Skip to content

Recursively resolve holder feature action scopes to internal_ scopes#8206

Closed
mpmadhavig wants to merge 2 commits into
wso2:masterfrom
mpmadhavig:dependent-permission-res
Closed

Recursively resolve holder feature action scopes to internal_ scopes#8206
mpmadhavig wants to merge 2 commits into
wso2:masterfrom
mpmadhavig:dependent-permission-res

Conversation

@mpmadhavig

Copy link
Copy Markdown
Contributor

Purpose

Stacked on top of #8178. Until that merges, this PR's diff includes the granular-scope-feature commit as a base; after it merges, only the nested-scope resolution commit remains.

When a console feature action scope (e.g. `console:applications_edit`, `console:applications_create`) appears inside another collection's `` / `` / `` / `` block, treat it as a holder and substitute it with the leaf scopes from the matching action block of the owning collection. The holder name itself is dropped from the bucket so the `/api-resource-collections/{id}` response surfaces the underlying internal scopes (and their owning API resource) instead of an opaque console scope that no API resource owns.

Changes

  • `APIResourceCollectionMgtConfigBuilder` — pre-build a `holder → leaf scopes` map from each collection's `` block + matching action block. `_view` → owner Read, `_create`/`_update`/`_delete` → matching owner block, `_edit` → owner Create + Update + Delete (legacy coarse write). Resolution is recursive with cycle protection + memoisation, so an owner's action block can itself reference another holder.
  • `api-resource-collection.xml.j2` — declare `_create`/`_update`/`_delete` siblings next to every `edit` holder inside non-`` blocks (8 sites across `applicationAuthenticationScript`, `applicationClientSecretManagement`, `applicationInternalAPIAuthorization`, `userSharingV2`, and the four `org*` counterparts).
  • Tests — 7 new cases in `APIResourceCollectionMgtConfigBuilderTest` covering update/view/edit holder resolution, write-bucket propagation, transitive recursion, literal scopes preserved alongside holders, owner collection unaffected.

Related PRs

Depends on #8178.

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Changes

The change adds configurable granular console permissions with separate create, update, and delete scope buckets. Collection models and parsers support action-specific scopes and holder resolution, runtime APIs populate granular resources, and tenant, organization, system, template, and compatibility configurations expose the new scopes.

Granular Console Permissions

Layer / File(s) Summary
Contracts and configuration flag
components/api-resource-mgt/.../APIResourceCollection.java, .../APIResourceCollectionManagementConstants.java, .../APIResourceCollectionManagementUtil.java, features/identity-core/...
Adds CRUD scope fields, builders, constants, configuration lookup, default enablement, and compatibility overrides.
CRUD scope parsing and holder resolution
components/api-resource-mgt/.../APIResourceCollectionMgtConfigBuilder.java, .../APIResourceCollectionMgtConfigBuilderTest.java, .../api-resource-collection.xml
Parses action-specific scopes, resolves nested holder scopes to leaf scopes, retains legacy behavior, and tests the resulting buckets.
Runtime granular resource bucketing
components/api-resource-mgt/.../APIResourceCollectionManagerImpl.java, .../APIResourceCollectionManagerTest.java, .../APIResourceCollectionManagementUtilTest.java
Conditionally populates READ/WRITE and CREATE/UPDATE/DELETE API resource buckets and validates enabled, disabled, empty, and isolated bucket behavior.
Console CRUD scope catalogs
features/api-resource-mgt/.../api-resource-collection.xml*, .../system-api-resource.xml*
Adds create, update, and delete console scopes across tenant, organization, system, and VC template resource definitions.
🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Description check ⚠️ Warning The PR description covers purpose and changes, but most template sections are missing or empty, including goals, approach, tests, docs, and security. Add the missing template sections with concise content for goals, approach, user stories, release note, documentation, automation tests, security checks, and other required items.
Docstring Coverage ⚠️ Warning Docstring coverage is 7.89% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: recursively resolving holder feature action scopes to internal scopes.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@sonarqubecloud

Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 7

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml (1)

804-807: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Mirror the holder-scope additions in the static XML

These 8 blocks still only reference *_edit, while api-resource-collection.xml.j2 also adds the matching *_create/*_update/*_delete holders. Keep applicationAuthenticationScript, applicationClientSecretManagement, applicationInternalAPIAuthorization, userSharingV2, and their org_* counterparts aligned with the template so permission resolution stays consistent.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml`
around lines 804 - 807, Update the static XML blocks for
applicationAuthenticationScript, applicationClientSecretManagement,
applicationInternalAPIAuthorization, userSharingV2, and their org_* counterparts
to mirror the template’s matching *_create, *_update, and *_delete holder scopes
alongside the existing *_edit scopes. Keep the static api-resource collection
aligned with api-resource-collection.xml.j2.
🧹 Nitpick comments (1)
components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionMgtConfigBuilderTest.java (1)

298-313: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add direct coverage for cyclic holder references.

The implementation explicitly short-circuits cycles, but this suite only tests acyclic nesting. Add two mutually referencing holders and verify termination, removal of holder names, and preservation of non-cyclic leaves.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionMgtConfigBuilderTest.java`
around lines 298 - 313, Extend testHolderResolutionRecursesThroughNestedHolders
or add a focused holder-resolution test that defines two holders referencing
each other and includes a non-cyclic leaf scope. Resolve a collection using that
cycle, assert resolution terminates, verify both holder names are absent from
the resulting scopes, and assert the unrelated leaf scope is preserved.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionManagementUtil.java`:
- Around line 73-76: Normalize the property value in
isGranularConsolePermissionsEnabled by trimming the non-null result from
IdentityUtil.getProperty before passing it to Boolean.parseBoolean. In
components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionManagementUtil.java
lines 73-76, apply this change while preserving null handling. In
components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagementUtilTest.java
lines 40-47, extend the data provider with whitespace-padded true and false
values.
- Around line 68-72: Complete the public method documentation for the granular
console permission check by removing the dangling “Controlled” wording and
naming the configuration property that controls the feature. Ensure the summary
and return description are grammatically complete and end with periods.

In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionMgtConfigBuilder.java`:
- Around line 174-176: Update the holder-scope resolution branches in
APIResourceCollectionMgtConfigBuilder, including the readScopeSet handling and
the corresponding branches around lines 181-185, 191-195, 201-205, and 375-381,
so missing owners and cyclic holder scopes are not silently converted to empty
sets. Emit a WARN containing only the safe scope identifier at each unresolved
or cycle decision point, or reject the invalid configuration, while preserving
normal resolution behavior.

In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagerTest.java`:
- Around line 248-261: Update the APIResourceCollection fixture builder in
APIResourceCollectionManagerTest so createScopes, updateScopes, and deleteScopes
contain only their respective action and feature scopes, removing the shared
read scopes from each list; keep readScopes populated separately with all read
scopes.

In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionMgtConfigBuilderTest.java`:
- Line 146: Update the comment at
components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionMgtConfigBuilderTest.java:146
to capitalize “Write” while preserving the existing wording and period. Rewrite
the comment at
components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagementUtilTest.java:39
as a capitalized sentence ending with a period, removing the brace notation.
- Line 2: Update the Java license header year in
APIResourceCollectionMgtConfigBuilderTest to 2026, preserving the existing
copyright holder and header format.

In
`@features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml.j2`:
- Around line 2068-2073: Update the descriptions for the tenant-level
console:userSharing_create and console:userSharing_delete Scope entries in the
user sharing management block to use distinct Create and Delete wording,
matching the corresponding org-level and system-api-resource entries; leave
console:userSharing_update unchanged.

