From b0220292a706c8256c0c61c6a8d506f37cd97ff8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Ba=C4=8Do?=
Date: Tue, 5 May 2026 12:58:06 +0200
Subject: [PATCH 1/3] Rename policies to prevent double scope usease
---
 app/config/roles.php | 4 ++--
 app/config/scopes/project.php | 14 +++++++++++++-
 .../Modules/Project/Http/Project/Policies/Get.php | 2 +-
 .../Project/Http/Project/Policies/XList.php | 2 +-
 src/Appwrite/Platform/Workers/Migrations.php | 4 ++--
 tests/e2e/Scopes/ProjectCustom.php | 4 ++--
 6 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/app/config/roles.php b/app/config/roles.php
index 8fba27e503..04175ac1d5 100644
--- a/app/config/roles.php
+++ b/app/config/roles.php
@@ -59,8 +59,8 @@ $admins = [
 'oauth2.write',
 'mocks.read',
 'mocks.write',
- 'policies.read',
- 'policies.write',
+ 'project.policies.read',
+ 'project.policies.write',
 'templates.read',
 'templates.write',
 'projects.write',
diff --git a/app/config/scopes/project.php b/app/config/scopes/project.php
index a048920de9..6e019e7b93 100644
--- a/app/config/scopes/project.php
+++ b/app/config/scopes/project.php
@@ -44,11 +44,23 @@ return [
 "category" => "Project",
 ],
 "policies.read" => [
+ "description" =>
+ "Access to read project\'s policies. Replaced by \'project.policies.read\' for more granular control.",
+ "category" => "Project",
+ 'deprecated' => true,
+ ],
+ "policies.write" => [
+ "description" =>
+ "Access to update project\'s policies. Replaces by \'project.policies.read\' for more granular control.",
+ "category" => "Project",
+ 'deprecated' => true,
+ ],
+ "project.policies.read" => [
 "description" =>
 "Access to read project\'s policies",
 "category" => "Project",
 ],
- "policies.write" => [
+ "project.policies.write" => [
 "description" =>
 "Access to update project\'s policies",
 "category" => "Project",
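Review bot: The `$admins` list drops `policies.read` and `policies.write` instead of keeping them next to the new names, so this role can reach a policy route only once that route's `scope` label lists `project.policies.*`. At this commit only `Policies/Get.php` and `Policies/XList.php` do; the nine `Update` actions are relabelled in PATCH 3/3, and a route missed by the series would presumably be denied for admins. `Workers/Migrations.php` and `tests/e2e/Scopes/ProjectCustom.php` get the same swap, so it is worth searching for any remaining label that names only `policies.read` or `policies.write` before merging. The `$admins` array starts and ends outside the hunk.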
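Review bot: The added descriptions are double-quoted, and PHP does not treat `\'` as an escape inside double quotes, so the stored text keeps the backslashes (`project\'s`, `\'project.policies.read\'`) wherever it is displayed. The untouched entries in this hunk already follow the same pattern, so this may be formatter output, but the new lines could use a plain `'`, e.g. `"Access to read project's policies. Replaced by 'project.policies.read' for more granular control."`. The `'deprecated' => true` key is added here and nothing visible in this series reads it; a comment on the entry stating whether a deprecated scope can still be granted to new keys or is only honoured on existing ones would make the access-control intent explicit. PATCH 2/3 rewrites the two description lines and keeps the backslashes.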
diff --git a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/Get.php b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/Get.php
index 3ffe30f1fa..21342332d9 100644
--- a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/Get.php
+++ b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/Get.php
@@ -27,7 +27,7 @@ class Get extends Action
 ->setHttpPath('/v1/project/policies/:policyId')
 ->desc('Get project policy')
 ->groups(['api', 'project'])
- ->label('scope', 'policies.read')
+ ->label('scope', ['policies.read', 'project.policies.read'])
 ->label('sdk', new Method(
 namespace: 'project',
 group: 'policies',
diff --git a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/XList.php b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/XList.php
index 893b28fef2..3020fa79dd 100644
--- a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/XList.php
+++ b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/XList.php
@@ -33,7 +33,7 @@ class XList extends Action
 ->setHttpPath('/v1/project/policies')
 ->desc('List project policies')
 ->groups(['api', 'project'])
- ->label('scope', 'policies.read')
+ ->label('scope', ['policies.read', 'project.policies.read'])
 ->label('sdk', new Method(
 namespace: 'project',
 group: 'policies',
diff --git a/src/Appwrite/Platform/Workers/Migrations.php b/src/Appwrite/Platform/Workers/Migrations.php
index c25a83c231..3fd86baea9 100644
--- a/src/Appwrite/Platform/Workers/Migrations.php
+++ b/src/Appwrite/Platform/Workers/Migrations.php
@@ -380,8 +380,8 @@ class Migrations extends Action
 'oauth2.write',
 'mocks.read',
 'mocks.write',
- 'policies.read',
- 'policies.write',
+ 'project.policies.read',
+ 'project.policies.write',
 'templates.read',
 'templates.write',
 ];
diff --git a/tests/e2e/Scopes/ProjectCustom.php b/tests/e2e/Scopes/ProjectCustom.php
index 3071ddfa2a..99219ebf99 100644
--- a/tests/e2e/Scopes/ProjectCustom.php
+++ b/tests/e2e/Scopes/ProjectCustom.php
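Review bot: The `scope` label changes from a string to an array on this line, and the code that reads the label is not part of the series, so it is not visible whether an array is matched as any-of, as all-of, or handled at all. Any-of keeps existing keys that hold only the deprecated `policies.read` working, while all-of would reject every key that holds a single name. A comment above the label such as `// Either scope grants access; 'policies.read' is deprecated` would record the intended semantics for the next reader of this authorization rule. The same label change is made in `Policies/XList.php` and, for the write scopes, in the nine `Update` actions of PATCH 3/3. The enclosing method starts and ends outside the hunk.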
@@ -173,8 +173,8 @@ trait ProjectCustom
 'oauth2.write',
 'mocks.read',
 'mocks.write',
- 'policies.read',
- 'policies.write',
+ 'project.policies.read',
+ 'project.policies.write',
 'templates.read',
 'templates.write',
 ],
From 32d30dfd9d1e9a823611296859afa5168b3a0639 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Ba=C4=8Do?=
Date: Tue, 5 May 2026 13:06:57 +0200
Subject: [PATCH 2/3] Fix copy
---
 app/config/scopes/project.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/config/scopes/project.php b/app/config/scopes/project.php
index 6e019e7b93..7a61524b87 100644
--- a/app/config/scopes/project.php
+++ b/app/config/scopes/project.php
@@ -45,13 +45,13 @@ return [
 ],
 "policies.read" => [
 "description" =>
- "Access to read project\'s policies. Replaced by \'project.policies.read\' for more granular control.",
+ "Access to read project\'s policies. Replaced by \'project.policies.read\' for more granular control",
 "category" => "Project",
 'deprecated' => true,
 ],
 "policies.write" => [
 "description" =>
- "Access to update project\'s policies. Replaces by \'project.policies.read\' for more granular control.",
+ "Access to update project\'s policies. Replaces by \'project.policies.write\' for more granular control",
 "category" => "Project",
 'deprecated' => true,
 ],
From fef4cbf3b04006f7f96879e6a6c2118bad20953f Mon Sep 17 00:00:00 2001
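Review bot: After this swap the scope list used for the e2e key carries only the `project.policies.*` names, so nothing in this hunk exercises a key that holds just the deprecated `policies.read` or `policies.write`. The routes in this series keep listing the old names so that existing keys continue to work, and that compatibility path is the one most likely to regress unnoticed. A second key, or a dedicated test, that holds only the legacy scopes and calls one read and one update policy route would cover it. The scope list starts outside the hunk.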
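Review bot: The `policies.write` description on the new side still reads `Replaces by` after this copy fix; `Replaced by` would match the `policies.read` entry just above it. The string is a scope description and is presumably shown wherever scopes are listed, so the wording is user-facing.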
From: =?UTF-8?q?Matej=20Ba=C4=8Do?=
Date: Tue, 5 May 2026 13:37:51 +0200
Subject: [PATCH 3/3] Fix missing new scope
---
 .../Project/Http/Project/Policies/MembershipPrivacy/Update.php | 2 +-
 .../Project/Http/Project/Policies/PasswordDictionary/Update.php | 2 +-
 .../Project/Http/Project/Policies/PasswordHistory/Update.php | 2 +-
 .../Http/Project/Policies/PasswordPersonalData/Update.php | 2 +-
 .../Project/Http/Project/Policies/SessionAlert/Update.php | 2 +-
 .../Project/Http/Project/Policies/SessionDuration/Update.php | 2 +-
 .../Http/Project/Policies/SessionInvalidation/Update.php | 2 +-
 .../Project/Http/Project/Policies/SessionLimit/Update.php | 2 +-
 .../Modules/Project/Http/Project/Policies/UserLimit/Update.php | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/MembershipPrivacy/Update.php b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/MembershipPrivacy/Update.php
index c947ff225a..41a6168b07 100644
--- a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/MembershipPrivacy/Update.php
+++ b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/MembershipPrivacy/Update.php
@@ -31,7 +31,7 @@ class Update extends Action
 ->httpAlias('/v1/projects/:projectId/auth/memberships-privacy')
 ->desc('Update membership privacy policy')
 ->groups(['api', 'project'])
- ->label('scope', 'policies.write')
+ ->label('scope', ['policies.write', 'project.policies.write'])
 ->label('event', 'projects.[projectId].policies.[policy].update')
 ->label('audits.event', 'projects.[projectId].policies.[policy].update')
 ->label('audits.resource', 'project/{response.$id}')
diff --git a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/PasswordDictionary/Update.php b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/PasswordDictionary/Update.php
index e2c678abb6..d7ee99fbfe 100644
--- a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/PasswordDictionary/Update.php
+++ b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/PasswordDictionary/Update.php
@@ -31,7 +31,7 @@ class Update extends Action
 ->httpAlias('/v1/projects/:projectId/auth/password-dictionary')
 ->desc('Update password dictionary policy')
 ->groups(['api', 'project'])
- ->label('scope', 'policies.write')
+ ->label('scope', ['policies.write', 'project.policies.write'])
 ->label('event', 'projects.[projectId].policies.[policy].update')
 ->label('audits.event', 'projects.[projectId].policies.[policy].update')
 ->label('audits.resource', 'project/{response.$id}')
diff --git a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/PasswordHistory/Update.php b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/PasswordHistory/Update.php
index a8ae81caff..84861a19e1 100644
--- a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/PasswordHistory/Update.php
+++ b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/PasswordHistory/Update.php
@@ -32,7 +32,7 @@ class Update extends Action
 ->httpAlias('/v1/projects/:projectId/auth/password-history')
 ->desc('Update password history policy')
 ->groups(['api', 'project'])
- ->label('scope', 'policies.write')
+ ->label('scope', ['policies.write', 'project.policies.write'])
 ->label('event', 'projects.[projectId].policies.[policy].update')
 ->label('audits.event', 'projects.[projectId].policies.[policy].update')
 ->label('audits.resource', 'project/{response.$id}')
diff --git a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/PasswordPersonalData/Update.php b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/PasswordPersonalData/Update.php
index 9db7cf0549..435f00fc39 100644
--- a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/PasswordPersonalData/Update.php
+++ b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/PasswordPersonalData/Update.php
@@ -31,7 +31,7 @@ class Update extends Action
 ->httpAlias('/v1/projects/:projectId/auth/personal-data')
 ->desc('Update password personal data policy')
 ->groups(['api', 'project'])
- ->label('scope', 'policies.write')
+ ->label('scope', ['policies.write', 'project.policies.write'])
 ->label('event', 'projects.[projectId].policies.[policy].update')
 ->label('audits.event', 'projects.[projectId].policies.[policy].update')
 ->label('audits.resource', 'project/{response.$id}')
diff --git a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/SessionAlert/Update.php b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/SessionAlert/Update.php
index 22b7a44b04..79653d46ad 100644
--- a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/SessionAlert/Update.php
+++ b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/SessionAlert/Update.php
@@ -31,7 +31,7 @@ class Update extends Action
 ->httpAlias('/v1/projects/:projectId/auth/session-alerts')
 ->desc('Update session alert policy')
 ->groups(['api', 'project'])
- ->label('scope', 'policies.write')
+ ->label('scope', ['policies.write', 'project.policies.write'])
 ->label('event', 'projects.[projectId].policies.[policy].update')
 ->label('audits.event', 'projects.[projectId].policies.[policy].update')
 ->label('audits.resource', 'project/{response.$id}')
diff --git a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/SessionDuration/Update.php b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/SessionDuration/Update.php
index ba72c93a6f..0a7f33218a 100644
--- a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/SessionDuration/Update.php
+++ b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/SessionDuration/Update.php
@@ -31,7 +31,7 @@ class Update extends Action
 ->httpAlias('/v1/projects/:projectId/auth/duration')
 ->desc('Update session duration policy')
 ->groups(['api', 'project'])
- ->label('scope', 'policies.write')
+ ->label('scope', ['policies.write', 'project.policies.write'])
 ->label('event', 'projects.[projectId].policies.[policy].update')
 ->label('audits.event', 'projects.[projectId].policies.[policy].update')
 ->label('audits.resource', 'project/{response.$id}')
diff --git a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/SessionInvalidation/Update.php b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/SessionInvalidation/Update.php
index 8f8a959959..a1feb67346 100644
--- a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/SessionInvalidation/Update.php
+++ b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/SessionInvalidation/Update.php
@@ -31,7 +31,7 @@ class Update extends Action
 ->httpAlias('/v1/projects/:projectId/auth/session-invalidation')
 ->desc('Update session invalidation policy')
 ->groups(['api', 'project'])
- ->label('scope', 'policies.write')
+ ->label('scope', ['policies.write', 'project.policies.write'])
 ->label('event', 'projects.[projectId].policies.[policy].update')
 ->label('audits.event', 'projects.[projectId].policies.[policy].update')
 ->label('audits.resource', 'project/{response.$id}')
diff --git a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/SessionLimit/Update.php b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/SessionLimit/Update.php
index 382ed6f0d9..936a541249 100644
--- a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/SessionLimit/Update.php
+++ b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/SessionLimit/Update.php
@@ -32,7 +32,7 @@ class Update extends Action
 ->httpAlias('/v1/projects/:projectId/auth/max-sessions')
 ->desc('Update session limit policy')
 ->groups(['api', 'project'])
- ->label('scope', 'policies.write')
+ ->label('scope', ['policies.write', 'project.policies.write'])
 ->label('event', 'projects.[projectId].policies.[policy].update')
 ->label('audits.event', 'projects.[projectId].policies.[policy].update')
 ->label('audits.resource', 'project/{response.$id}')
diff --git a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/UserLimit/Update.php b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/UserLimit/Update.php
index 9129b81250..2b7e704853 100644
--- a/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/UserLimit/Update.php
+++ b/src/Appwrite/Platform/Modules/Project/Http/Project/Policies/UserLimit/Update.php
@@ -32,7 +32,7 @@ class Update extends Action
 ->httpAlias('/v1/projects/:projectId/auth/limit')
 ->desc('Update user limit policy')
 ->groups(['api', 'project'])
- ->label('scope', 'policies.write')
+ ->label('scope', ['policies.write', 'project.policies.write'])
 ->label('event', 'projects.[projectId].policies.[policy].update')
 ->label('audits.event', 'projects.[projectId].policies.[policy].update')
 ->label('audits.resource', 'project/{response.$id}')