Skip to content

PS-1048 permissions metadata#743

Open
4rthem wants to merge 66 commits intomasterfrom
PS-1048-permissions-metadata
Open

PS-1048 permissions metadata#743
4rthem wants to merge 66 commits intomasterfrom
PS-1048-permissions-metadata

Conversation

@4rthem
Copy link
Copy Markdown
Member

@4rthem 4rthem commented Mar 16, 2026

No description provided.

@4rthem 4rthem requested a review from Copilot March 16, 2026 16:50
@4rthem 4rthem mentioned this pull request Mar 16, 2026
Closed
Copilot AI reviewed Mar 16, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR expands the ACL/permissions model by introducing metadata-backed “extra” permissions, refactoring capability shapes across the Databox client/API, and updating related voters, providers, fixtures, and migrations (including deprecating rendition rules and collection-level tag filter rules).

Changes:

  • Add ACE metadata support and propagate “extra permissions” through API + client permission UI.
  • Refactor capability payloads from canX to {edit, delete, share, editPermissions, createAsset, ...} and update affected UI/actions.
  • Rework permission enforcement for integrations/renditions/tag filters (new voters/queries/migrations; remove obsolete rule entities).

Reviewed changes

Copilot reviewed 173 out of 174 changed files in this pull request and generated 9 comments.

