Add granular scope feature #8178
Walkthrough (CodeRabbit): This PR adds granular console permission support across API resource collection contracts, configuration parsing, manager bucket population, and console scope definitions. It also introduces the configuration flag in identity-core defaults and expands tests for the new scope handling.
Codecov Report: ❌ Patch coverage is
Additional details and impacted files:

```text
@@             Coverage Diff              @@
##             master    #8178      +/-   ##
============================================
+ Coverage     52.81%   52.83%   +0.02%
- Complexity    21178    21250      +72
============================================
  Files          2197     2197
  Lines        130615   131048     +433
  Branches      19622    19769     +147
============================================
+ Hits          68978    69241     +263
- Misses        53241    53392     +151
- Partials       8396     8415      +19
```
Actionable comments posted: 6
Caution: Some comments are outside the diff and can't be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml (1)
Lines 799-807: 🗄️ Data Integrity & Integration | 🟠 Major
Shipped XML is missing new sibling scopes defined in the template.
The `<Update>` blocks in `features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml` lack the `console:applications_create`, `console:applications_update`, and `console:applications_delete` scopes present in the `api-resource-collection.xml.j2` template. Specific discrepancies confirmed:
- applicationAuthenticationScript: The `<Update>` block containing `internal_application_script_update` has only `console:applications_edit` in the generated file, whereas the template defines `console:applications_edit` plus `create`, `update`, and `delete`.
- applicationClientSecretManagement: Similarly missing the expanded `console:applications_create/update/delete` scopes in the generated version.
- Total Impact: The generated file is missing 44 scopes found in the template.
Ensure this artifact is regenerated from the template or manually updated to include these missing permissions.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml` around lines 799 - 807, The generated api-resource-collection.xml is out of sync with the api-resource-collection.xml.j2 template and is missing sibling console application scopes in several <Update> blocks. Regenerate the artifact from the template, or manually update the affected sections such as applicationAuthenticationScript and applicationClientSecretManagement to include the missing console:applications_create, console:applications_update, and console:applications_delete scopes alongside the existing entries, ensuring all template-defined permissions are present.
🧹 Nitpick comments (2)
components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionMgtConfigBuilder.java (2)
Lines 174-209: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value
Unresolved holder scopes are silently dropped.
When a holder scope under `<Read>`/`<Create>`/`<Update>`/`<Delete>` is not owned by any collection's `<Feature>` block, `holderResolutionMap.getOrDefault(scopeName, Collections.emptySet())` contributes nothing and the holder name is removed, so a misconfigured/unknown holder vanishes with no diagnostics. Consider a guarded debug log to aid troubleshooting of misconfigured console scopes. As per path instructions: "Suggest log statements at error handling boundaries" and around "key decision points".
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionMgtConfigBuilder.java` around lines 174 - 209, Unresolved holder scopes are being dropped silently in APIResourceCollectionMgtConfigBuilder while resolving Read/Create/Update/Delete scopes. Update the holder-scope handling in the action branches to detect when holderResolutionMap has no entry for scopeName, preserve or report that unresolved scope, and add a guarded debug log at this decision point so misconfigured console scopes are visible during troubleshooting.
Source: Path instructions
Lines 415-441: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value
`resolveOwnerActionScopes` returns `null` for unrecognized feature scopes.
SonarCloud flags the `return null` at the end of this method. The caller (`buildHolderResolutionMap`) does null-check it, so this is functionally safe; the `null` meaningfully signals "not a recognized feature scope" versus an owned holder with no leaves. If you prefer to satisfy the static-analysis rule, document the intent or have the caller filter rather than relying on the sentinel.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionMgtConfigBuilder.java` around lines 415 - 441, resolveOwnerActionScopes currently uses a null sentinel for unrecognized feature scopes, which triggers static-analysis warnings. Update APIResourceCollectionMgtConfigBuilder so the intent is explicit: either return an empty set instead of null and have buildHolderResolutionMap treat empty results as "not recognized," or keep the sentinel but document and centralize the null handling at the caller. Use the resolveOwnerActionScopes and buildHolderResolutionMap symbols to make the behavior clear and avoid relying on an undocumented null return.
Source: Linters/SAST tools
📒 Files selected for processing (20)
- components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/pom.xml
- components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagerImpl.java
- components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/constant/APIResourceCollectionManagementConstants.java
- components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/model/APIResourceCollection.java
- components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionManagementUtil.java
- components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionMgtConfigBuilder.java
- components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagementUtilTest.java
- components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagerTest.java
- components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionMgtConfigBuilderTest.java
- components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionTest.java
- components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/resources/repository/conf/api-resource-collection.xml
- components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/resources/testng.xml
- features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml
- features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml.j2
- features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml
- features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml.j2
- features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml
- features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2
- features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.json
- features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.infer.json
```java
public static boolean isGranularConsolePermissionsEnabled() {

    return Boolean.parseBoolean(IdentityUtil.getProperty(
            APIResourceCollectionManagementConstants.USE_GRANULAR_CONSOLE_PERMISSIONS_CONFIG));
```
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Trim the config value before parsing.
Boolean.parseBoolean returns false for whitespace-padded values, and IdentityUtil.getProperty(...) does not normalize the string in the provided context. A value like " true " would silently disable granular permissions here and in the manager path that depends on this helper.
Proposed fix:

```diff
- return Boolean.parseBoolean(IdentityUtil.getProperty(
- APIResourceCollectionManagementConstants.USE_GRANULAR_CONSOLE_PERMISSIONS_CONFIG));
+ String value = IdentityUtil.getProperty(
+ APIResourceCollectionManagementConstants.USE_GRANULAR_CONSOLE_PERMISSIONS_CONFIG);
+ return value != null && Boolean.parseBoolean(value.trim());
```
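Review bot: the `value != null` guard in this hunk is needed only to protect the `.trim()` call; `Boolean.parseBoolean(null)` already returns false, so the missing-property case was safe before and stays safe. Because the manager path consults the same flag through this helper, keep this method the single place the property is read so both paths see the trimmed value.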
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionManagementUtil.java`
around lines 73 - 76, The granular console permissions flag is parsed directly
from IdentityUtil.getProperty(...) in
APIResourceCollectionManagementUtil.isGranularConsolePermissionsEnabled(), so
whitespace-padded config values can be misread as false. Trim the property value
before passing it to Boolean.parseBoolean, and apply the same normalization
anywhere else this helper’s result is used by the manager path so both paths
interpret the config consistently.
```java
/*
 * Copyright (c) 2025, WSO2 LLC. (http://www.wso2.com).
 *
 * WSO2 LLC. licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file except
 * in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
```
📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win
Update the license header year for this new file.
The header still says 2025, but new Java files here need the current year or a range ending in 2026. As per coding guidelines, **/*.java: Ensure that all Java files contain the appropriate license header at the top with copyright year as the current year or a range ending in the current year (e.g., 2018-2026).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagementUtilTest.java`
around lines 1 - 17, The license header in
APIResourceCollectionManagementUtilTest is using an outdated copyright year for
a newly added Java file. Update the header at the top of the file so the year
reflects the current year or a range ending in the current year, matching the
project’s Java license header convention.
Source: Coding guidelines
```java
private static void assertBucketScopes(Map<String, List<APIResource>> apiResources, String bucketKey,
                                       String... expectedScopes) {

    List<APIResource> bucket = apiResources.get(bucketKey);
    Assert.assertNotNull(bucket, "Bucket should be present: " + bucketKey);
    Set<String> scopeNames = new HashSet<>();
    for (APIResource apiResource : bucket) {
        for (Scope scope : apiResource.getScopes()) {
            scopeNames.add(scope.getName());
        }
    }
    for (String expectedScope : expectedScopes) {
        Assert.assertTrue(scopeNames.contains(expectedScope),
                "Bucket '" + bucketKey + "' should expose scope '" + expectedScope + "' but had " + scopeNames);
```
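Review bot: beyond the containment-only check, the helper flattens scope names from every APIResource in the bucket into one set, so it cannot tell which API resource a scope was surfaced under; since the stated purpose of this PR is that each leaf scope appears with its owning API resource, collecting (API resource, scope name) pairs and comparing them to the expected pairs with `assertEquals` would cover exact membership and ownership in one assertion.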
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Make this helper assert isolation, not just presence.
assertBucketScopes only checks containment. If CREATE accidentally included UPDATE or DELETE scopes, these tests would still pass even though this PR’s contract is that granular buckets must not bleed into each other.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagerTest.java`
around lines 297 - 310, `assertBucketScopes` in
`APIResourceCollectionManagerTest` only verifies that expected scopes are
present, so it can miss accidental scope leakage between buckets. Update this
helper to also assert isolation by checking that the collected scope set for the
bucket matches exactly the `expectedScopes` set, using `assertEquals` or
equivalent, so `CREATE`, `UPDATE`, and `DELETE` buckets do not contain extra
scopes.
```xml
<Scope name="console:apiResources_create"/>
<Scope name="console:apiResources_update"/>
<Scope name="console:apiResources_delete"/>
```
🗄️ Data Integrity & Integration | 🔴 Critical
🧩 Analysis chain
🏁 Script executed (repository: wso2/carbon-identity-framework):

```bash
#!/bin/bash
COL=$(fd -g 'api-resource-collection.xml.j2')
SYS=$(fd -g 'system-api-resource.xml.j2')
rg -o 'name="(console:[^"]+)"' "$COL" -r '$1' | sort -u > /tmp/used.txt
rg -o 'name="(console:[^"]+)"' "$SYS" -r '$1' | sort -u > /tmp/defined.txt
echo "Console scopes referenced in the collection template but NOT defined in the system resource template:"
comm -23 /tmp/used.txt /tmp/defined.txt
```

Length of output: 656

🏁 Script executed:

```bash
#!/bin/bash
SYS=$(fd -g 'system-api-resource.xml.j2')
rg -n '<Scope name="console:[^"]+"' "$SYS"
```

Length of output: 168

🏁 Script executed:

```bash
#!/bin/bash
SYS=$(fd -g 'system-api-resource.xml.j2')
# Check if file exists and print first 50 lines to understand the structure
if [ -n "$SYS" ]; then
  echo "File found: $SYS"
  head -n 100 "$SYS"
else
  echo "File system-api-resource.xml.j2 not found"
fi
```

Length of output: 6165

🏁 Script executed:

```bash
#!/bin/bash
COL=$(fd -g 'api-resource-collection.xml.j2')
# Read lines 830-860 to see context around the scopes
sed -n '830,860p' "$COL"
```

Length of output: 1380
Verify and correct scope name mismatches between `api-resource-collection.xml.j2` and `system-api-resource.xml.j2`.
The scopes `console:apiResources_create`, `console:apiResources_update`, and `console:apiResources_delete` referenced in `api-resource-collection.xml.j2` are not defined in `system-api-resource.xml.j2`.
The system resource template currently defines internal-prefixed scopes (e.g., `internal_api_resource_create`) instead of the `console:`-prefixed scopes declared in the collection file. Ensure the scope names match exactly to prevent feature resolution failures.
Missing Scope Definitions
The following scopes are used in the collection file but missing in the system template:
- `console:apiResources_create`
- `console:apiResources_update`
- `console:apiResources_delete`
- (Also `console:apiResources` and `console:apiResources_view` are missing)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In
`@features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml.j2`
around lines 841 - 843, The scope names in the API resource templates are
inconsistent: `api-resource-collection.xml.j2` references
`console:apiResources*` scopes while `system-api-resource.xml.j2` defines
`internal_*` scopes. Update the scope declarations in
`system-api-resource.xml.j2` (and any related references in the collection
template) so the names match exactly, including `console:apiResources`,
`console:apiResources_view`, `console:apiResources_create`,
`console:apiResources_update`, and `console:apiResources_delete`, using the
existing resource/template symbols to keep the definitions aligned.
```xml
<Scope displayName="User Sharing Management Update Feature" name="console:userSharing_update"
       description="Update user sharing status from the Console"/>
<Scope displayName="User Sharing Management Create Feature" name="console:userSharing_create"
       description="Update user sharing status from the Console"/>
<Scope displayName="User Sharing Management Delete Feature" name="console:userSharing_delete"
       description="Update user sharing status from the Console"/>
```
📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win
Copy-paste error in console:userSharing create/delete descriptions.
The new _update, _create, and _delete scopes all reuse "Update user sharing status from the Console". The generated system-api-resource.xml already uses the correct "Manage creates/deletes" wording for these, so the template should match.
📝 Proposed fix

```diff
 <Scope displayName="User Sharing Management Create Feature" name="console:userSharing_create"
- description="Update user sharing status from the Console"/>
+ description="Manage creates of user sharing from the Console"/>
 <Scope displayName="User Sharing Management Delete Feature" name="console:userSharing_delete"
- description="Update user sharing status from the Console"/>
+ description="Manage deletes of user sharing from the Console"/>
```
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In
`@features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml.j2`
around lines 2044 - 2049, The `Scope` entries for `console:userSharing_create`
and `console:userSharing_delete` in `system-api-resource.xml.j2` are using the
wrong description text copied from the update scope. Update the descriptions in
the template to match the intended create/delete wording already used by the
generated `system-api-resource.xml`, and keep the `console:userSharing_update`
description unchanged.
```json
"saas.enable_cross_tenant_operations": false,
"console.console_settings.use_granular_console_permissions": false,
"console.console_settings.disabled_features": [
    "consoleSettings.invitedExternalAdmins",
    "consoleSettings.privilegedUsers",
    "consoleSettings.useGranularConsolePermissions"
]
```
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Backfill this preserved-behavior override for IS_7.0.0 too.
org.wso2.carbon.identity.core.server.feature.default.json now enables granular console permissions globally, but this file only pins the new flag/UI toggle off for IS_7.1.0 and IS_7.2.0. Upgrades preserving IS_7.0.0 behavior will therefore inherit the new default and get an unexpected behavior/UI change.
Also applies to: 450-456
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In
`@features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.infer.json`
around lines 413 - 419, The preserved-behavior override for console granular
permissions is missing for IS_7.0.0, so add the same pinned-off settings used
for the newer preserved versions in this infer JSON. Update the identity feature
mapping around the existing
console.console_settings.use_granular_console_permissions and
console.console_settings.disabled_features entries to include IS_7.0.0 as well,
matching the behavior already backfilled for IS_7.1.0 and IS_7.2.0.
Purpose
Resolve console feature action scopes (e.g. `console:applications_edit`, `console:applications_create`) as holders when they appear inside another collection's `<Read>`/`<Create>`/`<Update>`/`<Delete>` block. The holder is replaced by the leaf scopes from the matching action block of the owning collection, and the holder name itself is dropped from the bucket — so the `apiResources` payload of `/api-resource-collections/{id}` surfaces the underlying internal scopes (and their owning API resource) instead of an opaque console scope that no API resource owns.

Changes
- `APIResourceCollectionMgtConfigBuilder`: pre-build a holder → leaf scopes map from each collection's `<Feature>` block + matching action block. `_view` → owner Read, `_create`/`_update`/`_delete` → matching owner block, `_edit` → owner Create + Update + Delete (legacy coarse write). Resolution is recursive with cycle protection + memoisation so an owner's action block can itself reference another holder.
- `api-resource-collection.xml.j2`: declare `_create`/`_update`/`_delete` siblings next to every `_edit` holder inside non-`<Feature>` blocks (8 sites: `applicationAuthenticationScript`, `applicationClientSecretManagement`, `applicationInternalAPIAuthorization`, `userSharingV2`, and the four `org_*` counterparts).
- `APIResourceCollectionMgtConfigBuilderTest` — update/view/edit holder resolution, write-bucket propagation, transitive recursion, literal scopes preserved alongside holders, owner collection unaffected.

Related Issues
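To make the holder-resolution rules in the description concrete, here is an added stand-alone Python model (example code, not code from this PR or from the wso2 project) that applies them to a constructed api-resource-collection-style snippet; the element names, the `console:<feature>_<action>` holder convention, and the treatment of an unmatched `console:` scope as unresolved are assumptions taken from the PR text, not the project's real schema. It also reports unresolved holders (the silent-drop nitpick in the review) and includes an exact-set bucket check (the `assertBucketScopes` isolation point).

```python
"""Stand-alone model of the holder-resolution rules described in this PR. Added
example, not project code; element names and the console:<feature>_<action>
holder convention are assumptions taken from the PR text."""
import xml.etree.ElementTree as ET

ACTIONS = ("Read", "Create", "Update", "Delete")
# Holder suffix -> which action block(s) of the owning collection it expands to.
SUFFIX_TO_ACTIONS = {"_view": ("Read",), "_create": ("Create",), "_update": ("Update",),
                     "_delete": ("Delete",), "_edit": ("Create", "Update", "Delete")}

# Constructed sample: "applications" owns leaf scopes; "scripts" references
# applications' holders; "chained" references a scripts holder (transitive)
# and one holder that no collection's <Feature> block owns.
SAMPLE_XML = """
<APIResourceCollections>
  <APIResourceCollection name="applications">
    <Feature><Scope name="console:applications"/></Feature>
    <Read><Scope name="internal_application_mgt_view"/></Read>
    <Create><Scope name="internal_application_mgt_create"/></Create>
    <Update><Scope name="internal_application_mgt_update"/></Update>
    <Delete><Scope name="internal_application_mgt_delete"/></Delete>
  </APIResourceCollection>
  <APIResourceCollection name="scripts">
    <Feature><Scope name="console:scripts"/></Feature>
    <Read><Scope name="console:applications_view"/></Read>
    <Update>
      <Scope name="internal_application_script_update"/>
      <Scope name="console:applications_edit"/>
    </Update>
  </APIResourceCollection>
  <APIResourceCollection name="chained">
    <Feature><Scope name="console:chained"/></Feature>
    <Update><Scope name="console:scripts_update"/></Update>
    <Create><Scope name="console:nobody_create"/></Create>
  </APIResourceCollection>
</APIResourceCollections>
"""


def parse_collections(xml_text):
    """Return {collection: {"feature": holder-root scope, "Read": [...], ...}}."""
    collections = {}
    for col in ET.fromstring(xml_text.strip()).findall("APIResourceCollection"):
        feature = col.find("Feature/Scope")
        entry = {"feature": feature.get("name") if feature is not None else None}
        for action in ACTIONS:
            entry[action] = [s.get("name") for s in col.findall(f"{action}/Scope")]
        collections[col.get("name")] = entry
    return collections


def split_holder(scope, owners):
    """'console:applications_edit' -> ('applications', (Create, Update, Delete)), else None."""
    for suffix, actions in SUFFIX_TO_ACTIONS.items():
        if scope.endswith(suffix) and scope[: -len(suffix)] in owners:
            return owners[scope[: -len(suffix)]], actions
    return None


def resolve_collections(xml_text):
    """Expand holders into leaf scopes per bucket; recursive with memoisation and
    cycle protection. Returns (resolved buckets, sorted unresolved holder names)."""
    cols = parse_collections(xml_text)
    owners = {e["feature"]: name for name, e in cols.items() if e["feature"]}
    memo, unresolved = {}, set()

    def leaves(col_name, action, stack):
        key = (col_name, action)
        if key in memo:
            return memo[key]
        if key in stack:  # cycle: this block is already being expanded above us
            return set()
        out = set()
        for scope in cols[col_name][action]:
            target = split_holder(scope, owners)
            if target is None:
                if scope.startswith("console:"):
                    unresolved.add(scope)  # would vanish silently: worth a debug log
                else:
                    out.add(scope)  # literal internal scope, kept alongside holders
                continue
            owner, owner_actions = target
            for owner_action in owner_actions:
                out |= leaves(owner, owner_action, stack | {key})
        memo[key] = out
        return out

    resolved = {name: {a: sorted(leaves(name, a, frozenset())) for a in ACTIONS}
                for name in cols}
    return resolved, sorted(unresolved)


def bucket_matches_exactly(resolved, col_name, action, expected):
    """Exact-set bucket check: fails on extra scopes, not only on missing ones."""
    return set(resolved[col_name][action]) == set(expected)
```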