Role-based permissions DAP - Manage permission check integration for custom flows
## Summary
This issue integrates DAP (Duo Agent Platform) role-based `Manage` permission checks into custom flow management operations. It ensures that only users with appropriate permissions (maintainer+ by default) can create, duplicate, edit, enable, and delete custom flows.
## Background
As part of the DAP role-based permissions epic (#19743), we need to enforce the `Manage` permission across all DAP administrative operations. Custom flows are a core DAP resource that requires proper access controls for management operations.
The `Manage` permission controls:
- **Create**: Creating new custom flows
- **Duplicate**: Duplicating existing custom flows
- **Edit**: Modifying custom flow configurations
- **Enable**: Enabling or disabling custom flows
- **Delete**: Removing custom flows
The `Manage` permission is limited to maintainer+ roles by design. Flows can only be added to a project by a maintainer+.
## Requirements
### Permission Check Integration
- [ ] Identify all entry points for custom flow management operations
- [ ] Integrate `DapPermissionService.can_user_perform_action?` checks for `:manage` action
- [ ] Ensure permission checks occur before any management operation
- [ ] Handle permission denial gracefully with appropriate error messages
- [ ] Enforce maintainer+ minimum role requirement
### Management Operations to Protect
#### Create Operations
- [ ] Creating new custom flows via UI
- [ ] Creating custom flows via API/GraphQL
- [ ] Importing custom flows
- [ ] Cloning/duplicating custom flows
#### Edit Operations
- [ ] Updating flow configuration
- [ ] Modifying flow steps and logic
- [ ] Changing flow permissions
- [ ] Updating flow metadata
- [ ] Configuring flow triggers
#### Enable/Disable Operations
- [ ] Enabling custom flows
- [ ] Disabling custom flows
- [ ] Toggling flow availability
#### Delete Operations
- [ ] Deleting custom flows
- [ ] Bulk deletion operations
- [ ] Archiving flows (if applicable)
### Service Account Considerations
Each flow has a service account assigned (see epic #19478). Management operations should consider:
- Service account can only be added by an owner+ to a top-level namespace
- Flow can only be added to a project by a maintainer+
- Changing flow service account requires appropriate permissions
## Technical Implementation
### Locations to Update
Based on the codebase analysis from issue #578370, identify and update all locations where custom flows are managed. This may include:
- Flow management controllers
- GraphQL mutations for flow CRUD operations
- API endpoints for flow management
- Admin interfaces for flow configuration
- Bulk operation handlers
- Flow import/export functionality
### Permission Check Pattern
```ruby
# Before any manage operation on custom flow
unless DapPermissionService.can_user_perform_action?(current_user, namespace, :manage)
  return error_response('Insufficient permissions to manage custom flows. Maintainer role or higher required.')
end

# Perform management operation
perform_flow_management_operation(flow, params)
```
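An added example (not GitLab's code) of the pattern above, also exercising the allowed/denied scenarios listed under Testing Scenarios: a hypothetical in-memory stand-in for `DapPermissionService` (the role ranks, the `:min_roles` namespace key and `CustomFlowService` are all assumptions) in which every manage operation passes through one guarded choke point that audits each attempt and never runs the operation when the check fails.

```ruby
# Role ranks used by the stand-in service (constructed, hypothetical values).
ROLE_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# Hypothetical stand-in for DapPermissionService. Namespace configuration may
# raise the minimum role for an action but never lower it below the floor,
# so :manage always stays maintainer+.
class DapPermissionService
  ROLE_FLOOR = { manage: :maintainer }.freeze

  def self.can_user_perform_action?(user, namespace, action)
    floor = ROLE_LEVELS.fetch(ROLE_FLOOR.fetch(action))
    configured = namespace.fetch(:min_roles, {})[action]
    required = [floor, ROLE_LEVELS.fetch(configured, 0)].max
    ROLE_LEVELS.fetch(namespace[:members][user], 0) >= required # unknown user => rank 0
  end
end

# Flow management with one choke point: create/update/enable/delete all go
# through #manage, which runs the check first and audits every attempt.
class CustomFlowService
  DENIED = 'Insufficient permissions to manage custom flows. Maintainer role or higher required.'.freeze
  attr_reader :flows, :audit_log

  def initialize(namespace)
    @namespace = namespace
    @flows = {}
    @audit_log = []
  end

  def create(user, name)
    manage(user, :create, name) { @flows[name] = { name: name, enabled: true } }
  end
  def update(user, name, attrs)
    manage(user, :update, name) { @flows.fetch(name).merge!(attrs) }
  end
  def enable(user, name, enabled)
    manage(user, :enable, name) { @flows.fetch(name).merge!(enabled: enabled) }
  end
  def delete(user, name)
    manage(user, :delete, name) { @flows.delete(name) }
  end

  private

  # Denied attempts return an error and never execute the operation block.
  def manage(user, operation, name)
    allowed = DapPermissionService.can_user_perform_action?(user, @namespace, :manage)
    @audit_log << { user: user, operation: operation, flow: name, allowed: allowed }
    return { status: :error, message: DENIED } unless allowed
    { status: :success, flow: yield }
  end
end
```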
## Acceptance Criteria
- [ ] All custom flow management operations have permission checks
- [ ] Users without `Manage` permission receive clear error messages
- [ ] Error messages indicate maintainer+ role requirement
- [ ] Permission checks are performant (use caching from DapPermissionService)
- [ ] UI elements for management are hidden/disabled for users without permission
- [ ] Integration tests verify permission enforcement
- [ ] Tests cover both allowed and denied scenarios
- [ ] Audit logging captures management operations and permission checks
## Testing Scenarios
- [ ] User with maintainer role can manage custom flows (default config)
- [ ] User with owner role can manage custom flows (default config)
- [ ] User with developer role cannot manage custom flows
- [ ] User with reporter role cannot manage custom flows
- [ ] Custom permission configuration is respected (maintainer+ only)
- [ ] Instance-level and namespace-level permissions work correctly
- [ ] All CRUD operations (create, read, update, delete) respect permissions
- [ ] Bulk operations respect permissions
- [ ] UI appropriately reflects permission state
- [ ] Flow can only be added to project by maintainer+
## User Experience
- [ ] Management UI elements are hidden for users without permission
- [ ] Clear messaging when users attempt unauthorized operations
- [ ] Guidance on how to request access or who can perform operations
- [ ] Consistent permission enforcement across UI, API, and GraphQL
## Related Issues
- Parent Epic: #19743 - [Backend] Role-based permissions controls for DAP
- Depends on: #578557 - Role-based permissions DAP - Manage permission
- Related: #578558 - Manage permission for custom agents
- Related: #578556 - Run permission service
- Related: #19478 - Service account implementation
## Notes
The `Manage` permission for custom flows is a critical security control. Only maintainer+ users should be able to create or modify flows, as these can execute code and access resources within projects. The restriction that flows can only be added to a project by maintainer+ is an important security boundary.