Show a summary per file
File Description
uploader/api/migrations/Version20260311123636.php Add ACE metadata column (uploader)
expose/api/migrations/Version20260311123636.php Add ACE metadata column (expose)
databox/api/migrations/Version20260311123636.php Add ACE metadata column (databox)
databox/api/migrations/Version20260311153515.php Add public to workspace_integration
databox/api/migrations/Version20260316113320.php Alters ACE/workspace_integration schema
databox/api/migrations/Version20260316144506.php Remove rendition_rule + tag filter collection level
databox/api/migrations/Version20260316152513.php Add editable to rendition_policy
lib/php/auth-bundle/Security/Voter/AbstractVoter.php Add metadata helpers + broaden hasAcl signature
lib/php/auth-bundle/Tests/Client/KeycloakClientTestMock.php Add extra test user
lib/js/api/src/hydra.ts Add IRI helpers
lib/js/api/index.ts Export new IRI helpers
lib/js/phrasea-framework/src/Tree/TreeView.tsx Disabled node styling
lib/js/phrasea-framework/src/Tree/BaseTreeNode.tsx Non-selectable node click behavior
docker-compose.dev.yml Pass REACT_EDITOR env
.env Define REACT_EDITOR
databox/client/translations/en.json Permission label casing updates
databox/client/src/types.ts Capability + ACE metadata typing
databox/client/src/store/basketStore.ts Update basket capability usage
databox/client/src/hooks/useAssetActions.ts Update asset capability usage
databox/client/src/components/Upload/UploadForm.tsx Upload destination filtering/selectability
databox/client/src/components/Upload/UploadDialog.tsx Destination IRI handling + selection tracking
databox/client/src/components/Form/CollectionTreeWidget.tsx Default selection wiring for tree widget
databox/client/src/components/Media/CollectionsPanel.tsx Pass auth state to menu items
databox/client/src/components/Media/WorkspaceMenuItem.tsx Workspace actions gated by new capabilities
databox/client/src/components/Media/CollectionMenuItem.tsx Collection actions gated by new capabilities
databox/client/src/components/Media/Collection/CollectionTree/types.ts Tree item capability shape updates
databox/client/src/components/Media/Collection/CollectionTree/CollectionsTreeView.tsx Node IDs as IRIs + add-child capability
databox/client/src/components/Media/Search/SavedSearch/SavedSearchList.tsx Update saved-search capability usage
databox/client/src/components/Media/Asset/FileIntegrations.tsx Gate integration usage via capabilities
databox/client/src/components/Media/Asset/Actions/SaveFileAsNewAssetDialog.tsx Update destination selectability
databox/client/src/components/Media/Asset/Actions/MoveAssetsDialog.tsx Update destination selectability
databox/client/src/components/Media/Asset/Actions/CopyAssetsDialog.tsx Update share/createAsset capability checks
databox/client/src/components/Integration/TuiPhotoEditor/TUIPhotoEditor.tsx Gate interaction via integration capabilities
databox/client/src/components/Integration/RemoveBG/RemoveBGAssetEditorActions.tsx Gate interaction + i18n key changes
databox/client/src/components/Integration/AwsRekognition/AwsRekognitionAssetEditorActions.tsx Disable processing when cannot interact
databox/client/src/components/Discussion/DiscussionMessage.tsx Update message capability usage
databox/client/src/components/Dialog/Workspace/WorkspaceDialog.tsx Update workspace dialog capability usage
databox/client/src/components/Dialog/Workspace/Acl.tsx Workspace ACL definitions + filtering
databox/client/src/components/Dialog/Workspace/IntegrationManager.tsx Integration public flag + ACL UI
databox/client/src/components/Dialog/Workspace/RenditionPolicyManager.tsx Add editable/public UX for policies
databox/client/src/components/Dialog/Workspace/RenditionPolicyPermissions.tsx Rendition policy ACL via AclForm
databox/client/src/components/Dialog/Workspace/AttributePolicyManager.tsx Attribute policy ACL filter updates
databox/client/src/components/Dialog/Collection/CollectionDialog.tsx Update collection dialog capability usage
databox/client/src/components/Dialog/Collection/Operations.tsx Update operations gating
databox/client/src/components/Dialog/Collection/Acl.tsx Collection ACL definitions + filtering
databox/client/src/components/Dialog/SavedSearch/SavedSearchDialog.tsx Update dialog capability usage
databox/client/src/components/Dialog/SavedSearch/Acl.tsx Switch to Permissions AclForm
databox/client/src/components/Dialog/Basket/BasketDialog.tsx Update dialog capability usage
databox/client/src/components/Dialog/Basket/Acl.tsx Switch to Permissions AclForm
databox/client/src/components/Dialog/AttributeList/AttributeListDialog.tsx Update dialog capability usage
databox/client/src/components/Dialog/AttributeList/Acl.tsx Switch to Permissions AclForm
databox/client/src/components/Dialog/Asset/AssetDialog.tsx Update dialog capability usage
databox/client/src/components/Dialog/Asset/EditAsset.tsx Update editAttributes gating
databox/client/src/components/Dialog/Asset/Acl.tsx Filter visible ACL defs for assets
databox/client/src/components/Basket/BasketViewDialog.tsx Update basket edit gating
databox/client/src/components/Basket/BasketListDialog.tsx Update basket capability usage
databox/client/src/components/Basket/BasketContextMenu.tsx Update basket capability usage
databox/client/src/components/AttributeList/AttributeListMenuItem.tsx Update attribute-list capability usage
databox/client/src/components/AssetList/Toolbar/WithSelectionActions.tsx Update asset capability usage
databox/client/src/components/AttributeEditor/batchActions.test.ts Update capability test data
databox/client/src/api/acl.ts Send ACE metadata on update
databox/client/src/api/collection.ts Create IRIs via helper
databox/client/src/components/Permissions/permissionsTypes.ts New permission/extra-permission types
databox/client/src/components/Permissions/useAclPermissionDefinitions.ts Centralize permission definitions
databox/client/src/components/Permissions/PermissionsHelper.tsx Render permission descriptions table
databox/client/src/components/Permissions/PermissionList.tsx Definitions-driven permission table
databox/client/src/components/Permissions/PermissionTable.tsx Definitions-driven columns + empty state
databox/client/src/components/Permissions/PermissionRow.tsx Mask + extra-permission checkbox handling
databox/client/src/components/Permissions/PermissionRowSkeleton.tsx Skeleton rows by column count
databox/client/src/components/Permissions/AclForm.tsx Wire metadata to putAce
databox/client/src/components/Acl/acl.ts Removed (moved to permissionsTypes)
databox/client/src/components/Acl/AclPermissionLabel.tsx Removed (labeling now via definitions)
databox/client/src/components/Permissions/permissions.ts Removed (replaced by permissionsTypes)
databox/client/src/api/renditionRule.ts Removed (rendition rules deprecated)
databox/api/composer.json Pin acl-bundle to dev-metadata
databox/api/config/packages/alchemy_acl.yaml Register more ACL objects + permissions
databox/api/config/packages/alchemy_webhook.yaml Remove rendition_rule webhook mapping
databox/api/config/packages/alchemy_track.yaml Remove rendition_rule tracking
databox/api/fixtures/Newspaper.yaml Add integration public + policy editable
