feat: change node ownership to namespace instead of creator
Some checks failed
Build and Publish APK Package / build-apk (amd64, x86_64) (push) Successful in 44s
Build and Publish APK Package / build-apk (arm64, aarch64) (push) Successful in 51s
Build and Publish Arch Package / build-arch (amd64, x86_64) (push) Successful in 58s
Build and Publish Arch Package / build-arch (arm64, aarch64) (push) Successful in 1m5s
Build and Push Docker Container / build-and-push (push) Failing after 10m5s
Some checks failed
Build and Publish APK Package / build-apk (amd64, x86_64) (push) Successful in 44s
Build and Publish APK Package / build-apk (arm64, aarch64) (push) Successful in 51s
Build and Publish Arch Package / build-arch (amd64, x86_64) (push) Successful in 58s
Build and Publish Arch Package / build-arch (arm64, aarch64) (push) Successful in 1m5s
Build and Push Docker Container / build-and-push (push) Failing after 10m5s
When a node is created in a namespace, the namespace now owns it rather than the creator. This allows namespaces to manage content ownership. Namespace nodes themselves remain owned by their creator. Users retain transitive ownership through their default namespace: user→has_ownership→namespace→has_ownership→node. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
This commit is contained in:
@@ -117,8 +117,26 @@ func TestPermissions(t *testing.T) {
|
|||||||
if !userNode.HasRelation("has_ownership", aliceUserID) {
|
if !userNode.HasRelation("has_ownership", aliceUserID) {
|
||||||
t.Errorf("expected user node to have self-ownership, got relations: %v", userNode.Relations)
|
t.Errorf("expected user node to have self-ownership, got relations: %v", userNode.Relations)
|
||||||
}
|
}
|
||||||
if !userNode.HasRelation("has_ownership", aliceNodeID) {
|
// Nodes are now owned by the namespace they belong to, not directly by the creator.
|
||||||
t.Errorf("expected alice to own her node, got relations: %v", userNode.Relations)
|
// Alice's default namespace is owned by alice, so she retains transitive ownership.
|
||||||
|
if userNode.HasRelation("has_ownership", aliceNodeID) {
|
||||||
|
t.Errorf("alice should not directly own her node (namespace owns it), got relations: %v", userNode.Relations)
|
||||||
|
}
|
||||||
|
// Find alice's default namespace and verify it owns the node.
|
||||||
|
namespaces := alice.parseNodes(alice.mustAx("list", "--type", "namespace", "--json"))
|
||||||
|
var aliceNsID string
|
||||||
|
for _, ns := range namespaces {
|
||||||
|
if ns.Title == "alice" {
|
||||||
|
aliceNsID = ns.ID
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if aliceNsID == "" {
|
||||||
|
t.Fatal("could not find alice's default namespace")
|
||||||
|
}
|
||||||
|
nsOut := alice.mustAx("show", aliceNsID, "--json")
|
||||||
|
nsNode := alice.parseNode(nsOut)
|
||||||
|
if !nsNode.HasRelation("has_ownership", aliceNodeID) {
|
||||||
|
t.Errorf("expected alice's namespace to own her node, got relations: %v", nsNode.Relations)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
|
|||||||
@@ -364,8 +364,9 @@ func (s *nodeServiceImpl) Add(input AddInput) (*models.Node, error) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Edge rels.
|
// Edge rels. Track the namespace the node is placed in for ownership.
|
||||||
hasCreated := false
|
hasCreated := false
|
||||||
|
var actualNsID string
|
||||||
for _, ri := range input.Rels {
|
for _, ri := range input.Rels {
|
||||||
if ri.Target == "" {
|
if ri.Target == "" {
|
||||||
continue // already stored as tag
|
continue // already stored as tag
|
||||||
@@ -377,6 +378,9 @@ func (s *nodeServiceImpl) Add(input AddInput) (*models.Node, error) {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
if ri.Type == models.RelInNamespace {
|
||||||
|
actualNsID = resolved
|
||||||
|
}
|
||||||
if ri.Type == models.RelHasOwnership {
|
if ri.Type == models.RelHasOwnership {
|
||||||
// Ownership transfer: remove existing owner of the target.
|
// Ownership transfer: remove existing owner of the target.
|
||||||
existingOwners, _ := st.FindNodes([]*models.Rel{{Type: models.RelHasOwnership, Target: resolved}})
|
existingOwners, _ := st.FindNodes([]*models.Rel{{Type: models.RelHasOwnership, Target: resolved}})
|
||||||
@@ -398,6 +402,7 @@ func (s *nodeServiceImpl) Add(input AddInput) (*models.Node, error) {
|
|||||||
if err := st.AddRel(id, string(models.RelInNamespace), nsID); err != nil {
|
if err := st.AddRel(id, string(models.RelInNamespace), nsID); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
actualNsID = nsID
|
||||||
}
|
}
|
||||||
|
|
||||||
// Default created.
|
// Default created.
|
||||||
@@ -411,12 +416,19 @@ func (s *nodeServiceImpl) Add(input AddInput) (*models.Node, error) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Grant creator ownership of the new node.
|
// Grant ownership of the new node.
|
||||||
|
// Namespace nodes are owned by their creator. All other nodes are owned
|
||||||
|
// by the namespace they belong to — the user retains transitive ownership
|
||||||
|
// through the namespace's own ownership chain (e.g. user→owns→default-ns→owns→node).
|
||||||
creatorID, err := s.resolveUserRef(st, s.userID)
|
creatorID, err := s.resolveUserRef(st, s.userID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := st.AddRel(creatorID, string(models.RelHasOwnership), id); err != nil {
|
ownerID := creatorID
|
||||||
|
if tmp.GetProperty("type") != "namespace" && actualNsID != "" {
|
||||||
|
ownerID = actualNsID
|
||||||
|
}
|
||||||
|
if err := st.AddRel(ownerID, string(models.RelHasOwnership), id); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user