From 4ce4b80a5bb679fa1c9599ac7b876475a9c0d0b8 Mon Sep 17 00:00:00 2001
From: Rohil Surana
Date: Mon, 15 Jun 2026 13:02:30 +0530
Subject: [PATCH] refactor(schema): remove dead membership permission, drop + member from get
---
 internal/bootstrap/schema/base_schema.zed | 7 ++-----
 internal/bootstrap/schema/schema.go | 3 ---
 internal/bootstrap/testdata/compiled_schema.zed | 15 ++++++---------
 3 files changed, 8 insertions(+), 17 deletions(-)
diff --git a/internal/bootstrap/schema/base_schema.zed b/internal/bootstrap/schema/base_schema.zed
index 430306a7f..985c48b30 100644
--- a/internal/bootstrap/schema/base_schema.zed
+++ b/internal/bootstrap/schema/base_schema.zed
@@ -38,11 +38,9 @@ definition app/organization {
 // permissions
 // org
- permission membership = member + owner
-
 permission delete = platform->superuser + granted->app_organization_administer + granted->app_organization_delete + owner
 permission update = platform->superuser + granted->app_organization_administer + granted->app_organization_update + owner
- permission get = platform->superuser + granted->app_organization_administer + granted->app_organization_get + granted->app_organization_update + owner + member
+ permission get = platform->superuser + granted->app_organization_administer + granted->app_organization_get + granted->app_organization_update + owner
 permission rolemanage = platform->superuser + granted->app_organization_administer + granted->app_organization_rolemanage + owner
 permission policymanage = platform->superuser + granted->app_organization_administer + granted->app_organization_policymanage + owner
 permission projectlist = platform->superuser + granted->app_organization_administer + granted->app_organization_projectlist + owner
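Review bot: Dropping `+ member` from `permission get` narrows organization read access rather than only removing the dead `membership` synthetic permission: a subject reachable only through the `member` relation (which in the compiled schema includes `app/group#member`) no longer satisfies `get` unless it also holds a role binding through `granted` or is an `owner`. The same change lands on `app/group` in the next hunk, where `member` was likewise part of `get`. The commit title presents both edits as a refactor; the message should state whether every member is expected to carry a role binding that grants `app_organization_get`/`app_group_get`, and a schema test for a member with no role binding would pin the intended answer. If the narrowing is intended, a comment on the new `get` line, e.g. `// membership alone does not grant get; members need a role binding via granted`, records the contract. `definition app/organization {` opens before the hunk.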
@@ -76,10 +74,9 @@ definition app/group {
 relation owner: app/user | app/serviceuser
 // permissions
- permission membership = member + owner
 permission delete = org->group_delete + granted->app_group_administer + granted->app_group_delete + owner
 permission update = org->group_update + granted->app_group_administer + granted->app_group_update + owner
- permission get = org->group_get + granted->app_group_administer + granted->app_group_get + member + owner
+ permission get = org->group_get + granted->app_group_administer + granted->app_group_get + owner
 }
 definition app/project {
diff --git a/internal/bootstrap/schema/schema.go b/internal/bootstrap/schema/schema.go
index 5279907d4..ecb87ebb9 100644
--- a/internal/bootstrap/schema/schema.go
+++ b/internal/bootstrap/schema/schema.go
@@ -64,9 +64,6 @@ const (
 PlatformSudoPermission = "superuser"
 PlatformCheckPermission = "check"
- // synthetic permission
- MembershipPermission = "membership"
-
 // principals
 UserPrincipal = "app/user"
 ServiceUserPrincipal = "app/serviceuser"
diff --git a/internal/bootstrap/testdata/compiled_schema.zed b/internal/bootstrap/testdata/compiled_schema.zed
index 3bf584b18..ac991d7ce 100644
--- a/internal/bootstrap/testdata/compiled_schema.zed
+++ b/internal/bootstrap/testdata/compiled_schema.zed
@@ -1,14 +1,12 @@
 definition app/group {
+ // permissions
 permission delete = org->group_delete + granted->app_group_administer + granted->app_group_delete + owner
- permission get = org->group_get + granted->app_group_administer + granted->app_group_get + member + owner
+ permission get = org->group_get + granted->app_group_administer + granted->app_group_get + owner
 relation granted: app/rolebinding
 relation member: app/user
- // permissions
- permission membership = member + owner
-
 // relations
 relation org: app/organization
 relation owner: app/user | app/serviceuser
@@ -32,8 +30,11 @@ definition app/organization {
 permission compute_order_update = owner + platform->superuser + granted->app_organization_administer + granted->compute_order_update + pat_granted->app_project_administer + pat_granted->compute_order_update
 permission compute_receipt_get = owner + platform->superuser + granted->app_organization_administer + granted->compute_receipt_get + pat_granted->app_project_administer + pat_granted->compute_receipt_get
 permission compute_receipt_update = owner + platform->superuser + granted->app_organization_administer + granted->compute_receipt_update + pat_granted->app_project_administer + pat_granted->compute_receipt_update
+
+ // permissions
+ // org
 permission delete = platform->superuser + granted->app_organization_administer + granted->app_organization_delete + owner
- permission get = platform->superuser + granted->app_organization_administer + granted->app_organization_get + granted->app_organization_update + owner + member
+ permission get = platform->superuser + granted->app_organization_administer + granted->app_organization_get + granted->app_organization_update + owner
 relation granted: app/rolebinding
 // synthetic permissions - group
@@ -45,10 +46,6 @@ definition app/organization {
 permission invitationcreate = platform->superuser + granted->app_organization_administer + granted->app_organization_invitationcreate + owner
 permission invitationlist = platform->superuser + granted->app_organization_administer + granted->app_organization_invitationlist + owner
 relation member: app/user | app/group#member | app/serviceuser
-
- // permissions
- // org
- permission membership = member + owner
 relation owner: app/user | app/serviceuser
 relation pat_granted: app/rolebinding