databox/api/fixtures/Marketplace.yaml Add policy editable
databox/api/tests/fixtures/test.yaml Add policy editable
databox/api/tests/Api/CrudTest.php Include policy editable in CRUD test
databox/api/tests/Api/CollectionAssetTest.php Adjust user expectations
databox/api/tests/Search/AssetSearchPermissionsTest.php Update tag filter rule test scenario
databox/api/tests/Rendition/Phraseanet/PhraseanetRenditionEnqueueMethodTest.php Set integration public
databox/api/tests/Rendition/Phraseanet/PhraseanetRenditionApiV3SubDefMethodTest.php Set integration public
databox/api/tests/Integration/Phrasea/Uploader/UploaderIntegrationTest.php Set integration public
databox/api/tests/Integration/Aws/Transcribe/AwsTranscribeEventTest.php Set integration public
databox/api/src/Entity/Integration/WorkspaceIntegration.php Add public + ACL object type/owner
databox/api/src/Entity/Core/RenditionPolicy.php Add editable + implement ACL object
databox/api/src/Entity/Core/TagFilterRule.php Move to workspace-level constraint/model
databox/api/src/Repository/Core/TagFilterRuleRepository.php Convert to ServiceEntityRepository + workspace filter
databox/api/src/Repository/Core/AssetRenditionRepository.php Convert to ServiceEntityRepository
databox/api/src/Security/TagFilterManager.php Workspace-only rule model
databox/api/src/Elasticsearch/AssetSearch.php Remove collection-level tag filter query
databox/api/src/Integration/IntegrationManager.php Enforce INTERACT permission for actions
databox/api/src/Api/Provider/WorkspaceIntegrationCollectionProvider.php Filter integrations by ACL/public/owner
databox/api/src/Api/Provider/TagFilterRuleCollectionProvider.php Workspace-only rule filtering
databox/api/src/Api/InputTransformer/WorkspaceIntegrationInputTransformer.php Map public from input
databox/api/src/Api/InputTransformer/TagFilterRuleInputTransformer.php Workspace-only + access check
databox/api/src/Api/OutputTransformer/WorkspaceOutputTransformer.php New workspace capabilities
databox/api/src/Api/OutputTransformer/WorkspaceIntegrationOutputTransformer.php Add public + capabilities
databox/api/src/Api/OutputTransformer/CollectionOutputTransformer.php New collection capabilities
databox/api/src/Api/OutputTransformer/AssetOutputTransformer.php New asset capabilities + rendition access checks
databox/api/src/Api/OutputTransformer/BasketOutputTransformer.php New basket capabilities
databox/api/src/Api/OutputTransformer/AttributeListOutputTransformer.php New attribute-list capabilities
databox/api/src/Api/OutputTransformer/SavedSearchOutputTransformer.php New saved-search capabilities
databox/api/src/Api/OutputTransformer/ThreadMessageOutputTransformer.php New message capabilities
databox/api/src/Api/OutputTransformer/TagFilterRuleOutputProcessor.php Output workspaceId from workspace relation
databox/api/src/Api/Processor/ExportProcessor.php Check rendition access via voter
databox/api/src/Api/Provider/StoryThumbnailsProvider.php Check rendition access via voter
databox/api/src/Api/Provider/ShareReadProvider.php Check rendition access via voter
databox/api/src/Api/Provider/ShareRenditionProvider.php Remove rendition-permission deps
databox/api/src/Security/Voter/WorkspaceVoter.php Add caching + new container permissions
databox/api/src/Security/Voter/CollectionVoter.php Add caching + new container permissions
databox/api/src/Security/Voter/AssetVoter.php Rework container-based checks + metadata perms
databox/api/src/Security/Voter/AssetRenditionVoter.php Remove rendition manager; add cached ACL checks
databox/api/src/Security/Voter/WorkspaceIntegrationVoter.php Add READ_DATA/INTERACT permissions
databox/api/src/Security/Voter/CollectionAssetVoter.php Tighten create/delete checks
databox/api/src/Security/Voter/ThreadVoter.php Remove explicit token passing to security
databox/api/src/Security/Voter/ThreadMessageVoter.php Remove explicit token passing to security
databox/api/src/Security/Voter/TemplateAttributeVoter.php Remove explicit token passing to security
databox/api/src/Security/Voter/TagVoter.php Remove explicit token passing to security
databox/api/src/Security/Voter/TagFilterRuleVoter.php Workspace-based permission check
databox/api/src/Security/Voter/ShareVoter.php Remove explicit token passing to security
databox/api/src/Security/Voter/RenditionPolicyVoter.php Add scope short-circuit + stricter read
databox/api/src/Security/Voter/RenditionDefinitionVoter.php Remove explicit token passing to security
databox/api/src/Security/Voter/FileVoter.php Remove explicit token passing to security
databox/api/src/Security/Voter/EntityListVoter.php Remove explicit token passing to security
databox/api/src/Security/Voter/AttributeVoter.php Remove explicit token passing to security
databox/api/src/Security/Voter/AttributePolicyVoter.php Remove explicit token passing to security
databox/api/src/Security/Voter/AttributeEntityVoter.php Remove explicit token passing to security
databox/api/src/Security/Voter/AttributeDefinitionVoter.php Remove explicit token passing to security
databox/api/src/Security/Voter/AssetFileVersionVoter.php Remove explicit token passing to security
databox/api/src/Security/Voter/AssetAttachmentVoter.php Remove explicit token passing to security
databox/api/src/Security/Voter/AssetContainerVoterInterface.php New container permission constants
databox/api/src/Doctrine/Delete/WorkspaceDelete.php Delete TagFilterRule dependencies
databox/api/src/Border/BorderManager.php Add fopen failure handling
databox/api/src/Controller/Admin/RenditionPolicyCrudController.php Add editable field + ACL admin base
databox/api/src/Controller/Admin/WorkspaceIntegrationCrudController.php Add public field
databox/api/src/Controller/Admin/TagFilterRuleCrudController.php Workspace filter + remove objectType/objectId
databox/api/src/Controller/Admin/DashboardController.php Remove rendition_rule menu
databox/api/src/Validator/TagFilterRuleConstraint.php Removed
databox/api/src/Validator/TagFilterRuleConstraintValidator.php Removed
databox/api/src/Security/RenditionPermissionManager.php Removed
databox/api/src/Repository/Core/RenditionRuleRepository.php Removed
databox/api/src/Entity/Core/RenditionRule.php Removed
databox/api/src/Security/Voter/RenditionRuleVoter.php Removed
databox/api/src/Api/Model/Input/RenditionRuleInput.php Removed
databox/api/src/Api/InputTransformer/RenditionRuleInputTransformer.php Removed
databox/api/src/Api/Model/Output/RenditionRuleOutput.php Removed
databox/api/src/Api/OutputTransformer/RenditionRuleOutputProcessor.php Removed
databox/api/src/Service/Workspace/WorkspaceDuplicateManager.php Stop duplicating removed rule entities
databox/api/src/Service/Asset/AssetCopier.php Switch rendition access checks to voters
databox/api/src/Security/Voter/MemoryCacheSecurity.php Removed
databox/api/src/Doctrine/Listener/WorkspaceListener.php Removed
databox/api/src/Consumer/Handler/Workspace/OnWorkspaceDelete.php Removed
databox/api/src/Consumer/Handler/Workspace/OnWorkspaceDeleteHandler.php Removed
databox/api/src/Form/UserTypeType.php Removed
databox/api/src/Form/ObjectTypeType.php Removed
Comments suppressed due to low confidence (1)

