
Add push device update endpoints to allowed endpoints #8086

Open
VihangaMunasinghe wants to merge 1 commit into wso2:master from VihangaMunasinghe:push-auth-device-update

@VihangaMunasinghe


Purpose

The new push device update endpoint (POST /devices/{deviceId}/update) added in identity-api-user needs to be registered in the resource access control configuration. Without this, the endpoint would be blocked by the framework's access control layer.

Related Issue

Related PRs

Goals

  • Allow the new push device update endpoint to be accessible from both tenant and organization contexts without authentication (same as the existing registration and removal endpoints), since the request itself is authenticated via a signed JWT token.

Approach

  • Added two new <Resource> entries in resource-access-control-v2.xml.j2:
    • Organization context: (.*)/o/api/users/v1/me/push/devices/(.*)/update with secured="false" for POST.
    • Tenant context: (.*)/api/users/v1/me/push/devices/(.*)/update with secured="false" for POST.
  • Follows the same pattern as the existing /remove endpoint entries.

User stories

As a mobile app user, I want the device update endpoint to be accessible so that I can update my device's push notification token or device name.

Release note

Added the push device update endpoint (/devices/{deviceId}/update) to the allowed endpoints in the resource access control configuration.

Documentation

N/A - Internal framework configuration change. No user-facing documentation impact.

Training

N/A

Certification

N/A - Configuration change with no impact on certification content.

Marketing

N/A

Automation tests

  • Unit tests
    N/A - Configuration file change only.
  • Integration tests
    N/A

Security checks

Samples

N/A

Migrations (if applicable)

No migrations required. Existing deployments will pick up the new resource access control entries on upgrade.

Learning

Followed the existing pattern used by the /remove endpoint for registering unsecured push device endpoints in both organization and tenant contexts.
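
The two patterns listed under Approach, run against constructed request paths to show which requests they exempt from authentication. This is an added example, not code from the PR or from WSO2; it assumes the access control layer matches the whole request path, and `tighten`, the tenant domain and the device ids are hypothetical.

```python
import re

# The two secured="false" entries from the PR description: (pattern, method).
UNSECURED = [
    (r"(.*)/o/api/users/v1/me/push/devices/(.*)/update", "POST"),
    (r"(.*)/api/users/v1/me/push/devices/(.*)/update", "POST"),
]


def tighten(pattern):
    """Hypothetical stricter form: device id limited to one path segment."""
    return pattern.replace("devices/(.*)/", "devices/([^/]+)/")


TIGHT = [(tighten(p), m) for p, m in UNSECURED]


def is_unsecured(method, path, entries=UNSECURED):
    """True if some entry admits this request without authentication.

    Assumption: the access control layer requires the pattern to match
    the whole request path, modelled here with re.fullmatch.
    """
    return any(
        m == method.upper() and re.fullmatch(p, path) is not None
        for p, m in entries
    )


# Constructed request lines; tenant domain and device ids are made up.
SAMPLES = [
    ("POST", "/t/example.com/api/users/v1/me/push/devices/1234/update"),
    ("POST", "/t/example.com/o/api/users/v1/me/push/devices/1234/update"),
    ("PUT", "/t/example.com/api/users/v1/me/push/devices/1234/update"),
    ("POST", "/t/example.com/api/users/v1/me/push/devices/1234"),
    ("POST", "/t/example.com/api/users/v1/me/push/devices/1234/extra/update"),
]


def audit(samples=SAMPLES):
    """Return (method, path, as_written, tightened) for each sample."""
    return [
        (m, p, is_unsecured(m, p), is_unsecured(m, p, TIGHT)) for m, p in samples
    ]


if __name__ == "__main__":
    for method, path, as_written, tightened in audit():
        print(f"{method:4} {path:68} as-written={as_written} tightened={tightened}")
```

The last sample matches as written because `(.*)` also spans `/`. Every path the entries cover relies on the endpoint's own signed-JWT check, which the PR description names as the request's authentication.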

@coderabbitai

coderabbitai Bot commented May 7, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 3530249c-f897-4ca3-8e5a-865ff1cab75b

📥 Commits

Reviewing files that changed from the base of the PR and between 66b5a3d and 8dade4e.

📒 Files selected for processing (1)
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/resource-access-control-v2.xml.j2

📝 Walkthrough


A Jinja2 XML template for resource access control is updated to extend the copyright year to 2026 and reorganize Push Device Management API resource mappings. The organization-scoped PUT endpoint is moved to group with non-organization POST and remove endpoints, and a corresponding non-organization POST endpoint is added.

Changes

Resource Access Control Configuration

| Layer / File(s) | Summary |
|---|---|
| Template Metadata: features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/resource-access-control-v2.xml.j2 | Copyright year range extended from 2023-2025 to 2023-2026. |
| Push Device Management API Resources: features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/resource-access-control-v2.xml.j2 | Organization /o/api/.../push/devices/(.*)/update PUT resource is repositioned into the non-organization Push Device Management block; new /api/.../push/devices/(.*)/update POST resource is added to non-organization section alongside existing remove entries. |

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main change: adding push device update endpoints to allowed endpoints in the resource access control configuration. |
| Description check | ✅ Passed | The description covers all required sections from the template with sufficient detail, including Purpose, Goals, Approach, User stories, Release note, and relevant N/A entries for non-applicable sections. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@sonarqubecloud

sonarqubecloud Bot commented May 7, 2026


@codecov

codecov Bot commented May 7, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.14%. Comparing base (ff0a7a6) to head (8dade4e).
⚠️ Report is 7 commits behind head on master.

Additional details and impacted files
@@             Coverage Diff              @@
##             master    #8086      +/-   ##
============================================
- Coverage     53.15%   53.14%   -0.01%     
+ Complexity    20527    20517      -10     
============================================
  Files          2147     2147              
  Lines        125919   125904      -15     
  Branches      18044    17972      -72     
============================================
- Hits          66930    66910      -20     
- Misses        50781    50792      +11     
+ Partials       8208     8202       -6     

| Flag | Coverage Δ |
|---|---|
| unit | 37.77% <ø> (ø) |

