@mauriciozanettisalomao (Contributor)

Overview

Jira Ticket: https://linuxfoundation.atlassian.net/browse/LFXV2-920

This pull request updates the OpenFGA authorization model in charts/lfx-platform/templates/openfga/model.yaml to introduce new relationship definitions and adjust existing ones, enabling more granular access control for profile viewing and auditing.

Relates to

Copilot AI review requested due to automatic review settings January 8, 2026 12:24
@mauriciozanettisalomao mauriciozanettisalomao requested a review from a team as a code owner January 8, 2026 12:24
@coderabbitai (coderabbitai bot) commented Jan 8, 2026

Walkthrough

Bumps OpenFGA model minor version (1 → 2) for the committee type. Adds self_for_member_basic_profile_access and basic_profile_viewer, updates auditor to include writer, and removes the auditor from project alternative from viewer. Adds explanatory comments.

Changes

Cohort / File(s): OpenFGA Authorization Model
  charts/lfx-platform/templates/openfga/model.yaml
Summary: Minor version bumped (spec.version.minor 1 → 2). Added public relation define self_for_member_basic_profile_access: [committee]. Updated define auditor to include writer ([user, team#member] or writer or auditor from project or meeting_coordinator from project). Added define basic_profile_viewer: auditor or member from self_for_member_basic_profile_access. Simplified define viewer by removing auditor from project ([user:*] or member or auditor). Added explanatory comments.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Linked Issues check: ❓ Inconclusive
  Explanation: The code changes partially implement the linked issue requirements by updating the OpenFGA authorization model with new relations for profile access control, but fall short of the full scope which includes FGA sync, indexer, Heimdall rulesets, and migration strategy.
  Resolution: Verify that companion PRs address FGA sync updates, indexer changes, Heimdall rulesets, and migration strategy, or document in this PR how remaining requirements will be fulfilled.

✅ Passed checks (4 passed)

Title check: ✅ Passed. The title accurately describes the main change: implementing conditional relation support for committee member visibility as referenced in the Jira ticket LFXV2-920.
Description check: ✅ Passed. The description is directly related to the changeset, explaining the OpenFGA model updates and referencing the relevant Jira ticket and companion PR for context.
Out of Scope Changes check: ✅ Passed. All changes in the pull request are directly related to updating the OpenFGA authorization model for committee member visibility, staying within the scope of the linked issue.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 8ae79af and e0bd176.

📒 Files selected for processing (1)
  • charts/lfx-platform/templates/openfga/model.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • charts/lfx-platform/templates/openfga/model.yaml


Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the OpenFGA authorization model for committee member visibility controls by introducing conditional profile access relationships and refining permission hierarchies. The changes support JIRA ticket LFXV2-920 and enable more granular control over who can view committee member profiles.

  • Introduced two new relations for conditional basic profile viewing access
  • Modified the auditor relation to include writers in the auditor permission set
  • Removed project-level auditor inheritance from the committee viewer relation


@coderabbitai (coderabbitai bot) left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
charts/lfx-platform/templates/openfga/model.yaml (1)

50-50: Consider adding a comment to explain this self-referential pattern.

The self_for_member_basic_profile_access relation uses a self-referential pattern where the committee references itself to conditionally enable member access. This pattern isn't immediately obvious to future maintainers.

📝 Suggested documentation
+            # The self_for_member_basic_profile_access relation enables conditional member visibility.
+            # When member_visibility is BASIC_PROFILE, write tuple: committee:<id>#self_for_member_basic_profile_access@committee:<id>
+            # When member_visibility is HIDDEN (default), omit the tuple so members cannot see other members' profiles.
             define self_for_member_basic_profile_access: [committee]
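Review bot: the third suggested line says to "omit the tuple" when member_visibility is HIDDEN, but HIDDEN is also reachable from BASIC_PROFILE, so on that transition the sync has to delete the existing `committee:<id>#self_for_member_basic_profile_access@committee:<id>` tuple, not merely stop writing it; suggest wording it "delete (or never write) the tuple" so a maintainer does not read the comment as write-once. It is also worth stating that the user side must be the same committee id: the relation is typed `[committee]`, so a tuple pointing at a different committee would let that other committee's members through `member from self_for_member_basic_profile_access`.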
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between c675678 and 8ae79af.

📒 Files selected for processing (1)
  • charts/lfx-platform/templates/openfga/model.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Agent
  • GitHub Check: MegaLinter
🔇 Additional comments (3)
charts/lfx-platform/templates/openfga/model.yaml (3)

21-24: LGTM!

Version bump from minor 1 to 2 is appropriate per the versioning guidelines for adding new relations (self_for_member_basic_profile_access and basic_profile_viewer).


52-53: Verify consuming services are updated to use basic_profile_viewer for profile access checks.

The basic_profile_viewer relation correctly implements the access rules:

  • Auditors: Always have access (regardless of visibility setting)
  • Members: Conditional access via member from self_for_member_basic_profile_access (only when visibility ≠ HIDDEN)

Ensure the FGA sync process writes the self-referential tuple when member_visibility is BASIC_PROFILE, and that downstream services (indexer, Heimdall, query-svc) are updated to check basic_profile_viewer for member profile access.


54-54: LGTM - Redundant path removed.

The removal of auditor from project from viewer is not a breaking change. Project auditors retain viewer access because:

  1. Committee's auditor includes auditor from project (line 52)
  2. Committee's viewer includes auditor (this line)

This simplification removes the redundant direct path while maintaining equivalent access semantics.
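The conditional self-referential tuple from the nitpick above and the "project auditors retain viewer access" argument in this last comment, as an added example that is not part of this PR, the chart, or the CodeRabbit and Copilot reviews: a small Python resolver that transcribes the committee rewrite rules quoted in the walkthrough and evaluates them over constructed tuples. It is not OpenFGA's engine; the nested-dict tuple store, the clause encoding, and every id (committee:c1, project:p1, user:alice, user:paul, user:wendy, user:zed) are assumptions made for this illustration, and the project, team and user types are assumed to carry only direct relations.

```python
"""Toy evaluator for the committee relations discussed in this PR review.

Constructed example: this is not OpenFGA's engine or the chart's own tooling.
It transcribes the rewrite rules the review quotes for the `committee` type
into a small resolver and checks them against hand-written tuples, so the
effect of the self-referential self_for_member_basic_profile_access tuple can
be seen directly. Assumptions: `project`, `team` and `user` hold only direct
relations, and all ids (c1, p1, alice, ...) are made up.
"""
from collections import defaultdict


def new_store():
    # object id -> relation -> set of "user" strings. A user string is a plain
    # id ("user:alice"), a userset ("team:sec#member") or a wildcard ("user:*").
    return defaultdict(lambda: defaultdict(set))


def write(store, obj, relation, user):
    """Write the tuple object#relation@user (OpenFGA's textual order)."""
    store[obj][relation].add(user)


def delete(store, obj, relation, user):
    store[obj][relation].discard(user)


# Rewrite rules for `committee`, transcribed from the walkthrough's summary of
# model.yaml. Each relation is a union of clauses:
#   ("direct",)        tuples written on committee#<relation>
#   ("rel", r)         computed userset: relation r on the same committee
#   ("from", r, via)   tuple-to-userset: `r from via`
COMMITTEE = {
    "project": [("direct",)],
    "member": [("direct",)],
    "writer": [("direct",)],
    "self_for_member_basic_profile_access": [("direct",)],
    "auditor": [("direct",), ("rel", "writer"),
                ("from", "auditor", "project"),
                ("from", "meeting_coordinator", "project")],
    "basic_profile_viewer": [("rel", "auditor"),
                             ("from", "member", "self_for_member_basic_profile_access")],
    "viewer": [("direct",), ("rel", "member"), ("rel", "auditor")],
}


def rules_for(obj, relation):
    if obj.startswith("committee:"):
        return COMMITTEE.get(relation, [])
    return [("direct",)]  # assumed: other types only hold direct tuples


def check(store, user, relation, obj, depth=0):
    """Return True if `user` has `relation` on `obj` under the rules above."""
    if depth > 16:  # bound recursion; tuples may legitimately point at their own object
        return False
    wildcard = user.split(":", 1)[0] + ":*"
    for clause in rules_for(obj, relation):
        if clause[0] == "direct":
            for u in store[obj][relation]:
                if u == user or u == wildcard:
                    return True
                if "#" in u:  # userset such as team:sec#member: recurse into it
                    uobj, urel = u.split("#", 1)
                    if check(store, user, urel, uobj, depth + 1):
                        return True
        elif clause[0] == "rel":
            if check(store, user, clause[1], obj, depth + 1):
                return True
        else:  # ("from", r, via): follow each `via` tuple, then evaluate r there
            _, rel, via = clause
            for linked in store[obj][via]:
                if check(store, user, rel, linked.split("#", 1)[0], depth + 1):
                    return True
    return False


def scenario():
    """Constructed tuples for one committee; returns the access decisions."""
    s = new_store()
    write(s, "committee:c1", "project", "project:p1")
    write(s, "committee:c1", "member", "user:alice")
    write(s, "committee:c1", "writer", "user:wendy")
    write(s, "project:p1", "auditor", "user:paul")
    out = {}
    # member_visibility HIDDEN (default): the self-referential tuple is absent
    out["member_hidden"] = check(s, "user:alice", "basic_profile_viewer", "committee:c1")
    # member_visibility BASIC_PROFILE: the sync writes
    # committee:c1#self_for_member_basic_profile_access@committee:c1
    write(s, "committee:c1", "self_for_member_basic_profile_access", "committee:c1")
    out["member_basic"] = check(s, "user:alice", "basic_profile_viewer", "committee:c1")
    out["outsider_basic"] = check(s, "user:zed", "basic_profile_viewer", "committee:c1")
    # auditors always see profiles; a project auditor is a committee auditor via
    # `auditor from project`, so still a viewer after the direct path was removed
    out["project_auditor_profile"] = check(s, "user:paul", "basic_profile_viewer", "committee:c1")
    out["project_auditor_viewer"] = check(s, "user:paul", "viewer", "committee:c1")
    out["writer_is_auditor"] = check(s, "user:wendy", "auditor", "committee:c1")
    # back to HIDDEN: the tuple has to be deleted for access to go away
    delete(s, "committee:c1", "self_for_member_basic_profile_access", "committee:c1")
    out["member_hidden_again"] = check(s, "user:alice", "basic_profile_viewer", "committee:c1")
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

Running `scenario()` shows the two properties the reviews rely on: a committee member resolves basic_profile_viewer only while the self-referential tuple exists (and loses it again once the tuple is deleted), and a project auditor still resolves committee viewer through auditor, which is why dropping the direct `auditor from project` clause from viewer is not a behaviour change.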