databox/client/src/components/Permissions/PermissionRowSkeleton.tsx:24

  • Array(columnCount).map(...) won’t render any cells because Array(n) creates a sparse array and map skips empty slots. Use Array.from({length: columnCount}) (or spread) so skeleton cells actually render.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

Comment thread databox/api/migrations/Version20260316113320.php
Comment thread lib/php/auth-bundle/Security/Voter/AbstractVoter.php
Comment thread databox/client/src/components/Form/CollectionTreeWidget.tsx
Comment thread databox/api/src/Entity/Core/RenditionPolicy.php
Comment thread databox/client/src/components/Dialog/Workspace/RenditionPolicyManager.tsx
Comment thread databox/client/src/components/Permissions/useAclPermissionDefinitions.ts
Comment thread databox/client/src/components/Permissions/PermissionRow.tsx Outdated
Comment thread databox/api/src/Api/OutputTransformer/WorkspaceOutputTransformer.php
Comment thread databox/client/src/components/Dialog/Workspace/IntegrationManager.tsx
@4rthem 4rthem force-pushed the PS-1048-permissions-metadata branch from 216bcdd to 39eeb39 Compare March 16, 2026 17:04
4rthem added 9 commits March 24, 2026 12:14
@4rthem
WIP
f13893f
@4rthem
Merge branch 'master' into PS-1048-permissions-metadata
036ba10 
# Conflicts:
#	databox/api/config/packages/alchemy_acl.yaml
#	databox/client/src/api/collection.ts
#	databox/client/src/hooks/useAssetActions.ts
#	lib/js/api/index.ts
#	lib/js/api/src/hydra.ts
#	lib/js/phrasea-framework/src/Tree/BaseTreeNode.tsx
@4rthem
fix merge
54d6855
@4rthem
fixes
85663c2
@4rthem
Merge branch 'master' into PS-1048-permissions-metadata
feeb8be
@4rthem
Enhance permissions handling and metadata integration for assets and …
db97888 
…collections
@4rthem
fix ES index with new permissions
39cf12a
@4rthem
refactor permission checks in voters to use AbstractVoter constants f…
62fa9e0 
…or consistency
@4rthem
add permission parents
bac29ae
@4rthem 4rthem requested a review from Copilot April 1, 2026 17:57
Copilot AI reviewed Apr 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces “permissions metadata” and a broader ACL refactor across backend + frontend, including new permission definitions/capabilities, integration visibility/interaction permissions, and removal of legacy rendition-rule and collection-level tag-filter rules.

Changes:

  • Add ACL “metadata” support (DB + voters) and revamp permission/capabilities naming across APIs and clients.
  • Move rendition policy access control to ACL, add editable to rendition policies, and add public + ACL support to workspace integrations.
  • Update UI permission management components (definitions-based table, helper, parent ACL display) and multiple features to use new capabilities.

Reviewed changes

Copilot reviewed 210 out of 213 changed files in this pull request and generated 8 comments.

