fix: add ownership checks to promote and delete agent routes#3215

Closed
rrbanda wants to merge 1 commit into
redhat-developer:mainfrom
rrbanda:pr/ownership-checks
Closed

fix: add ownership checks to promote and delete agent routes#3215
rrbanda wants to merge 1 commit into
redhat-developer:mainfrom
rrbanda:pr/ownership-checks

Conversation


@rrbanda rrbanda commented May 21, 2026

Summary

  • On draft→review promote: verifies createdBy matches caller for non-admins, preventing users from submitting other people's drafts for review
  • Adds DELETE /agents/:agentId route that only allows deletion of draft agents, with ownership verification for non-admin callers (admins can delete any draft)
  • Adds deleteAgentConfig to frontend AugmentApi interface and implementation
  • Adds createdBy field to ChatAgentConfig type (prerequisite for ownership checks)
  • Returns 403 with clear error messages: "You can only submit/delete your own agents"

Part of Epic #3208

Test plan

  • Non-admin user attempts to promote another user's draft → gets 403
  • Non-admin user promotes their own draft → succeeds
  • Non-admin user attempts to delete another user's draft → gets 403
  • Non-admin user deletes their own draft → succeeds
  • Admin can promote/delete any agent regardless of ownership
  • Attempting to delete a non-draft agent → gets InputError

- On draft→review promote: verify createdBy matches caller for non-admins,
  preventing users from submitting other people's drafts for review
- Add DELETE /agents/:agentId route that only allows deletion of draft
  agents, with ownership verification for non-admin callers
- Add deleteAgentConfig to frontend AugmentApi interface and implementation
- Add createdBy field to ChatAgentConfig (prerequisite for ownership checks)
- Add agent.delete audit action type
- Update report.api.md files

Part of Epic redhat-developer#3208
@rrbanda rrbanda requested review from a team and pkliczewski as code owners May 21, 2026 15:50

rhdh-gh-app Bot commented May 21, 2026

Missing Changesets

The following package(s) are changed by this PR but do not have a changeset:

  • @red-hat-developer-hub/backstage-plugin-augment-backend
  • @red-hat-developer-hub/backstage-plugin-augment-common
  • @red-hat-developer-hub/backstage-plugin-augment

See CONTRIBUTING.md for more information about how to add changesets.

Changed Packages

Package Name | Package Path | Changeset Bump | Current Version
@red-hat-developer-hub/backstage-plugin-augment-backend | workspaces/augment/plugins/augment-backend | none | v0.1.0
@red-hat-developer-hub/backstage-plugin-augment-common | workspaces/augment/plugins/augment-common | none | v0.1.0
@red-hat-developer-hub/backstage-plugin-augment | workspaces/augment/plugins/augment | none | v0.1.0

@sonarqubecloud

Quality Gate failed

Failed conditions
6.7% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud


rrbanda commented May 21, 2026

Closing: superseded by Phase 1 (#3222) which consolidates ownership checks with createdBy persistence, phantom draft blocking, and GET scoping.

@rrbanda rrbanda closed this May 21, 2026