fix: Update rbac for deployment version channel

[adityachoudhari26]

Summary by CodeRabbit

• Refactor

  • Improved access control for deployment version channel operations by aligning permissions across create, update, delete, list, and retrieve actions.

• Chores

  • Updated database schema and configuration to support the refined deployment version channel functionality.

[coderabbitai]

Walkthrough

This pull request updates several permission checks, renaming and refactoring references from “release channels” to “deployment version channels.” The changes span API routes, RBAC utility functions, database schemas, and validators. The overall control flow and response handling remain intact, with adjustments made to ensure that permission validations are now correctly scoped to operations on deployment version channels.

Changes

File(s)	Summary of Changes
apps/webservice/src/app/api/v1/deployments/[deploymentId]/release-channels/name/[name]/route.ts apps/webservice/src/app/api/v1/release-channels/route.ts	Updated permission checks in DELETE and POST handlers: - Changed from Permission.ReleaseChannelDelete to Permission.DeploymentVersionChannelDelete - Changed from Permission.ReleaseChannelCreate to Permission.DeploymentVersionChannelCreate
packages/api/src/router/deployment.ts	Modified permission checks within the releaseChannelRouter: - Create: ReleaseChannelCreate → DeploymentVersionChannelCreate - Update: ReleaseChannelUpdate → DeploymentVersionChannelUpdate (type changed to "deploymentVersionChannel") - Delete: ReleaseChannelDelete → DeploymentVersionChannelDelete (type changed to "deploymentVersionChannel") - List: ReleaseChannelList → DeploymentVersionChannelList - Get: ReleaseChannelGet → DeploymentVersionChannelGet (type changed to "deploymentVersionChannel")
packages/auth/src/utils/rbac.ts	Renamed function and modified its return type: - getReleaseChannelScopes → getDeploymentVersionChannelScopes - Return type now specifies type: "deploymentVersionChannel" and retrieves data accordingly
packages/db/drizzle/0077_lowly_sauron.sql packages/db/drizzle/meta/_journal.json packages/db/src/schema/rbac.ts	Database schema updates: - Added enum values 'deploymentVersion' and 'deploymentVersionChannel' to the PostgreSQL scope_type - Updated enum value "releaseChannel" to "deploymentVersionChannel" in RBAC schema - Added a corresponding journal entry in _journal.json
packages/validators/src/auth/index.ts	Replaced five permission definitions: - Removed: ReleaseChannelGet, ReleaseChannelList, ReleaseChannelCreate, ReleaseChannelUpdate, ReleaseChannelDelete - Added: DeploymentVersionChannelGet, DeploymentVersionChannelList, DeploymentVersionChannelCreate, DeploymentVersionChannelUpdate, DeploymentVersionChannelDelete

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant API
  participant Auth
  participant DB
  
  Client->>API: Send request (CREATE/DELETE/UPDATE)
  API->>Auth: Check DeploymentVersionChannel permission
  Auth-->>API: Return permission result
  API->>DB: Execute operation if authorized
  DB-->>API: Return operation result
  API-->>Client: Send response

Loading

Possibly related PRs

• fix: Select release channel filter on deployment page #214: Updates permission checks for deletion and creation, transitioning from release channels to deployment version channels.
• fix: Create deployment endpoints #296: Modifies DELETE operation permissions, aligning them with deployment version channel requirements.
• fix: Init release channels ui #181: Adjusts permission handling for creation and deletion operations by replacing release channel permissions with deployment version channel permissions.

Suggested reviewers

• jsbroks

Poem

Hop, hop—the code is light,
New channels bloom in digital night.
From release to deployment we jump with glee,
Permissions refined like a crisp carrot spree.
In every line, a bunny’s tune so bright.
🐇🌟 Code hops on through the moonlit byte!

Tip

⚡🧪 Multi-step agentic review comment chat (experimental)

• We're introducing multi-step agentic chat in review comments. This experimental feature enhances review discussions with the CodeRabbit agentic chat by enabling advanced interactions, including the ability to create pull requests directly from comments.
  - To enable this feature, set early_access to true under in the settings.