Show a summary per file
File Description
uploader/api/migrations/Version20260311123636.php Adds metadata JSON column to ACL entries (uploader DB).
lib/php/auth-bundle/Tests/Client/KeycloakClientTestMock.php Adds an additional mock user for permission scenarios.
lib/php/auth-bundle/Security/Voter/AbstractVoter.php Extends ACL checks with ownership toggle + metadata helpers.
lib/js/phrasea-framework/src/Ui/BetaChip.tsx Allows setting chip size and adjusts font size accordingly.
lib/js/phrasea-framework/src/Tree/TreeView.tsx Adds styling for disabled tree nodes.
lib/js/phrasea-framework/src/Tree/BaseTreeNode.tsx Adjusts selection vs expand behavior for non-selectable nodes.
lib/js/api/src/useRequestErrorHandler.ts Makes retry-condition evaluation async-aware.
lib/js/api/src/useFormSubmit.ts Ensures early return after mapping remote form errors.
lib/js/api/src/hydra.ts Renames/extends IRI helpers (createIriFromId, isEntityIri).
lib/js/api/index.ts Updates exports organization for API package.
expose/api/symfony.lock Adds StofDoctrineExtensionsBundle recipe lock entry.
expose/api/migrations/Version20260311123636.php Adds metadata JSON column to ACL entries (expose DB).
expose/api/config/packages/stof_doctrine_extensions.yaml Enables doctrine-extensions (timestampable).
expose/api/config/bundles.php Registers StofDoctrineExtensionsBundle.
expose/api/composer.json Adds doctrine-extensions bundle dependency.
docker-compose.dev.yml Propagates REACT_EDITOR into dev container environment.
databox/client/translations/en.json Updates permission labels casing (UI).
databox/client/src/types.ts Renames capability fields and adds ACE metadata typing.
databox/client/src/store/basketStore.ts Updates basket capability field usage.
databox/client/src/hooks/useAssetActions.ts Updates asset action gating to new capabilities.
databox/client/src/components/Upload/UploadForm.tsx Updates destination selection logic and workspace filtering.
databox/client/src/components/Upload/UploadDialog.tsx Uses IRI helpers; derives collection ID from watched destination.
databox/client/src/components/Permissions/PermissionTable.tsx Switches to definitions-driven permission table + empty state.
databox/client/src/components/Permissions/permissionsTypes.ts Introduces unified permission/definition types (mask + extra).
databox/client/src/components/Permissions/PermissionsHelper.tsx Adds helper table showing permission descriptions.
databox/client/src/components/Permissions/permissions.ts Removes legacy permission types module.
databox/client/src/components/Permissions/PermissionRowSkeleton.tsx Refactors skeleton to use column count.
databox/client/src/components/Permissions/PermissionList.tsx Builds definitions list with filtering + optional helper.
databox/client/src/components/Permissions/ParentAcl.tsx Adds collapsible “Parent permissions” UI wrapper.
databox/client/src/components/Permissions/aclTypes.ts Adds shared ACL form prop typing.
databox/client/src/components/Permissions/AclForm.tsx Extends ACE updates to include metadata.
databox/client/src/components/Media/Search/SavedSearch/SavedSearchList.tsx Updates saved-search capability field usage.
databox/client/src/components/Media/Search/AQL/query.ts Uses new IRI builder helper.
databox/client/src/components/Media/CollectionsPanel.tsx Passes auth state down to menu items.
databox/client/src/components/Media/CollectionMenuItem.tsx Gates actions using new capabilities + passed auth state.
databox/client/src/components/Media/Collection/CollectionTree/types.ts Updates tree node capability shape.
databox/client/src/components/Media/Collection/CollectionTree/CollectionsTreeView.tsx Uses IRIs as node IDs; updates “add children” gating.
databox/client/src/components/Media/Asset/FileIntegrations.tsx Blocks integration UI when “use” capability is missing.
databox/client/src/components/Media/Asset/Actions/SaveFileAsNewAssetDialog.tsx Uses createAsset capability for destination selection.
databox/client/src/components/Media/Asset/Actions/MoveAssetsDialog.tsx Uses createAsset capability for destination selection.
databox/client/src/components/Media/Asset/Actions/CopyAssetsDialog.tsx Updates share/edit checks and destination select gating.
databox/client/src/components/Media/Asset/Actions/AssetViewActions.tsx Shows edit group when edit OR editAttributes is allowed.
databox/client/src/components/Layout/AppNav.tsx Adds BetaChip indicator to Pages nav item.
databox/client/src/components/Integration/TuiPhotoEditor/TUIPhotoEditor.tsx Adds integration interaction gating.
databox/client/src/components/Integration/RemoveBG/RemoveBGAssetEditorActions.tsx Adds interaction gating + translation key adjustments.
databox/client/src/components/Integration/AwsRekognition/AwsRekognitionAssetEditorActions.tsx Disables processing when interaction isn’t allowed.
databox/client/src/components/Form/SavedSearchSelect.tsx Uses new IRI helper.
databox/client/src/components/Form/RenditionPolicySelect.tsx Uses new IRI helper.
databox/client/src/components/Form/RenditionDefinitionSelect.tsx Uses new IRI helper.
databox/client/src/components/Form/CollectionTreeWidget.tsx Derives defaultSelectedNodes from form value.
databox/client/src/components/Discussion/DiscussionMessage.tsx Updates message capability field usage.
databox/client/src/components/Dialog/Workspace/WorkspaceDialog.tsx Updates tab enablement to new capabilities.
databox/client/src/components/Dialog/Workspace/RenditionPolicyPermissions.tsx Switches policy permissions to ACL-based form.
databox/client/src/components/Dialog/Workspace/RenditionPolicyManager.tsx Adds editable field and chips for public/editable status.
databox/client/src/components/Dialog/Workspace/IntegrationManager.tsx Adds public flag + ACL permissions for integrations.
databox/client/src/components/Dialog/Workspace/AttributePolicyManager.tsx Updates ACL form wiring to new permissions filter approach.
databox/client/src/components/Dialog/Workspace/Acl.tsx Switches to specialized workspace ACL form wrapper.
databox/client/src/components/Dialog/SavedSearch/SavedSearchDialog.tsx Updates tab enablement to new capabilities.
databox/client/src/components/Dialog/SavedSearch/Acl.tsx Switches saved-search ACL form import to new location.
databox/client/src/components/Dialog/Collection/TagRulesTab.tsx Removes TagRules tab.
databox/client/src/components/Dialog/Collection/Operations.tsx Updates operation gating to new capabilities.
databox/client/src/components/Dialog/Collection/CollectionDialog.tsx Updates tab enablement and removes TagRules tab.
databox/client/src/components/Dialog/Collection/Acl.tsx Switches to specialized collection ACL form wrapper.
databox/client/src/components/Dialog/Basket/BasketDialog.tsx Updates tab enablement to new capabilities.
databox/client/src/components/Dialog/Basket/Acl.tsx Switches basket ACL form import to new location.
databox/client/src/components/Dialog/AttributeList/AttributeListDialog.tsx Updates tab enablement to new capabilities.
databox/client/src/components/Dialog/AttributeList/Acl.tsx Switches attribute-list ACL form import to new location.