---

Outside diff comments:
In
`@features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml`:
- Around line 804-807: Update the static XML blocks for
applicationAuthenticationScript, applicationClientSecretManagement,
applicationInternalAPIAuthorization, userSharingV2, and their org_* counterparts
to mirror the template’s matching *_create, *_update, and *_delete holder scopes
alongside the existing *_edit scopes. Keep the static api-resource collection
aligned with api-resource-collection.xml.j2.

---

Nitpick comments:
In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionMgtConfigBuilderTest.java`:
- Around line 298-313: Extend testHolderResolutionRecursesThroughNestedHolders
or add a focused holder-resolution test that defines two holders referencing
each other and includes a non-cyclic leaf scope. Resolve a collection using that
cycle, assert resolution terminates, verify both holder names are absent from
the resulting scopes, and assert the unrelated leaf scope is preserved.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: dd58ec52-12b4-43ba-b5fa-446589950b37

📥 Commits

Reviewing files that changed from the base of the PR and between 5adcefd and 2c38ad3.

📒 Files selected for processing (20)
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/pom.xml
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagerImpl.java
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/constant/APIResourceCollectionManagementConstants.java
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/model/APIResourceCollection.java
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionManagementUtil.java
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionMgtConfigBuilder.java
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagementUtilTest.java
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagerTest.java
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionMgtConfigBuilderTest.java
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionTest.java
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/resources/repository/conf/api-resource-collection.xml
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/resources/testng.xml
  • features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml
  • features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/api-resource-collection.xml.j2
  • features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml
  • features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml.j2
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.json
  • features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.infer.json

Comment on lines +68 to +72
/**
* Check whether the granular console permission model (create/update/delete feature scopes) is enabled. Controlled
*
* @return True if granular console permissions are enabled.
*/

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Complete the public method documentation.

The summary ends with the dangling word “Controlled” and does not identify the controlling property.

Proposed fix
-     * Check whether the granular console permission model (create/update/delete feature scopes) is enabled. Controlled
+     * Check whether the granular console permission model (create/update/delete feature scopes) is enabled.
+     * Controlled by {`@code` USE_GRANULAR_CONSOLE_PERMISSIONS_CONFIG}.

As per coding guidelines, “All public methods should have a docstring” and comments should end with a period.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
/**
* Check whether the granular console permission model (create/update/delete feature scopes) is enabled. Controlled
*
* @return True if granular console permissions are enabled.
*/
/**
* Check whether the granular console permission model (create/update/delete feature scopes) is enabled.
* Controlled by {`@code` USE_GRANULAR_CONSOLE_PERMISSIONS_CONFIG}.
*
* `@return` True if granular console permissions are enabled.
*/
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionManagementUtil.java`
around lines 68 - 72, Complete the public method documentation for the granular
console permission check by removing the dangling “Controlled” wording and
naming the configuration property that controls the feature. Ensure the summary
and return description are grammatically complete and end with periods.

Source: Coding guidelines

Comment on lines +73 to +76
public static boolean isGranularConsolePermissionsEnabled() {

return Boolean.parseBoolean(IdentityUtil.getProperty(
APIResourceCollectionManagementConstants.USE_GRANULAR_CONSOLE_PERMISSIONS_CONFIG));

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Normalize whitespace when reading the granular-permissions flag. Surrounding whitespace currently changes a valid true value into false, disabling the granular authorization model.

  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionManagementUtil.java#L73-L76: trim the non-null property before calling Boolean.parseBoolean.
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagementUtilTest.java#L40-L47: add whitespace-padded true and false values to the data provider.
📍 Affects 2 files
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionManagementUtil.java#L73-L76 (this comment)
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagementUtilTest.java#L40-L47
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionManagementUtil.java`
around lines 73 - 76, Normalize the property value in
isGranularConsolePermissionsEnabled by trimming the non-null result from
IdentityUtil.getProperty before passing it to Boolean.parseBoolean. In
components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionManagementUtil.java
lines 73-76, apply this change while preserving null handling. In
components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagementUtilTest.java
lines 40-47, extend the data provider with whitespace-padded true and false
values.

