fix: remove unused user and org relations from app/pat schema#1741
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
🚧 Files skipped from review as they are similar to previous changes (2)
📝 WalkthroughSummary by CodeRabbit
WalkthroughThe ChangesSchema cleanup
Estimated code review effort: 1 (Trivial) | ~3 minutes Related IssuesFixes: Suggested Labelsschema, cleanup Suggested ReviewersNone Poem A rabbit hopped through schema's floor, 🚥 Pre-merge checks | ✅ 2✅ Passed checks (2 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Coverage Report for CI Build 28921410391Coverage remained the same at 44.879%Details
Uncovered ChangesNo uncovered changes found. Coverage RegressionsNo coverage regressions found. Coverage Stats
💛 - Coveralls |
Manual E2E test — PAT flowRan the full PAT lifecycle against a local server that already has this change live ( Setup
Results
Conclusion No functional impact. The removed relations were not in any permission path. |
The app/pat definition declared `user` and `org` relations that are never used. A PAT stores its owning user and org as columns on the pat Postgres table, not as SpiceDB tuples, and no permission reads `pat->user` or `pat->org`. Listing PATs by user or org is a SQL query. Replace the block with an empty definition. app/pat stays valid as a subject type, so it can still appear as `app/pat:*` in role relations and as a bearer on rolebindings. Update the generator test fixture to match. No access impact: these relations sit in no permission rule. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
6609ed0 to
20308e3
Compare
What
The
app/patdefinition in the base SpiceDB schema declared two relations,userandorg, that are never used. This removes them.Why they are unused
patPostgres table (user_id,org_id). The code never writes anapp/pat#userorapp/pat#orgtuple. The only SpiceDB writes for a PAT are its role scopes, where the PAT is the subject (the bearer of a role).pat->userorpat->org.pattable.Impact
None on access. These relations sit in no permission rule, so removing them cannot change any permission check.
app/patstays valid as a subject type (likeapp/user {}), so it still appears asapp/pat:*in role relations and as abeareron rolebindings.Closes #1740
🤖 Generated with Claude Code