[LFXV2-603] Add authorization model types for past meeting artifacts

[andrest50]

Summary

• Added three new OpenFGA authorization model types: past_meeting_recording, past_meeting_transcript, and past_meeting_summary
• Each type supports three visibility levels: public (anyone), all participants (invitees and attendees), and only hosts
• Write permissions are limited to organizers from the past meeting
• Auditors and writers always have viewer access regardless of visibility settings
• Bumped authorization model version from 4.3.1 to 5.3.1 (major version bump for new types)

Ticket

LFXV2-603

🤖 Generated with Claude Code

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adds three new OpenFGA types for past meeting artifacts (recording, transcript, summary) with relations derived from past_meeting and a public viewer rule. Updates the OpenFGA AuthorizationModelRequest major version from 4 to 5 in charts/lfx-platform/templates/openfga/model.yaml.

Changes

Cohort / File(s)	Summary of Changes
OpenFGA model extensions charts/lfx-platform/templates/openfga/model.yaml	Added types: past_meeting_recording, past_meeting_transcript, past_meeting_summary. Each defines relations: past_meeting (link), writer/auditor/host (from past_meeting), participant (invitee or attendee from past_meeting), viewer (user:* or writer or auditor).
Auth model versioning charts/lfx-platform/templates/openfga/model.yaml	Bumped AuthorizationModelRequest major version from 4 to 5.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor U as User
  participant S as Service/API
  participant FGA as OpenFGA

  Note over S,FGA: Access check for new artifact types (recording/transcript/summary)

  U->>S: Request to view past_meeting_recording:{id}
  S->>FGA: Check(user, past_meeting_recording:{id}, viewer)
  alt viewer direct public
    FGA-->>S: allow (user:* matches)
  else derived via writer/auditor
    FGA->>FGA: Resolve writer/auditor from past_meeting
    FGA-->>S: allow/deny
  else participant path
    FGA->>FGA: Resolve invitee/attendee from past_meeting
    FGA-->>S: allow/deny
  end
  S-->>U: Permit or Deny
  Note over S: Same flow applies to transcript and summary

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• [LFXV2-375] Add a past_meeting type to the openfga authorization model #45 — Also modifies the OpenFGA model to extend past_meeting (adds past_meeting and auditor relation), directly connected to new types deriving auditor from past_meeting.
• LFXV2-352 - update the groupsio mailing list object to manage the members #52 — Updates the same OpenFGA model file, bumps major version to 5, and introduces new authorization types; overlaps in model-level change.
• add organizer as auditor on past_meeting model #63 — Changes past_meeting’s auditor definition (adds organizer), which affects auditor derivation used by the newly added artifact types.

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title concisely and accurately summarizes the main change – adding authorization model types for past meeting artifacts – matching the changeset.
Linked Issues Check	✅ Passed	The changes introduce distinct FGA types for past_meeting_recording, past_meeting_transcript, and past_meeting_summary with appropriate relations and permissions, fully satisfying the objectives of LFXV2-603.
Out of Scope Changes Check	✅ Passed	All modifications are confined to the OpenFGA model.yaml, adding the specified types and bumping the version, with no unrelated or extraneous changes detected.
Description Check	✅ Passed	The description clearly relates to adding new OpenFGA types, their permissions, and the version bump, matching the changes in the pull request.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch andrest50/past-meeting-artifacts

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 400334b and 7889019.

📒 Files selected for processing (1)

• charts/lfx-platform/templates/openfga/model.yaml (2 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-08-08T21:57:43.678Z

Learnt from: andrest50
PR: linuxfoundation/lfx-v2-helm#30
File: charts/lfx-platform/templates/openfga/model.yaml:66-69
Timestamp: 2025-08-08T21:57:43.678Z
Learning: In the lfx-platform OpenFGA authorization model for the meeting type, the viewer relation is intentionally defined as `[user:*] or participant or organizer or auditor from project`, which allows any user to view meetings by default. This is the correct and intended behavior for this system.

Applied to files:

• charts/lfx-platform/templates/openfga/model.yaml

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull Request Overview

This PR adds authorization model types for past meeting artifacts including recordings, transcripts, and summaries. The changes implement three visibility levels (public, participants only, and hosts only) with appropriate access controls for each artifact type.

• Added three new OpenFGA authorization model types: past_meeting_recording, past_meeting_transcript, and past_meeting_summary
• Implemented consistent access control patterns across all artifact types with viewer, writer, and auditor roles
• Bumped major version from 4 to 5 to reflect the addition of new authorization model types

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between cab36c8 and f9b77f0.

📒 Files selected for processing (2)

• charts/lfx-platform/Chart.yaml (1 hunks)
• charts/lfx-platform/templates/openfga/model.yaml (2 hunks)