Comment on lines +174 to +176
if (isHolderScope(scopeName)) {
readScopeSet.addAll(holderResolutionMap.getOrDefault(
scopeName, Collections.emptySet()));

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Report unresolved and cyclic holder scopes instead of silently dropping them.

These branches convert missing owners and cycles into empty sets, silently removing permissions from collection buckets. Emit a WARN with the safe scope identifier, or reject the invalid configuration, so incomplete authorization mappings are diagnosable.

As per path instructions, logs are required around meaningful decision points and exceptional-but-handled scenarios.

Also applies to: 181-185, 191-195, 201-205, 375-381

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/main/java/org/wso2/carbon/identity/api/resource/collection/mgt/util/APIResourceCollectionMgtConfigBuilder.java`
around lines 174 - 176, Update the holder-scope resolution branches in
APIResourceCollectionMgtConfigBuilder, including the readScopeSet handling and
the corresponding branches around lines 181-185, 191-195, 201-205, and 375-381,
so missing owners and cyclic holder scopes are not silently converted to empty
sets. Emit a WARN containing only the safe scope identifier at each unresolved
or cycle decision point, or reject the invalid configuration, while preserving
normal resolution behavior.

Source: Path instructions

Comment on lines +248 to +261
APIResourceCollection collection = new APIResourceCollection.APIResourceCollectionBuilder()
.id(getEncodedName(name))
.name(name)
.displayName("Display Name " + name)
.type("tenant")
.readScopes(Arrays.asList(READ_NORMAL_SCOPE, VIEW_FEATURE_SCOPE, FEATURE_SCOPE))
.writeScopes(Arrays.asList(CREATE_NORMAL_SCOPE, UPDATE_NORMAL_SCOPE, DELETE_NORMAL_SCOPE,
EDIT_FEATURE_SCOPE, VIEW_FEATURE_SCOPE, FEATURE_SCOPE))
.createScopes(Arrays.asList(CREATE_NORMAL_SCOPE, CREATE_FEATURE_SCOPE,
READ_NORMAL_SCOPE, VIEW_FEATURE_SCOPE, FEATURE_SCOPE))
.updateScopes(Arrays.asList(UPDATE_NORMAL_SCOPE, UPDATE_FEATURE_SCOPE,
READ_NORMAL_SCOPE, VIEW_FEATURE_SCOPE, FEATURE_SCOPE))
.deleteScopes(Arrays.asList(DELETE_NORMAL_SCOPE, DELETE_FEATURE_SCOPE,
READ_NORMAL_SCOPE, VIEW_FEATURE_SCOPE, FEATURE_SCOPE))

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Do not pre-merge read scopes in the test fixture.

The create/update/delete lists already contain every read scope, so this test still passes if the manager stops merging read scopes into granular buckets. Populate each action list only with its own action and feature scopes.