databox/client/src/components/Dialog/Asset/OperationsAsset.tsx Adjusts Typography DOM element to avoid invalid nesting.
databox/client/src/components/Dialog/Asset/EditAsset.tsx Separates edit vs editAttributes gating in UI.
databox/client/src/components/Dialog/Asset/AssetDialog.tsx Updates tab enablement rules for new capabilities.
databox/client/src/components/Dialog/Asset/AssetAclForm.tsx Adds hierarchical/parent ACL display for assets.
databox/client/src/components/Dialog/Asset/Acl.tsx Uses new AssetAclForm wrapper.
databox/client/src/components/Basket/BasketViewDialog.tsx Updates edit gating to new capability field.
databox/client/src/components/Basket/BasketListDialog.tsx Updates edit gating to new capability field.
databox/client/src/components/Basket/BasketContextMenu.tsx Updates edit/delete gating to new capability fields.
databox/client/src/components/AttributeList/AttributeListMenuItem.tsx Updates edit/delete gating to new capability fields.
databox/client/src/components/AttributeEditor/batchActions.test.ts Updates test data to new capability names.
databox/client/src/components/AssetList/Toolbar/WithSelectionActions.tsx Updates capability checks (edit/delete/share/editAttributes).
databox/client/src/components/Acl/AclPermissionLabel.tsx Removes legacy permission-label helper.
databox/client/src/components/Acl/acl.ts Removes legacy ACL constants/masks module.
databox/client/src/api/renditionRule.ts Removes legacy rendition-rule API client.
databox/client/src/api/collection.ts Uses IRI helper for collection/workspace IRIs.
databox/client/src/api/acl.ts Adds metadata field to ACE update request.
databox/api/tests/Search/AssetSearchPermissionsTest.php Adjusts tag-filter rule tests to workspace-based rules.
databox/api/tests/Rendition/Phraseanet/PhraseanetRenditionEnqueueMethodTest.php Sets integration public in tests.
databox/api/tests/Rendition/Phraseanet/PhraseanetRenditionApiV3SubDefMethodTest.php Sets integration public in tests.
databox/api/tests/Permission/permission-testing-structure.md Adds documentation for permission test structure.
databox/api/tests/Permission/Model/PermissionsTestCase.php Introduces reusable permission test-case model.
databox/api/tests/Permission/Model/AssetPermissions.php Adds asset permission expectation model.
databox/api/tests/Integration/Phrasea/Uploader/UploaderIntegrationTest.php Sets integration public in tests.
databox/api/tests/Integration/Aws/Transcribe/AwsTranscribeEventTest.php Sets integration public in tests.
databox/api/tests/fixtures/test.yaml Adds other-user fixture; updates rendition policy fields.
databox/api/tests/Api/CrudTest.php Adds editable to rendition policy CRUD test payload.
databox/api/tests/Api/CollectionAssetTest.php Updates auth user used in delete permission test.
databox/api/src/Validator/TagFilterRuleConstraintValidator.php Removes custom validator for tag-filter workspace matching.
databox/api/src/Validator/TagFilterRuleConstraint.php Removes custom constraint for tag-filter rules.
databox/api/src/Service/Workspace/WorkspaceTemplater.php Exports/imports rendition policy editable field.
databox/api/src/Service/Workspace/WorkspaceDuplicateManager.php Updates tag-filter rule duplication to workspace relation.
databox/api/src/Service/Asset/AssetCopier.php Refactors rendition copy authorization logic.
databox/api/src/Security/Voter/WorkspaceIntegrationVoter.php Adds integration ACL permissions (view/use/interact/edit perms).
databox/api/src/Security/Voter/ThreadVoter.php Updates security checks to use current token storage.
databox/api/src/Security/Voter/ThreadMessageVoter.php Updates security checks to use current token storage.
databox/api/src/Security/Voter/TemplateAttributeVoter.php Updates security checks to use current token storage.
databox/api/src/Security/Voter/TagVoter.php Updates security checks to use current token storage.
databox/api/src/Security/Voter/TagFilterRuleVoter.php Simplifies rule edit gating to workspace edit permission.
databox/api/src/Security/Voter/ShareVoter.php Updates security checks to use current token storage.
databox/api/src/Security/Voter/SetPermissionVoter.php Decorates/replaces set-permission voter to use EDIT_PERMISSIONS.
databox/api/src/Security/Voter/RenditionRuleVoter.php Removes legacy rendition-rule voter.
databox/api/src/Security/Voter/RenditionPolicyVoter.php Restricts policy READ; adds EDIT_PERMISSIONS handling.
databox/api/src/Security/Voter/RenditionDefinitionVoter.php Uses current token storage + scope checks.
databox/api/src/Security/Voter/PageVoter.php Adjusts ownership-grant behavior for page creation.
databox/api/src/Security/Voter/MemoryCacheSecurity.php Removes custom security caching wrapper.
databox/api/src/Security/Voter/FileVoter.php Uses current token storage for nested asset checks.
databox/api/src/Security/Voter/EntityListVoter.php Uses current token storage for workspace checks.
databox/api/src/Security/Voter/DataboxExtraPermissionInterface.php Introduces constants for extra-permission metadata IDs.
databox/api/src/Security/Voter/CollectionAssetVoter.php Adjusts create/delete authorization logic for collection-assets.
databox/api/src/Security/Voter/AttributeVoter.php Uses current token storage and rendition-policy editability.
databox/api/src/Security/Voter/AttributePolicyVoter.php Adds EDIT_PERMISSIONS and uses current token storage.
databox/api/src/Security/Voter/AttributeEntityVoter.php Uses current token storage for list checks.
databox/api/src/Security/Voter/AttributeDefinitionVoter.php Uses current token storage for workspace checks.
databox/api/src/Security/Voter/AssetRenditionVoter.php Replaces rendition-rule manager with ACL + caching.
databox/api/src/Security/Voter/AssetFileVersionVoter.php Uses current token storage for asset checks.
databox/api/src/Security/Voter/AssetDataTemplateVoter.php Adds EDIT_PERMISSIONS semantics for templates.
databox/api/src/Security/Voter/AssetContainerVoterInterface.php Introduces container permission constants (create/edit/share/etc).
databox/api/src/Security/Voter/AssetAttachmentVoter.php Uses current token storage for asset checks.
databox/api/src/Security/TagFilterManager.php Refactors rules to be workspace-only and repository-driven.
databox/api/src/Security/RenditionPermissionManager.php Removes legacy rendition permission manager.
databox/api/src/Repository/Core/TagFilterRuleRepository.php Converts to ServiceEntityRepository; workspace-based queries.
databox/api/src/Repository/Core/RenditionRuleRepository.php Removes legacy rendition-rule repository.
databox/api/src/Repository/Core/AssetRenditionRepository.php Converts to ServiceEntityRepository.
databox/api/src/Listener/AclListener.php Expands indexing behavior for workspace ACL changes.
databox/api/src/Integration/IntegrationManager.php Enforces interact permission for integration actions.
databox/api/src/Form/UserTypeType.php Removes legacy form type (rendition rules).
databox/api/src/Form/ObjectTypeType.php Removes legacy form type (rendition rules).
databox/api/src/Entity/Integration/WorkspaceIntegration.php Adds public + ACL object integration + ACL owner id.
databox/api/src/Entity/Core/TagFilterRule.php Switches to workspace relation; removes collection-level fields.
