mirror of
https://github.com/rommapp/romm.git
synced 2026-06-28 06:46:00 +00:00
Resolves the CI blocker and a cluster of opt-out visibility "fail-open" gaps surfaced in review of the granular permission system.

Security / correctness:
- admin oauth_scopes projection keeps canonical FULL_SCOPES order (order_scopes) instead of sorting alphabetically, fixing the red test_user.py::test_admin on MariaDB + Postgres.
- default-group hides no longer fail open: the resolver resolves the effective (own-or-default) group before the hidden-entity lookup.
- /roms/by-hash and /roms/by-metadata-provider now 404-mask hidden roms.
- USERS-entity grant no longer enables admin creation: add_user and invite-link require a real admin to mint admin accounts.

Visibility leaks closed on secondary read paths:
- feeds, sibling roms (list query + single-rom schemas), /stats counts and per-platform breakdowns, collection rom_ids/rom_count, search_rom.

Hardening / cleanups:
- firmware/platform PUT 404-mask hidden entities; group rename conflict returns 400 not 500; guard against removing the last default group; kiosk read-only enforced at the fine layer; add_hidden_entity rejects non-cascading entity types.

Frontend:
- permissionGroups.ensureLoaded coalesces concurrent callers on one in-flight request; permissions.setGrants resets isAdmin/hidden; CreateUserDialog no longer orphans a user when group assignment fails; HiddenGamesPicker search rows are native buttons (keyboard/gamepad); invite-role labels and group swatch aria-label use i18n; drop dead code (originalRole, unused permissionsApi export).

AI assistance: changes authored with Claude Code (Claude Opus), driven by the Copilot review and a multi-agent adversarial review, then verified (backend pytest, frontend typecheck/vitest, i18n parity, trunk).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
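
The default-group fail-open and the 404-masking of a by-hash lookup named in the commit message above, as a simplified model added here for illustration; it is not RomM's code. `Group`, `User`, `hidden_fail_open`, `hidden_fail_closed` and `rom_by_hash` are hypothetical names, the sample data is constructed, and treating a missing default group as an error is an assumption of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Group:
    name: str
    is_default: bool = False
    hidden_rom_ids: Set[int] = field(default_factory=set)


@dataclass
class User:
    name: str
    group: Optional[Group] = None  # None: the default group applies


class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


def hidden_fail_open(user: User, groups: List[Group]) -> Set[int]:
    # 'Before' shape: only the user's own group is consulted, so a user
    # covered by the default group ends up with no hides at all.
    return set(user.group.hidden_rom_ids) if user.group is not None else set()


def hidden_fail_closed(user: User, groups: List[Group]) -> Set[int]:
    # 'After' shape: resolve the effective (own-or-default) group first.
    group = user.group
    if group is None:
        group = next((g for g in groups if g.is_default), None)
    if group is None:
        # Assumption of this example: no effective group is an error,
        # never "nothing is hidden".
        raise LookupError("no effective permission group")
    return set(group.hidden_rom_ids)


def rom_by_hash(user: User, groups: List[Group], index: Dict[str, int],
                digest: str, resolver) -> int:
    rom_id = index.get(digest)
    # 404-mask: a hidden rom is indistinguishable from a missing one.
    if rom_id is None or rom_id in resolver(user, groups):
        raise NotFound("rom not found")
    return rom_id


# Constructed sample data: the default group hides rom 2.
GROUPS = [Group("default", is_default=True, hidden_rom_ids={2}), Group("family")]
INDEX = {"aaaa": 1, "bbbb": 2}
GUEST = User("guest")  # no own group
```

A regression test for this class of bug asserts that the hidden and the missing lookup raise the same error with the same message, so the response cannot be used to tell the two apart.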