Proposed fix
-                .writeScopes(Arrays.asList(CREATE_NORMAL_SCOPE, UPDATE_NORMAL_SCOPE, DELETE_NORMAL_SCOPE,
-                        EDIT_FEATURE_SCOPE, VIEW_FEATURE_SCOPE, FEATURE_SCOPE))
-                .createScopes(Arrays.asList(CREATE_NORMAL_SCOPE, CREATE_FEATURE_SCOPE,
-                        READ_NORMAL_SCOPE, VIEW_FEATURE_SCOPE, FEATURE_SCOPE))
-                .updateScopes(Arrays.asList(UPDATE_NORMAL_SCOPE, UPDATE_FEATURE_SCOPE,
-                        READ_NORMAL_SCOPE, VIEW_FEATURE_SCOPE, FEATURE_SCOPE))
-                .deleteScopes(Arrays.asList(DELETE_NORMAL_SCOPE, DELETE_FEATURE_SCOPE,
-                        READ_NORMAL_SCOPE, VIEW_FEATURE_SCOPE, FEATURE_SCOPE))
+                .writeScopes(Arrays.asList(CREATE_NORMAL_SCOPE, UPDATE_NORMAL_SCOPE,
+                        DELETE_NORMAL_SCOPE, EDIT_FEATURE_SCOPE))
+                .createScopes(Arrays.asList(CREATE_NORMAL_SCOPE, CREATE_FEATURE_SCOPE))
+                .updateScopes(Arrays.asList(UPDATE_NORMAL_SCOPE, UPDATE_FEATURE_SCOPE))
+                .deleteScopes(Arrays.asList(DELETE_NORMAL_SCOPE, DELETE_FEATURE_SCOPE))
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
APIResourceCollection collection = new APIResourceCollection.APIResourceCollectionBuilder()
.id(getEncodedName(name))
.name(name)
.displayName("Display Name " + name)
.type("tenant")
.readScopes(Arrays.asList(READ_NORMAL_SCOPE, VIEW_FEATURE_SCOPE, FEATURE_SCOPE))
.writeScopes(Arrays.asList(CREATE_NORMAL_SCOPE, UPDATE_NORMAL_SCOPE, DELETE_NORMAL_SCOPE,
EDIT_FEATURE_SCOPE, VIEW_FEATURE_SCOPE, FEATURE_SCOPE))
.createScopes(Arrays.asList(CREATE_NORMAL_SCOPE, CREATE_FEATURE_SCOPE,
READ_NORMAL_SCOPE, VIEW_FEATURE_SCOPE, FEATURE_SCOPE))
.updateScopes(Arrays.asList(UPDATE_NORMAL_SCOPE, UPDATE_FEATURE_SCOPE,
READ_NORMAL_SCOPE, VIEW_FEATURE_SCOPE, FEATURE_SCOPE))
.deleteScopes(Arrays.asList(DELETE_NORMAL_SCOPE, DELETE_FEATURE_SCOPE,
READ_NORMAL_SCOPE, VIEW_FEATURE_SCOPE, FEATURE_SCOPE))
APIResourceCollection collection = new APIResourceCollection.APIResourceCollectionBuilder()
.id(getEncodedName(name))
.name(name)
.displayName("Display Name " + name)
.type("tenant")
.readScopes(Arrays.asList(READ_NORMAL_SCOPE, VIEW_FEATURE_SCOPE, FEATURE_SCOPE))
.writeScopes(Arrays.asList(CREATE_NORMAL_SCOPE, UPDATE_NORMAL_SCOPE,
DELETE_NORMAL_SCOPE, EDIT_FEATURE_SCOPE))
.createScopes(Arrays.asList(CREATE_NORMAL_SCOPE, CREATE_FEATURE_SCOPE))
.updateScopes(Arrays.asList(UPDATE_NORMAL_SCOPE, UPDATE_FEATURE_SCOPE))
.deleteScopes(Arrays.asList(DELETE_NORMAL_SCOPE, DELETE_FEATURE_SCOPE))
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagerTest.java`
around lines 248 - 261, Update the APIResourceCollection fixture builder in
APIResourceCollectionManagerTest so createScopes, updateScopes, and deleteScopes
contain only their respective action and feature scopes, removing the shared
read scopes from each list; keep readScopes populated separately with all read
scopes.

@@ -1,34 +1,362 @@
/*
* Copyright (c) 2025, WSO2 LLC. (http://www.wso2.com).

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Update the license year to 2026.

Proposed fix
- * Copyright (c) 2025, WSO2 LLC. (http://www.wso2.com).
+ * Copyright (c) 2025-2026, WSO2 LLC. (http://www.wso2.com).