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🔭 Outside diff range comments (1)

packages/api/src/router/deployment.ts (1)

30-152: 💡 Verification agent

🧩 Analysis chain

Consider updating variable and method naming in releaseChannelRouter

While all the permissions and scope types have been correctly updated, the router is still named releaseChannelRouter and uses variables like channels, rc, etc. that refer to release channels. Consider updating these names for consistency with the terminology change.

Check for other instances of "release channel" terminology that might need updating:

---

🏁 Script executed:

#!/bin/bash
# Search for variable names, comments, and other instances that might still use "release" terminology

# Look for variable names containing "release" 
rg -i '\b(const|let|var)\s+release[a-zA-Z]*\b' --type ts

# Look for method/function names containing "release"
rg -i '\bfunction\s+release[a-zA-Z]*\b|\b[a-zA-Z]+\.release[a-zA-Z]*\b' --type ts

# Look for comments containing "release channel"
rg -i '//.*release channel|/\*.*release channel.*\*/' --type ts

Length of output: 72574

---

Action Required: Update Naming in Deployment Router

In the file packages/api/src/router/deployment.ts (lines 30–152), the router and variable names still use the legacy "release" terminology (e.g., releaseChannelRouter, channels, and rc). Although the permissions and scope types have been updated to reflect deployment concepts, these naming inconsistencies could lead to confusion. To align with the updated terminology, please consider:

• Renaming releaseChannelRouter (and any related endpoint identifiers) to something like deploymentVersionChannelRouter.
• Updating variable names (e.g., changing channels to deploymentChannels and replacing the ambiguous rc with a more descriptive name) for clarity and consistency.
• Reviewing related files for any other lingering "release" nomenclature that should be updated to match the deployment terminology.

🧹 Nitpick comments (3)

apps/webservice/src/app/api/v1/deployments/[deploymentId]/release-channels/name/[name]/route.ts (1)

10-45: Consider updating route path and response messages for naming consistency

While the permission has been updated to use "DeploymentVersionChannel", the route path still uses "release-channels" and the response messages still mention "Release channel". Consider updating these for complete naming consistency.

apps/webservice/src/app/api/v1/release-channels/route.ts (2)

25-40: Consider updating variable naming for consistency

While the permission has been updated to use "DeploymentVersionChannel", the variable names still use "releaseChannel". For better code clarity and consistency, consider updating variable names to match the new terminology.

-      const releaseChannel = await db
+      const deploymentVersionChannel = await db
        .select()
        .from(SCHEMA.deploymentVersionChannel)
        .where(
          and(
            eq(SCHEMA.deploymentVersionChannel.deploymentId, body.deploymentId),
            eq(SCHEMA.deploymentVersionChannel.name, body.name),
          ),
        )
        .then(takeFirstOrNull);

-      if (releaseChannel)
+      if (deploymentVersionChannel)
        return NextResponse.json(
-          { error: "Release channel already exists", id: releaseChannel.id },
+          { error: "Deployment version channel already exists", id: deploymentVersionChannel.id },
          { status: 409 },
        );

---

42-48: Update variable naming in response handling

For consistency with the permission updates, consider renaming the variable in the response handling as well.

      return db
        .insert(SCHEMA.deploymentVersionChannel)
        .values(body)
        .returning()
        .then(takeFirst)
-        .then((releaseChannel) => NextResponse.json(releaseChannel))
+        .then((deploymentVersionChannel) => NextResponse.json(deploymentVersionChannel))
        .catch((error) => NextResponse.json({ error }, { status: 500 }));

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 76b4f35 and 6e782ae.

📒 Files selected for processing (8)

• apps/webservice/src/app/api/v1/deployments/[deploymentId]/release-channels/name/[name]/route.ts (1 hunks)
• apps/webservice/src/app/api/v1/release-channels/route.ts (1 hunks)
• packages/api/src/router/deployment.ts (5 hunks)
• packages/auth/src/utils/rbac.ts (3 hunks)
• packages/db/drizzle/0077_lowly_sauron.sql (1 hunks)
• packages/db/drizzle/meta/_journal.json (1 hunks)
• packages/db/src/schema/rbac.ts (1 hunks)
• packages/validators/src/auth/index.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

`**/*.{ts,tsx}`: **Note on Error Handling:** Avoid strict en...

**/*.{ts,tsx}: Note on Error Handling:
Avoid strict enforcement of try/catch blocks. Code may use early returns, Promise chains (.then().catch()), or other patterns for error handling. These are acceptable as long as they maintain clarity and predictability.

