Fix viewer relation for past meeting artifacts

[andrest50]

Summary

• Fixed the viewer relation for past_meeting_recording, past_meeting_transcript, and past_meeting_summary types to accept both [user] and [user:*] types
• This allows the backend to create viewer tuples for specific users (e.g., hosts or participants) in addition to the wildcard [user:*] tuple for public visibility
• Bumped the patch version from 5.3.2 to 5.3.3

🤖 Generated with Claude Code

[Copilot]

Pull Request Overview

This PR fixes the viewer relation for past meeting artifacts (recordings, transcripts, and summaries) in the OpenFGA authorization model to support both specific user assignments and wildcard user access patterns.

• Updated viewer relations to accept both [user] and [user:*] types
• Bumped patch version from 5.3.2 to 5.3.3
• Enables backend to create viewer tuples for specific users while maintaining public visibility option

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[coderabbitai]

Walkthrough

Updated OpenFGA viewer relations in the access model to include explicit non-wildcard users (user) alongside wildcard (user:*), and added writer as a viewer for project. Similar explicit user inclusion applied to past meeting artifacts. Incremented model version patch from 2 to 3.

Changes

Cohort / File(s)	Summary of Changes
OpenFGA access model: viewer relations charts/lfx-platform/templates/openfga/model.yaml	Adjusted viewer definitions: project.viewer from [user:*] or auditor to [user, user:*] or writer or auditor; for past_meeting_recording, past_meeting_transcript, past_meeting_summary from [user:*] or writer or auditor to [user, user:*] or writer or auditor.
Version metadata bump charts/lfx-platform/templates/openfga/model.yaml	Incremented version patch from 2 to 3.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor U as User
  participant S as Service
  participant A as AuthZ (OpenFGA)

  U->>S: Request access to resource (view)
  S->>A: Check relation: viewer?
  Note over A: Evaluate:<br/>- user in [user]<br/>- user matches [user:*]<br/>- user has writer<br/>- user has auditor
  alt Authorized
    A-->>S: allow
    S-->>U: 200 OK (granted)
  else Not authorized
    A-->>S: deny
    S-->>U: 403 Forbidden
  end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• [LFXV2-603] Add authorization model types for past meeting artifacts #65 — Introduced past_meeting_* types with initial viewer relations; this PR refines those relations to include explicit user.
• [LFXV2-375] Add a past_meeting type to the openfga authorization model #45 — Prior adjustments to viewer relations in the same OpenFGA model file for past meeting artifacts; closely related area of change.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Out of Scope Changes Check	⚠️ Warning	The patch includes a modification to the project.viewer relation which is not specified in issue LFXV2-603 and therefore appears unrelated to the requirement of adjusting only the past meeting artifact types’ permissions.	Please remove or isolate the project.viewer definition change to a separate pull request or verify if that update is intended, ensuring this PR only addresses the past meeting artifact types as scoped by the linked issue.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title succinctly describes the primary change of fixing viewer relations for past meeting artifacts and is both clear and concise without extraneous information.
Linked Issues Check	✅ Passed	The pull request updates the OpenFGA model to adjust viewer relations for the distinct types past_meeting_recording, past_meeting_transcript, and past_meeting_summary as required by issue LFXV2-603, enabling both specific user and wildcard tuples, and references the correct ticket for traceability.
Description Check	✅ Passed	The description clearly outlines the specific viewer relation updates for past meeting recording, transcript, and summary types as well as the version bump, all of which directly relate to the changeset.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch andrest50/patch-auth-model

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 46e19d7 and f8a0b45.

📒 Files selected for processing (1)

• charts/lfx-platform/templates/openfga/model.yaml (4 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: andrest50
PR: linuxfoundation/lfx-v2-helm#30
File: charts/lfx-platform/templates/openfga/model.yaml:66-69
Timestamp: 2025-08-08T21:57:43.678Z
Learning: In the lfx-platform OpenFGA authorization model for the meeting type, the viewer relation is intentionally defined as `[user:*] or participant or organizer or auditor from project`, which allows any user to view meetings by default. This is the correct and intended behavior for this system.

📚 Learning: 2025-08-08T21:57:43.678Z

Learnt from: andrest50
PR: linuxfoundation/lfx-v2-helm#30
File: charts/lfx-platform/templates/openfga/model.yaml:66-69
Timestamp: 2025-08-08T21:57:43.678Z
Learning: In the lfx-platform OpenFGA authorization model for the meeting type, the viewer relation is intentionally defined as `[user:*] or participant or organizer or auditor from project`, which allows any user to view meetings by default. This is the correct and intended behavior for this system.

Applied to files:

• charts/lfx-platform/templates/openfga/model.yaml

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[bramwelt]

Looks good, just missing a chart bump.