As per coding guidelines, Java license headers must use the current year or a range ending in the current year.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
* Copyright (c) 2025, WSO2 LLC. (http://www.wso2.com).
* Copyright (c) 2025-2026, WSO2 LLC. (http://www.wso2.com).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionMgtConfigBuilderTest.java`
at line 2, Update the Java license header year in
APIResourceCollectionMgtConfigBuilderTest to 2026, preserving the existing
copyright holder and header format.

Source: Coding guidelines


APIResourceCollection collection = getApiResourcesCollection();

// write feature + write normal scopes.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Bring changed Java comments into the repository convention.

  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionMgtConfigBuilderTest.java#L146-L146: capitalize “Write”.
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagementUtilTest.java#L39-L39: rewrite the brace notation as a capitalized sentence ending with a period.

As per coding guidelines, comments must begin with a capitalized first letter and end with a period.

📍 Affects 2 files
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionMgtConfigBuilderTest.java#L146-L146 (this comment)
  • components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagementUtilTest.java#L39-L39
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionMgtConfigBuilderTest.java`
at line 146, Update the comment at
components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionMgtConfigBuilderTest.java:146
to capitalize “Write” while preserving the existing wording and period. Rewrite
the comment at
components/api-resource-mgt/org.wso2.carbon.identity.api.resource.collection.mgt/src/test/java/org/wso2/carbon/identity/api/resource/collection/mgt/APIResourceCollectionManagementUtilTest.java:39
as a capitalized sentence ending with a period, removing the brace notation.

Source: Coding guidelines

Comment on lines +2068 to +2073
<Scope displayName="User Sharing Management Update Feature" name="console:userSharing_update"
description="Update user sharing status from the Console"/>
<Scope displayName="User Sharing Management Create Feature" name="console:userSharing_create"
description="Update user sharing status from the Console"/>
<Scope displayName="User Sharing Management Delete Feature" name="console:userSharing_delete"
description="Update user sharing status from the Console"/>

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Copy-pasted description for console:userSharing_create/_delete — both say "Update...".

The Update, Create, and Delete Feature scopes for console:userSharing all share the same description text ("Update user sharing status from the Console"). The org-level counterpart (console:org:userSharing, lines 2090-2095) and the equivalent entries in system-api-resource.xml correctly use distinct Create/Update/Delete wording — only this tenant-level block has the mismatch.

💚 Proposed fix
             <Scope displayName="User Sharing Management Update Feature" name="console:userSharing_update"
                    description="Update user sharing status from the Console"/>
             <Scope displayName="User Sharing Management Create Feature" name="console:userSharing_create"
-                   description="Update user sharing status from the Console"/>
+                   description="Create user sharing status from the Console"/>
             <Scope displayName="User Sharing Management Delete Feature" name="console:userSharing_delete"
-                   description="Update user sharing status from the Console"/>
+                   description="Delete user sharing status from the Console"/>
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
<Scope displayName="User Sharing Management Update Feature" name="console:userSharing_update"
description="Update user sharing status from the Console"/>
<Scope displayName="User Sharing Management Create Feature" name="console:userSharing_create"
description="Update user sharing status from the Console"/>
<Scope displayName="User Sharing Management Delete Feature" name="console:userSharing_delete"
description="Update user sharing status from the Console"/>
<Scope displayName="User Sharing Management Update Feature" name="console:userSharing_update"
description="Update user sharing status from the Console"/>
<Scope displayName="User Sharing Management Create Feature" name="console:userSharing_create"
description="Create user sharing status from the Console"/>
<Scope displayName="User Sharing Management Delete Feature" name="console:userSharing_delete"
description="Delete user sharing status from the Console"/>
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@features/api-resource-mgt/org.wso2.carbon.identity.api.resource.mgt.server.feature/resources/system-api-resource.xml.j2`
around lines 2068 - 2073, Update the descriptions for the tenant-level
console:userSharing_create and console:userSharing_delete Scope entries in the
user sharing management block to use distinct Create and Delete wording,
matching the corresponding org-level and system-api-resource entries; leave
console:userSharing_update unchanged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant