Issue
Currently, the permission model for route destination operations is inconsistent with respect to the app's space. The table below shows which roles in the app's
space/org are sufficient (assuming the user already has space_developer in the route's space and the route has been explicitly shared with the app's space):
| Role in app's space/org |
Add destination |
Replace destinations |
Update destination |
Delete destination |
space_developer |
✅ |
✅ |
✅ |
✅ |
space_supporter |
✅ |
✅ |
✅ |
✅ |
space_manager |
✅ |
✅ |
✅ |
✅ |
space_auditor |
✅ |
✅ |
✅ |
✅ |
org_manager |
✅ |
✅ |
✅ |
✅ |
org_auditor |
❌ |
❌ |
✅ |
✅ |
org_billing_manager |
❌ |
❌ |
✅ |
✅ |
no role |
❌ |
❌ |
✅ |
✅ |
admin |
✅ |
✅ |
✅ |
✅ |
admin_read_only |
✅ |
✅ |
✅ |
✅ |
global_auditor |
✅ |
✅ |
✅ |
✅ |
Three problems stand out:
- Add/Replace: read-only roles (
space_manager, space_auditor, org_manager) are sufficient to wire up routing to an app they cannot write to.
- Update/Delete: no role in the app's space is required at all — any user with write access to the route's space can modify or remove destinations regardless of
which space the app lives in.
admin_read_only and global_auditor: these read-only global roles can perform all four mutating operations, which contradicts their intended purpose.
Context
No response
Steps to Reproduce
see #5284
Expected Result
No response
Current Result
No response
Possible Fix
Proposed change: All four operations should require space_developer or space_supporter in the app's space. Only admin should be exempt as the global write role.
admin_read_only and global_auditor should be denied just like any other role without write access to the app's space.
Issue
Currently, the permission model for route destination operations is inconsistent with respect to the app's space. The table below shows which roles in the app's
space/org are sufficient (assuming the user already has
space_developerin the route's space and the route has been explicitly shared with the app's space):space_developerspace_supporterspace_managerspace_auditororg_managerorg_auditororg_billing_managerno roleadminadmin_read_onlyglobal_auditorThree problems stand out:
space_manager,space_auditor,org_manager) are sufficient to wire up routing to an app they cannot write to.which space the app lives in.
admin_read_onlyandglobal_auditor: these read-only global roles can perform all four mutating operations, which contradicts their intended purpose.Context
No response
Steps to Reproduce
see #5284
Expected Result
No response
Current Result
No response
Possible Fix
Proposed change: All four operations should require
space_developerorspace_supporterin the app's space. Onlyadminshould be exempt as the global write role.admin_read_onlyandglobal_auditorshould be denied just like any other role without write access to the app's space.