Skip to content

fix(backend): allow users with read access level to revoke their own access on shared workflows#4143

Merged
aicam merged 13 commits intoapache:mainfrom
seongjinyoon:fix/revoke-access-depends-on-level
Jan 7, 2026
Merged

fix(backend): allow users with read access level to revoke their own access on shared workflows#4143
aicam merged 13 commits intoapache:mainfrom
seongjinyoon:fix/revoke-access-depends-on-level

Conversation

@seongjinyoon
Copy link
Contributor

@seongjinyoon seongjinyoon commented Dec 30, 2025
edited
Loading

What changes were proposed in this PR?

This PR fixes a permission issue where users with READ access to a workflow could not revoke their own access.

Changes:

  • Updated revokeAccess() method in WorkflowAccessResource.scala to allow users to revoke their own access regardless of privilege level (READ or WRITE).
  • Added owner protection which prevents workflow owners from revoking their own access to avoid orphaned workflows.

Before:

  • Backend requires WRITE privilege for self-revocation.
  • READ users received error when revoking their own access.

After:

  • READ users can revoke their own access to a shared workflow (leave shared workflows).
  • Owners cannot revoke their own access (prevent orphaned workflows).

Demo:

Screen.Recording.2025-12-29.at.6.13.00.PM.mov

Any related issues, documentation, discussions?

Fixes #4141.

How was this PR tested?

Run sbt "WorkflowExecutionService/testOnly *WorkflowAccessResourceSpec"

Was this PR authored or co-authored using generative AI tooling?

No.

@seongjinyoon seongjinyoon changed the title Fix/revoke access depends on level fix(backend): allow users with read access level to revoke their own access on shared workflows Dec 30, 2025
@chenlica
Copy link
Contributor

chenlica commented Dec 30, 2025

Thanks for the PR. A few comments:

  1. In the video the user clicked the share button for the computing unit. If so, I think it should show something related to a workflow.

  2. Can we add some test cases to replace manual testing?

@seongjinyoon
Copy link
Contributor Author

seongjinyoon commented Dec 30, 2025

What changes were proposed in this PR?

This PR fixes a permission issue where users with READ access to a workflow could not revoke their own access.

Changes:

  • Updated revokeAccess() method in WorkflowAccessResource.scala to allow users to revoke their own access regardless of privilege level (READ or WRITE).
  • Added owner protection which prevents workflow owners from revoking their own access to avoid orphaned workflows.

Before:

  • Backend requires WRITE privilege for self-revocation.
  • READ users received error when revoking their own access.

After:

  • READ users can revoke their own access to a shared workflow (leave shared workflows).
  • Owners cannot revoke their own access (prevent orphaned workflows).

Demo:

Screen.Recording.2025-12-29.at.6.13.00.PM.mov

Any related issues, documentation, discussions?

Fixes #4141.

How was this PR tested?

Manually tested.

Was this PR authored or co-authored using generative AI tooling?

No.

Thanks for the PR. A few comments:

  1. In the video the user clicked the share button for the computing unit. If so, I think it should show something related to a workflow.
  2. Can we add some test cases to replace manual testing?

For 1. In the video, the user clicks on the share button for the workflow.
For 2. I will add test cases for this PR.

@seongjinyoon
Copy link
Contributor Author

seongjinyoon commented Dec 30, 2025

@chenlica I have added test cases.

@chenlica chenlica requested a review from aicam December 31, 2025 01:32
@chenlica
Copy link
Contributor

chenlica commented Dec 31, 2025

@aicam Please review it.

aicam
aicam approved these changes Jan 5, 2026
View reviewed changes
Copy link
Contributor

@aicam aicam left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@github-actions github-actions bot added the dependencies Pull requests that update a dependency file label Jan 6, 2026
@github-actions github-actions bot removed the dependencies Pull requests that update a dependency file label Jan 6, 2026
@seongjinyoon
Copy link
Contributor Author

seongjinyoon commented Jan 6, 2026
edited
Loading

@chenlica After some investigation, I found that MockTexeraDB has a bug that does not allow the test cases to pass when running the full test suite (test cases pass when ran individually). I suggest removing the test cases for this PR, investigate the issue deeper and fix it, then add the test cases back in a separate PR.

@chenlica
Copy link
Contributor

chenlica commented Jan 6, 2026

@carloea2 Is it related to a recent finding you have related to MockTexeraDB?

@carloea2
Copy link
Contributor

carloea2 commented Jan 6, 2026
edited
Loading

@carloea2 Is it related to a recent finding you have related to MockTexeraDB?

Yes, I suggest he tries to add his new test cases into a test file accessing the same resources (ad-hoc solution) and later investigate what is the reason.

@aicam aicam enabled auto-merge (squash) January 7, 2026 19:27
auto-merge was automatically disabled January 7, 2026 19:35

Head branch was pushed to by a user without write access

@aicam aicam merged commit b9fc0d2 into apache:main Jan 7, 2026
10 checks passed
@seongjinyoon seongjinyoon deleted the fix/revoke-access-depends-on-level branch January 13, 2026 01:37
@seongjinyoon seongjinyoon mentioned this pull request Jan 30, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aicam aicam aicam approved these changes

Assignees

No one assigned

Labels

engine fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Users with read access to workflows cannot revoke the access to that workflow.

4 participants

@seongjinyoon @chenlica @carloea2 @aicam