databox/api/src/Entity/Core/RenditionRule.php Removes legacy rendition-rule entity.
databox/api/src/Entity/Core/RenditionPolicy.php Adds editable + ACL object integration.
databox/api/src/Elasticsearch/AssetSearch.php Removes collection-level tag-filter query logic.
databox/api/src/Elasticsearch/AssetPermissionComputer.php Adds workspace ACE propagation for asset indexing.
databox/api/src/Doctrine/Listener/WorkspaceListener.php Removes legacy preRemove workspace handler.
databox/api/src/Doctrine/Listener/AssetListener.php Allows null old/new collection IDs in logs.
databox/api/src/Doctrine/Delete/WorkspaceDelete.php Adds TagFilterRule dependency cleanup on workspace delete.
databox/api/src/Controller/Admin/WorkspaceIntegrationCrudController.php Exposes public field in admin UI.
databox/api/src/Controller/Admin/TagFilterRuleCrudController.php Switches filtering/fields to workspace association.
databox/api/src/Controller/Admin/RenditionRuleCrudController.php Removes legacy admin CRUD for rendition rules.
databox/api/src/Controller/Admin/RenditionPolicyCrudController.php Switches to ACL admin controller and adds editable.
databox/api/src/Controller/Admin/DashboardController.php Removes rendition-rule menu entry.
databox/api/src/Consumer/Handler/Workspace/OnWorkspaceDeleteHandler.php Removes legacy async cleanup handler.
databox/api/src/Consumer/Handler/Workspace/OnWorkspaceDelete.php Removes legacy async cleanup message.
databox/api/src/Consumer/Handler/Search/IndexAllCollectionsHandler.php Adds optional workspace scoping to collection indexing.
databox/api/src/Consumer/Handler/Search/IndexAllCollections.php Adds optional workspaceId parameter.
databox/api/src/Consumer/Handler/Search/IndexAllAssetsHandler.php Adds optional workspace scoping to asset indexing.
databox/api/src/Consumer/Handler/Search/IndexAllAssets.php Adds optional workspaceId parameter.
databox/api/src/Consumer/Handler/AbstractBatchHandler.php Makes batch handlers message-aware for filtering.
databox/api/src/Border/BorderManager.php Adds explicit error handling when opening file streams fails.
databox/api/src/Api/Provider/WorkspaceIntegrationCollectionProvider.php Filters integrations by ACL/public/owner for non-admin users.
databox/api/src/Api/Provider/TagFilterRuleCollectionProvider.php Switches to workspace-only filtering.
databox/api/src/Api/Provider/StoryThumbnailsProvider.php Uses rendition voter instead of legacy rendition-rule manager.
databox/api/src/Api/Provider/ShareRenditionProvider.php Removes unused deps as part of rendition permission refactor.
databox/api/src/Api/Provider/ShareReadProvider.php Uses rendition voter instead of legacy rendition-rule manager.
databox/api/src/Api/Processor/ExportProcessor.php Uses rendition voter instead of legacy rendition-rule manager.
databox/api/src/Api/OutputTransformer/WorkspaceOutputTransformer.php Updates workspace capability payload (create/edit/delete/etc).
databox/api/src/Api/OutputTransformer/WorkspaceIntegrationOutputTransformer.php Adds integration public + capabilities (use/interact).
databox/api/src/Api/OutputTransformer/ThreadMessageOutputTransformer.php Updates message capability payload field names.
databox/api/src/Api/OutputTransformer/TagFilterRuleOutputProcessor.php Outputs workspaceId from new relation.
databox/api/src/Api/OutputTransformer/SavedSearchOutputTransformer.php Updates saved-search capability payload field names.
databox/api/src/Api/OutputTransformer/RenditionRuleOutputProcessor.php Removes legacy transformer.
databox/api/src/Api/OutputTransformer/CollectionOutputTransformer.php Adds parentId + updates capability payload fields.
databox/api/src/Api/OutputTransformer/BasketOutputTransformer.php Updates basket capability payload field names.
databox/api/src/Api/OutputTransformer/AttributeListOutputTransformer.php Updates attribute-list capability payload field names.
databox/api/src/Api/OutputTransformer/AssetOutputTransformer.php Uses rendition voter; updates capability payload fields; guards reference collection visibility.
databox/api/src/Api/OutputTransformer/AssetDataTemplateProvider.php Updates template capability payload field names.
databox/api/src/Api/Model/Output/WorkspaceIntegrationOutput.php Adds public + capabilities DTO trait.
databox/api/src/Api/Model/Output/ThreadMessageOutput.php Updates message capability schema property names.
databox/api/src/Api/Model/Output/TagFilterRuleOutput.php Removes collectionId from output model.
databox/api/src/Api/Model/Output/SavedSearchOutput.php Updates saved-search capability schema property names.
databox/api/src/Api/Model/Output/RenditionRuleOutput.php Removes legacy output model.
databox/api/src/Api/Model/Output/CollectionOutput.php Replaces parent object with parentId; updates capabilities schema.
databox/api/src/Api/Model/Output/BasketOutput.php Updates basket capability schema property names.
databox/api/src/Api/Model/Output/AttributeListOutput.php Updates attribute-list capability schema property names.
databox/api/src/Api/Model/Output/AssetOutput.php Removes date traits/fields; updates capabilities schema property names.
databox/api/src/Api/Model/Input/WorkspaceIntegrationInput.php Adds public to integration input.
databox/api/src/Api/Model/Input/TagFilterRuleInput.php Removes collectionId from input.
databox/api/src/Api/Model/Input/RenditionRuleInput.php Removes legacy input model.
databox/api/src/Api/InputTransformer/WorkspaceIntegrationInputTransformer.php Sets public from input.
databox/api/src/Api/InputTransformer/TagFilterRuleInputTransformer.php Enforces workspace edit permission and sets workspace relation.
databox/api/src/Api/InputTransformer/RenditionRuleInputTransformer.php Removes legacy transformer.
databox/api/src/Api/InputTransformer/AssetRenditionInputTransformer.php Adds explicit EDIT permission enforcement on rendition updates.
databox/api/src/Admin/Field/RenditionRuleObjectTypeChoiceField.php Removes legacy admin field helper.
databox/api/migrations/Version20260316152513.php Adds editable to rendition policies and backfills public policies.
databox/api/migrations/Version20260316144506.php Removes rendition rules & collection tag rules; migrates to ACL/workspace.
databox/api/migrations/Version20260316113320.php Alters ACL entry created_at type + drops workspace_integration public default.
databox/api/migrations/Version20260311153515.php Adds public column to workspace integrations.
databox/api/migrations/Version20260311123636.php Adds metadata JSON column to ACL entries (databox DB).
databox/api/fixtures/Newspaper.yaml Updates fixtures for editable/public integration fields.
databox/api/fixtures/Marketplace.yaml Updates fixtures for editable rendition policies.
databox/api/config/packages/alchemy_webhook.yaml Removes rendition-rule webhook config.
databox/api/config/packages/alchemy_track.yaml Removes rendition-rule tracking map entry.
databox/api/config/packages/alchemy_acl.yaml Registers new ACL objects and enables child permissions.
databox/api/composer.json Switches ACL bundle to dev-metadata.
.env Adds REACT_EDITOR default.
Comments suppressed due to low confidence (1)

