
fix(incidents): use correct RBAC scopes for delete and read endpoints (fixes #5363)#6225

Open
asheesh-devops wants to merge 1 commit intokeephq:mainfrom
asheesh-devops:fix/5363-wrong-scope-incidents

Conversation


@asheesh-devops asheesh-devops commented Apr 8, 2026

Summary

Fixes incorrect RBAC scope assignments in incidents.py where delete endpoints used write:incident instead of delete:incident, and some read endpoints used read:incidents (plural) instead of read:incident (singular).

Root Cause

The delete and bulk-delete incident API endpoints were guarded with write:incident scope instead of delete:incident. This makes it impossible to create a role that can modify incidents but not delete them. Additionally, 3 read endpoints used read:incidents (plural) which is inconsistent with every other scope in the codebase.

The Fix

Update scope strings to follow CRUD conventions:

# Before (wrong):
IdentityManagerFactory.get_auth_verifier(["write:incident"])  # on delete endpoints
IdentityManagerFactory.get_auth_verifier(["read:incidents"])   # plural typo

# After (correct):
IdentityManagerFactory.get_auth_verifier(["delete:incident"])  # proper delete scope
IdentityManagerFactory.get_auth_verifier(["read:incident"])    # singular, consistent

The Admin role already defines delete:* wildcard scope in rbac.py, so delete:incident is properly matched.

Changes

  • keep/api/routes/incidents.py — 6 scope string corrections (3 delete, 3 read)

Testing

  • Verified Admin role has delete:* wildcard in rbac.py which matches delete:incident
  • Confirmed all other scopes in the codebase use singular form (read:incident, write:incident, read:alert, write:alert)
  • No existing tests reference these scope strings

Fixes #5363
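The least-privilege point the PR makes (a role that may modify incidents but must not delete them is impossible when delete endpoints demand write:incident, and a plural typo silently locks non-wildcard roles out of read endpoints) can be shown with a small scope checker. This is an added illustration, not Keep's rbac.py or its IdentityManagerFactory; the "verb:resource" format and the rule that "*" in either position matches anything are assumptions, and the incident-editor role and endpoint names are constructed for the example.

```python
from dataclasses import dataclass

# Added illustration, not Keep's rbac.py. Scopes are assumed to be
# "verb:resource" strings; a "*" in either position is assumed to match
# anything (the PR notes Admin holds "delete:*", which must cover
# "delete:incident").


@dataclass(frozen=True)
class Role:
    name: str
    scopes: frozenset


def scope_matches(granted: str, required: str) -> bool:
    """True if a granted scope (possibly wildcarded) covers the required scope."""
    g_verb, _, g_res = granted.partition(":")
    r_verb, _, r_res = required.partition(":")
    if not g_res or not r_res:
        return False  # malformed scope string: fail closed
    return g_verb in ("*", r_verb) and g_res in ("*", r_res)


def is_authorized(role: Role, required_scopes) -> bool:
    """Every required scope must be covered by at least one granted scope."""
    return all(any(scope_matches(g, r) for g in role.scopes) for r in required_scopes)


ADMIN = Role("admin", frozenset({"read:*", "write:*", "delete:*"}))
# Hypothetical operator role: may read and modify incidents, must not delete them.
INCIDENT_EDITOR = Role("incident-editor", frozenset({"read:incident", "write:incident"}))

# Scope required per endpoint, mirroring the before/after the PR describes.
# Endpoint paths are constructed labels, not Keep's route table.
ENDPOINT_SCOPES_BEFORE = {
    "GET /incidents": ["read:incidents"],          # plural typo
    "DELETE /incidents/{id}": ["write:incident"],  # wrong verb on a delete
}
ENDPOINT_SCOPES_AFTER = {
    "GET /incidents": ["read:incident"],
    "DELETE /incidents/{id}": ["delete:incident"],
}


def access_matrix(role: Role, endpoint_scopes: dict) -> dict:
    """Map each endpoint to whether the role would pass its scope check."""
    return {ep: is_authorized(role, req) for ep, req in endpoint_scopes.items()}


if __name__ == "__main__":
    for label, table in (("before", ENDPOINT_SCOPES_BEFORE), ("after", ENDPOINT_SCOPES_AFTER)):
        for role in (ADMIN, INCIDENT_EDITOR):
            print(label, role.name, access_matrix(role, table))
```

Running it shows why the bug was easy to miss: Admin passes every check in both tables because its wildcards absorb the plural typo and the wrong verb alike, while the editor role could delete incidents under the old scopes yet could not even list them. Only a non-wildcard role exposes the defect, which is a good argument for including such a role in RBAC tests.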

@dosubot dosubot bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Apr 8, 2026

CLAassistant commented Apr 8, 2026

CLA assistant check
All committers have signed the CLA.

- Change delete/bulk-delete/delete-alerts endpoints from write:incident
  to delete:incident to follow CRUD scope conventions
- Fix read:incidents (plural) typo to read:incident (singular) for
  consistency with all other scope definitions

Closes keephq#5363
@asheesh-devops asheesh-devops force-pushed the fix/5363-wrong-scope-incidents branch from 98818d6 to d0996b2 Compare April 8, 2026 17:06
@asheesh-devops asheesh-devops changed the title fix: correct RBAC scopes for incident delete and read endpoints fix(incidents): use correct RBAC scopes for delete and read endpoints (fixes #5363) Apr 9, 2026

Development

Successfully merging this pull request may close these issues.

[🐛 Bug]: Wrong scope in incidents.py
