chore: pre-publish cleanup — group-permission fix, fetched-permissions docs, .NET 10 nits #1305
Merged
…laims UserPermissionService computed the effective permission set from a user's DIRECT roles only, while IdentityService.AddRoleClaimsAsync already unions direct + group-derived roles when minting the JWT. Result: a user whose only role comes via a UserGroup saw the role in their token but failed every .RequirePermission() gate (and GET /identity/permissions under-reported).

Union direct roles with roles reachable via UserGroups -> GroupRoles before resolving permissions (group mutations already invalidate this cache entry). Query-only — no schema change.

Tests:
- GroupRolePermissionTests (integration): a group-only user's own-permissions include the group role's grants and pass the gated endpoint.
- AuthorizationMetadataTests (architecture): RequiredPermissionAttribute exists exactly once implementing IRequiredPermissionMetadata, so gates can't silently fail open via a duplicate.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…he JWT

The dashboard JWT carries only role names; auth-context.tsx fetches the effective permission list from GET /api/v1/identity/permissions, caches it, and exposes permissionsHydrated. Update the agent rules/skills to match the shipped behavior, and align the Playwright auth-seed helper: permissions in the fake JWT are inert (gated specs mock GET /identity/permissions instead).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Drop `dotnet workload install aspire` (devcontainer postCreate + template README prerequisite): .NET 10 ships Aspire as NuGet packages, no workload.
- DbMigrator is a console Generic Host, so its env gate reads DOTNET_ENVIRONMENT, not ASPNETCORE_ENVIRONMENT — fix the seed-demo refusal message + docs that told users to set the wrong variable.
- fsh CLI: the `new` example used the non-existent `--no-git`; use `--no-frontend`.
- CONTRIBUTING: Node.js 20+ to match both READMEs (was 22+).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Clears the working tree before the NuGet GA publish. Three independent, complete changes that had been sitting uncommitted — all verified by the full test suite (14 projects, ~1,790 tests green).

1. fix(identity) — group-derived roles confer permissions
   `UserPermissionService` resolved permissions from a user's direct roles only, but the JWT (`IdentityService.AddRoleClaimsAsync`) already unions direct + group-derived roles. A user whose only role came via a `UserGroup` saw the role in their token yet failed every `.RequirePermission()` gate, and `GET /identity/permissions` under-reported. Now unions roles via `UserGroups → GroupRoles` (query-only, no migration). Covered by new `GroupRolePermissionTests` (integration) + `AuthorizationMetadataTests` (architecture).
2. docs(frontend) — dashboard permissions are fetched, not in the JWT
   The dashboard JWT carries only role names; `auth-context.tsx` fetches the permission list from `GET /api/v1/identity/permissions` (`permissionsHydrated` flag, cached). Updates the agent rules/skills and the Playwright `auth-seed` helper to match shipped behavior (permissions in the fake JWT are inert; gated specs mock the endpoint).
3. chore — .NET 10 housekeeping
   - `dotnet workload install aspire` (devcontainer + template README) — .NET 10 ships Aspire as NuGet packages.
   - `DOTNET_ENVIRONMENT`, not `ASPNETCORE_ENVIRONMENT`; fix the seed-demo refusal message + docs.
   - `fsh new` example used the non-existent `--no-git` → `--no-frontend`.

Several of these files ship inside the NuGet packages (template README, DbMigrator docs, CLI example, `UserPermissionService`), so they should land before the GA packages are regenerated.

🤖 Generated with Claude Code
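An added illustration of the permission-resolution bug in item 1, written for this page rather than taken from the project: the direct-roles-only resolver beside the fix that unions roles reachable via UserGroups → GroupRoles, so the gate agrees with the JWT. The record shapes, users, groups and permission names are constructed assumptions, not the project's entities.

```csharp
// Added illustration (not the project's code) of the group-role permission bug and its fix.
// Record shapes, users, groups and permission names below are constructed assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
record UserRole(string UserId, string RoleId);          // direct role assignment
record UserGroupMember(string UserId, string GroupId);  // UserGroups membership (assumed shape)
record GroupRole(string GroupId, string RoleId);        // GroupRoles (assumed shape)
record RolePermission(string RoleId, string Permission);
static class PermissionResolver
{
    // Constructed data: "bob" has no direct role; his only role arrives via group "ops".
    static readonly List<UserRole> UserRoles = new() { new("alice", "admin") };
    static readonly List<UserGroupMember> UserGroups = new() { new("bob", "ops") };
    static readonly List<GroupRole> GroupRoles = new() { new("ops", "auditor") };
    static readonly List<RolePermission> RolePermissions = new()
    {
        new("admin", "Users.View"),
        new("auditor", "AuditTrails.View"),
    };
    // Pre-fix: direct roles only. The JWT already unions group roles, so a group-only user
    // carries the role claim yet fails every permission gate built on this result.
    public static HashSet<string> ResolveDirectOnly(string userId) =>
        PermissionsFor(UserRoles.Where(ur => ur.UserId == userId).Select(ur => ur.RoleId));
    // Fix: union direct roles with roles reachable via UserGroups -> GroupRoles. Query-only
    // over the same tables; a cache of this result must be invalidated on group mutations.
    public static HashSet<string> ResolveEffective(string userId)
    {
        var direct = UserRoles.Where(ur => ur.UserId == userId).Select(ur => ur.RoleId);
        var viaGroups = UserGroups.Where(ug => ug.UserId == userId)
            .Join(GroupRoles, ug => ug.GroupId, gr => gr.GroupId, (ug, gr) => gr.RoleId);
        return PermissionsFor(direct.Union(viaGroups));
    }
    static HashSet<string> PermissionsFor(IEnumerable<string> roleIds)
    {
        var roles = roleIds.ToHashSet();
        return RolePermissions.Where(rp => roles.Contains(rp.RoleId))
                              .Select(rp => rp.Permission).ToHashSet();
    }
    // What a RequirePermission-style gate should consult: the unioned set, matching the JWT.
    public static bool HasPermission(string userId, string permission) =>
        ResolveEffective(userId).Contains(permission);
    public static void Main()
    {
        Console.WriteLine($"direct-only permissions for bob: {ResolveDirectOnly("bob").Count}");
        Console.WriteLine($"effective permissions for bob: {ResolveEffective("bob").Count}");
        Console.WriteLine($"gate AuditTrails.View for bob: {HasPermission("bob", "AuditTrails.View")}");
    }
}
```

Running it shows the pre-fix resolver returning nothing for the group-only user while the unioned resolver grants the group role's permission, which is the divergence the integration test pins down.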