
feat(authz): prevent non-owners from managing owner memberships #2776

Merged
migmartri merged 3 commits into chainloop-dev:main from migmartri:migmartri/admin-role-guard
Feb 24, 2026
Conversation

@migmartri (Member)

Summary

  • Add a new PolicyOrganizationManageOwners authorization policy granted exclusively to the owner role
  • Guard DeleteOther and UpdateRole in the membership use case so only owners can promote/demote/remove owner memberships
  • Pass the caller's authorization role from the service layer into the use case methods

Closes #2775

Return 403 Forbidden instead of 400 Bad Request when a non-owner
attempts to manage owner memberships, and update test assertions
accordingly.

Signed-off-by: Miguel Martinez <[email protected]>
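The kind of use-case guard this PR describes, as an added example in Go that is not Chainloop's own code: the role and policy names, the in-memory policy table and the error-to-status mapping in the comments are assumptions for illustration.

```go
package main

import "errors"

// Roles and policies are constructed for this example; names mirror the PR, not Chainloop's code.
type Role string
type Policy string

const (
	RoleOwner  Role = "owner"
	RoleAdmin  Role = "admin"
	RoleMember Role = "member"
	// Granted exclusively to the owner role.
	PolicyOrganizationManageOwners Policy = "organization:manage-owners"
)
// Assumed in-memory policy table; only owners hold the manage-owners policy.
var rolePolicies = map[Role]map[Policy]bool{RoleOwner: {PolicyOrganizationManageOwners: true}}
var (
	ErrForbidden   = errors.New("only owners may manage owner memberships") // service maps to 403
	ErrInvalidRole = errors.New("unknown role")                              // service maps to 400
)
type Membership struct {
	ID   string
	Role Role
}

func validRole(r Role) bool { return r == RoleOwner || r == RoleAdmin || r == RoleMember }
// canManageOwners is the caller-role check the service layer passes down to the use case.
func canManageOwners(callerRole Role) bool { return rolePolicies[callerRole][PolicyOrganizationManageOwners] }

// UpdateRole: if either the current or the target role is owner, the caller needs the
// manage-owners policy. Input validation runs first so a malformed request stays a 400,
// while a well-formed but unauthorized one is a 403 instead of a 400.
func UpdateRole(callerRole Role, m *Membership, newRole Role) error {
	if !validRole(newRole) {
		return ErrInvalidRole
	}
	if (m.Role == RoleOwner || newRole == RoleOwner) && !canManageOwners(callerRole) {
		return ErrForbidden
	}
	m.Role = newRole
	return nil
}
// DeleteOther: removing an owner membership is guarded by the same policy.
func DeleteOther(callerRole Role, m *Membership) error {
	if m.Role == RoleOwner && !canManageOwners(callerRole) {
		return ErrForbidden
	}
	return nil
}
```

Checking both the current and the target role in UpdateRole is what closes the promotion path as well as the demotion path; guarding only the target role would still let an admin demote an owner.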
@matiasinsaurralde (Contributor) left a comment

Looks good!

@migmartri (Member, Author)

@cubic-dev-ai review

@cubic-dev-ai (bot) commented Feb 24, 2026

@cubic-dev-ai review

@migmartri I have started the AI code review. It will take a few minutes to complete.

@cubic-dev-ai (bot) left a comment

No issues found across 6 files

@migmartri migmartri merged commit 2a39893 into chainloop-dev:main Feb 24, 2026
15 checks passed

Development

Successfully merging this pull request may close these issues.

Prevent non-owner members from managing owner-level memberships
