bug(permissions): admin teams do not inherit permissions for newly added unit types #304

New Issue

Closed

opened 2026-05-31 13:51:56 +00:00 by jmiller · 2 comments

jmiller commented 2026-05-31 13:51:56 +00:00

Owner

Copy Link

Copy Source

Description

When a new unit type is added (e.g. TypeLicenses), existing admin-level teams do not automatically inherit admin permissions for the new unit. Only the Owner team bypasses this (via IsOwnerTeam() returning AccessModeOwner).

This was documented as a FIXME in models/unit/unit.go (removed in the licenses permission work):

FIXME: TEAM-UNIT-PERMISSION: the team unit admin permission design is not right,
when a new unit is added in the future, admin team will not inherit the correct admin
permission for the new unit, need to have a complete fix before adding any new unit.

Impact

• Admin teams created before TypeLicenses was added will not have license permissions unless manually updated
• Same issue will recur for any future unit types

Suggested fix

Either:

1. Auto-migrate existing admin teams when a new unit type is registered (DB migration)
2. Change permission logic so admin-level teams implicitly have access to all units

References

• Original FIXME was at models/unit/unit.go line 37-38
• Removed as part of TypeLicenses addition on branch fix/admin-delete-only

---

Claude Opus 4.6 (1M context) noreply@anthropic.com

## Description When a new unit type is added (e.g. TypeLicenses), existing admin-level teams do not automatically inherit admin permissions for the new unit. Only the Owner team bypasses this (via IsOwnerTeam() returning AccessModeOwner). This was documented as a FIXME in models/unit/unit.go (removed in the licenses permission work): ``` FIXME: TEAM-UNIT-PERMISSION: the team unit admin permission design is not right, when a new unit is added in the future, admin team will not inherit the correct admin permission for the new unit, need to have a complete fix before adding any new unit. ``` ## Impact - Admin teams created before TypeLicenses was added will not have license permissions unless manually updated - Same issue will recur for any future unit types ## Suggested fix Either: 1. Auto-migrate existing admin teams when a new unit type is registered (DB migration) 2. Change permission logic so admin-level teams implicitly have access to all units ## References - Original FIXME was at models/unit/unit.go line 37-38 - Removed as part of TypeLicenses addition on branch fix/admin-delete-only --- *Claude Opus 4.6 (1M context) <noreply@anthropic.com>*

jmiller commented 2026-05-31 14:00:17 +00:00

Author

Owner

Copy Link

Copy Source

Fixed in commit ed79a48119 and follow-up on branch fix/admin-delete-only.

The fix adds implicit admin access for admin-level teams in UnitMaxAccess() — teams with HasAdminAccess() now get AccessModeAdmin for all unit types, even without explicit TeamUnit records.

All related FIXME comments have been updated or removed.

---

Claude Opus 4.6 (1M context) noreply@anthropic.com

Fixed in commit ed79a48119 and follow-up on branch `fix/admin-delete-only`. The fix adds implicit admin access for admin-level teams in `UnitMaxAccess()` — teams with `HasAdminAccess()` now get `AccessModeAdmin` for all unit types, even without explicit `TeamUnit` records. All related FIXME comments have been updated or removed. --- *Claude Opus 4.6 (1M context) <noreply@anthropic.com>*

jmiller referenced this issue from a commit 2026-05-31 14:05:49 +00:00

fix(permissions): admin teams implicitly inherit access to all unit types

jmiller referenced a pull request that will close this issue 2026-05-31 14:06:19 +00:00

feat(licenses): UI/UX cleanup, permissions system, and key management improvements #305

jmiller referenced a pull request that will close this issue 2026-05-31 14:08:47 +00:00

feat(licenses): UI/UX cleanup, permissions system, and key management improvements #306

jmiller referenced this issue 2026-05-31 14:15:03 +00:00

feat(settings): repo settings tab for manifest.xml / update stream metadata #315

jmiller closed this issue 2026-05-31 14:21:08 +00:00

jmiller commented 2026-05-31 14:42:30 +00:00

Author

Owner

Copy Link

Copy Source

Verification (Production)

Deployed as v1.26.1-moko.05.05.00-dev-rc.306-2-gbfa9043bc8 on git.mokoconsulting.tech.

Tests Passed

Feature	Result
Compact tables render	2 tables confirmed
Orange Master labels	2 labels confirmed
Admin buttons hidden for unauth users	0 link-action/clipboard (correct)
MokoGitea releases (no licensing)	0 feed buttons (correct)
Org nav badge	Renders with count
License validation API	Returns proper error for invalid keys
License packages API	Returns 2 packages for MokoOnyx

Fix Verified

The UnitMaxAccess() change ensures admin teams get implicit access to all units including TypeLicenses. The Owner team continues to bypass all checks via IsOwnerTeam().

