner cannot revoke their own access.
  • Error handling for non-existing users.
  • Revoking access does not affect other users' access level.
  • Revoke access of a user who does not have access.

Was this PR authored or co-authored using generative AI tooling?

No.

@seongjinyoon seongjinyoon changed the title Fix/revoke access depends on level fix(backend): allow users with read access level to revoke their own access on shared workflows Dec 30, 2025
@chenlica
Copy link
Contributor

chenlica commented Dec 30, 2025

Thanks for the PR. A few comments:

  1. In the video the user clicked the share button for the computing unit. If so, I think it should show something related to a workflow.

  2. Can we add some test cases to replace manual testing?

@seongjinyoon
Copy link
Contributor Author

seongjinyoon commented Dec 30, 2025

What changes were proposed in this PR?

This PR fixes a permission issue where users with READ access to a workflow could not revoke their own access.

Changes:

  • Updated revokeAccess() method in WorkflowAccessResource.scala to allow users to revoke their own access regardless of privilege level (READ or WRITE).
  • Added owner protection which prevents workflow owners from revoking their own access to avoid orphaned workflows.

Before:

  • Backend requires WRITE privilege for self-revocation.
  • READ users received error when revoking their own access.

After:

  • READ users can revoke their own access to a shared workflow (leave shared workflows).
  • Owners cannot revoke their own access (prevent orphaned workflows).

Demo:

Screen.Recording.2025-12-29.at.6.13.00.PM.mov

Any related issues, documentation, discussions?

Fixes #4141.

How was this PR tested?

Manually tested.

Was this PR authored or co-authored using generative AI tooling?

No.

Thanks for the PR. A few comments:

  1. In the video the user clicked the share button for the computing unit. If so, I think it should show something related to a workflow.
  2. Can we add some test cases to replace manual testing?

For 1. In the video, the user clicks on the share button for the workflow.
For 2. I will add test cases for this PR.

@seongjinyoon
Copy link
Contributor Author

seongjinyoon commented Dec 30, 2025

@chenlica I have added test cases.

@chenlica chenlica requested a review from aicam December 31, 2025 01:32
@chenlica
Copy link
Contributor

chenlica commented Dec 31, 2025

@aicam Please review it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aicam aicam Awaiting requested review from aicam

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

engine fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Users with read access to workflows cannot revoke the access to that workflow.

2 participants

@seongjinyoon @chenlica