• packages/db/src/schema/rbac.ts
• apps/webservice/src/app/api/v1/deployments/[deploymentId]/release-channels/name/[name]/route.ts
• apps/webservice/src/app/api/v1/release-channels/route.ts
• packages/validators/src/auth/index.ts
• packages/auth/src/utils/rbac.ts
• packages/api/src/router/deployment.ts

🧠 Learnings (2)

packages/db/src/schema/rbac.ts (1)

Learnt from: adityachoudhari26
PR: ctrlplanedev/ctrlplane#181
File: packages/auth/src/utils/rbac.ts:102-118
Timestamp: 2025-03-12T21:38:05.696Z
Learning: The `releaseChannel` scope type is included in the `scopeType` enum in `packages/db/src/schema/rbac.ts`.

packages/auth/src/utils/rbac.ts (1)

Learnt from: adityachoudhari26
PR: ctrlplanedev/ctrlplane#181
File: packages/auth/src/utils/rbac.ts:102-118
Timestamp: 2025-03-12T21:38:05.696Z
Learning: The `releaseChannel` scope type is included in the `scopeType` enum in `packages/db/src/schema/rbac.ts`.

⏰ Context from checks skipped due to timeout of 90000ms (3)

• GitHub Check: Typecheck
• GitHub Check: build (linux/amd64)
• GitHub Check: Lint

🔇 Additional comments (13)

packages/db/drizzle/0077_lowly_sauron.sql (1)

1-2: LGTM: Appropriate scope type additions

The addition of 'deploymentVersion' and 'deploymentVersionChannel' to the scope_type enum is consistent with the PR objective of updating RBAC for deployment version channels.

packages/db/drizzle/meta/_journal.json (1)

543-550: LGTM: Proper migration journal entry

The new journal entry for "0077_lowly_sauron" correctly tracks the migration that adds the new scope types.

packages/db/src/schema/rbac.ts (1)

37-37: LGTM: Consistent naming update

The renamed scope type from "releaseChannel" to "deploymentVersionChannel" maintains consistency with the database migration and aligns with the broader terminology updates in the PR.

apps/webservice/src/app/api/v1/deployments/[deploymentId]/release-channels/name/[name]/route.ts (1)

15-15: LGTM: Permission updated to match new naming convention

The permission check has been correctly updated from ReleaseChannelDelete to DeploymentVersionChannelDelete.

apps/webservice/src/app/api/v1/release-channels/route.ts (1)

19-19: Permission change looks good

The permission has been properly updated from ReleaseChannelCreate to DeploymentVersionChannelCreate to align with the new naming convention.

packages/auth/src/utils/rbac.ts (2)

112-134: Function rename and type updates look good

The function has been properly renamed from getReleaseChannelScopes to getDeploymentVersionChannelScopes and the return type has been updated to use "deploymentVersionChannel" instead of "releaseChannel". This aligns with the broader refactoring to use consistent terminology.

---

402-402: Handler map update is correct

The scopeHandlers map has been correctly updated to use deploymentVersionChannel as the key instead of releaseChannel, pointing to the renamed function.

packages/validators/src/auth/index.ts (1)

90-94: Permission enum updates are complete

The permissions for release channels have been properly replaced with equivalent permissions for deployment version channels. This ensures consistent terminology throughout the codebase and properly reflects the actual entities being operated on.

packages/api/src/router/deployment.ts (5)

35-36: Permission update for create operation looks good

The permission check has been properly updated from ReleaseChannelCreate to DeploymentVersionChannelCreate.

---

54-55: Permission and scope type updates for update operation are correct

Both the permission (DeploymentVersionChannelUpdate) and scope type (deploymentVersionChannel) have been updated correctly for the update operation.

---

70-71: Permission and scope type updates for delete operation are correct

Both the permission (DeploymentVersionChannelDelete) and scope type (deploymentVersionChannel) have been updated correctly for the delete operation.

---

85-86: Permission update for list operation looks good

The permission check has been properly updated from ReleaseChannelList to DeploymentVersionChannelList.

---

118-119: Permission and scope type updates for get operation are correct

Both the permission (DeploymentVersionChannelGet) and scope type (deploymentVersionChannel) have been updated correctly for the get operation.