databox/api/src/Entity/Core/RenditionPolicy.php:88

  • $editable is declared as ?bool but isEditable(): bool returns it directly. If it’s ever null (e.g., new entity not fully initialized), PHP will throw a TypeError. Make $editable a non-nullable bool with a default value (and adjust ORM mapping accordingly), or coalesce to a boolean in isEditable().

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread databox/client/src/components/Permissions/PermissionRowSkeleton.tsx
Comment thread databox/client/src/components/Permissions/PermissionList.tsx
Comment thread databox/api/src/Entity/Integration/WorkspaceIntegration.php
Comment thread databox/api/src/Entity/Integration/WorkspaceIntegration.php
Comment thread databox/api/src/Api/InputTransformer/WorkspaceIntegrationInputTransformer.php Outdated
Comment thread databox/api/src/Service/Asset/AssetCopier.php
Comment thread databox/api/src/Elasticsearch/AssetPermissionComputer.php Outdated
Comment thread lib/js/phrasea-framework/src/Ui/BetaChip.tsx
4rthem and others added 17 commits April 2, 2026 13:46
@4rthem
enhance asset copy process with permission checks and metadata integr…
35558a2 
…ation, add workspace cache for asset index
@4rthem
fix front permissions
ec368b9
@4rthem
fix front permissions
2ad4967
@4rthem
Merge branch 'master' into PS-1048-permissions-metadata
9bd039f
@4rthem
fixes
e716c03
@4rthem
fixes
205276b
@4rthem
fix: enhance collection privacy handling and UI feedback
dff3761
@4rthem
Merge branch 'master' into PS-1048-permissions-metadata
fb66c71
@4rthem
Merge branch 'master' into PS-1048-permissions-metadata
147afca
@4rthem
fix permissions
789c4bc
@4rthem
fix DropdownActions
7aaf9a9
@4rthem
Merge branch 'master' into PS-1048-permissions-metadata
0735988
@4rthem
Merge branch 'master' into PS-1048-permissions-metadata
f662aa4 
# Conflicts:
#	databox/client/src/types.ts
@4rthem
Merge branch 'master' into PS-1048-permissions-metadata
894f59b
@4rthem
fix copy
f9979af
@4rthem
refactor: update rendition actions based on asset capabilities
8900e6b
@4rthem
refactor: update permissions handling and improve asset management la…
132205b 
…bels
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@4rthem