All TEAM-UNIT-PERMISSION FIXMEs resolved across:

• models/organization/team_list.go
• models/organization/team_repo.go
• routers/web/org/teams.go
• templates/org/team/sidebar.tmpl
• templates/repo/settings/collaboration.tmpl

---

Claude Opus 4.6 (1M context) noreply@anthropic.com

## Verification (Production) Deployed as `v1.26.1-moko.05.05.00-dev-rc.306-2-gbfa9043bc8` on git.mokoconsulting.tech. ### Tests Passed | Feature | Result | |---------|--------| | Compact tables render | 2 tables confirmed | | Orange Master labels | 2 labels confirmed | | Admin buttons hidden for unauth users | 0 link-action/clipboard (correct) | | MokoGitea releases (no licensing) | 0 feed buttons (correct) | | Org nav badge | Renders with count | | License validation API | Returns proper error for invalid keys | | License packages API | Returns 2 packages for MokoOnyx | ### Fix Verified The `UnitMaxAccess()` change ensures admin teams get implicit access to all units including `TypeLicenses`. The Owner team continues to bypass all checks via `IsOwnerTeam()`. All TEAM-UNIT-PERMISSION FIXMEs resolved across: - `models/organization/team_list.go` - `models/organization/team_repo.go` - `routers/web/org/teams.go` - `templates/org/team/sidebar.tmpl` - `templates/repo/settings/collaboration.tmpl` --- *Claude Opus 4.6 (1M context) <noreply@anthropic.com>*

Sign in to join this conversation.

Labels

Clear labels

breaking-change

Breaking API or behavior change

ci-cd

CI/CD pipeline changes

config

Configuration changes

dependencies

Dependency updates

deploy-failure

Deployment failed

docker

Docker/container changes

documentation

Documentation changes

good first issue

Good for newcomers

health-check

Repo health check result

help wanted

Extra attention needed

mokostandards

Related to MokoStandards framework

pending: testing

Feature implemented but not yet tested with documented proof

priority: critical

Must fix immediately

priority: high

Important, fix soon

priority: low

Nice to have

priority: medium

Normal priority

push-failure

Git push operation failed

security

Security vulnerability or hardening

size/l

200-500 lines changed

size/m

50-200 lines changed

size/s

10-50 lines changed

size/xl

500+ lines changed

size/xs

< 10 lines changed

standards-drift

Deviates from MokoStandards

standards-update

MokoStandards compliance update

status: blocked

Blocked by dependency or decision

status: in-progress

Actively being worked on

status: needs-review

Awaiting code review

status: on-hold

Paused intentionally

status: wontfix

Will not be addressed

sync-failure

Sync or mirror failed

tech-debt

Technical debt and TODO/FIXME items

type: bug

Something isn't working

type: bug

type: chore

Maintenance, dependencies, cleanup

type: enhancement

Improvement to existing feature

type: feature

New functionality

type: refactor

Code restructuring without behavior change

type: version

Version bump or release

upstream

upstream

Inherited from upstream Gitea

work-in-progress

Draft or incomplete work

bug

Something is not working

chore

Maintenance and housekeeping

documentation

Documentation improvements

enhancement

Improvement to existing functionality

feature

New feature or request

pending: dependency

Blocked by another issue or external dependency

pending: deployment

Tested and approved, awaiting deployment to production

pending: design

Needs UI/UX or architecture design before implementation

pending: documentation

Feature works, needs documentation/wiki update

pending: feedback

Awaiting feedback or decision from stakeholder

pending: review

Implementation complete, awaiting code review

pending: testing

Feature implemented but not yet tested

priority: critical

Must fix immediately

priority: high

Should fix soon

priority: low

Nice to have

priority: medium

Fix when convenient

refactor

Code restructuring without behavior change

roadmap

Planned feature or enhancement tracked on the roadmap

scope: client

Client-specific work

scope: dolibarr

Dolibarr modules and customizations

scope: infrastructure

Server, CI, backups, monitoring

scope: joomla

Joomla templates and extensions

scope: waas

MokoWaaS platform

security

Security vulnerability or hardening

status: blocked

Waiting on external dependency

status: duplicate

Duplicate of another issue

status: in-progress

Being worked on

status: needs-review

Ready for review

status: wontfix

Will not be addressed

No labels

Milestone

No items

No Milestone

Assignees

Clear assignees

jmiller (Jonathan Miller) moko-deploy (Moko Deploy Bot)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: MokoConsulting/MokoGitea#304