Role-based permissions DAP - Enable on projects permission check integration for custom agents
## Summary

This issue integrates DAP (Duo Agent Platform) role-based `Enable on projects` permission checks into custom agent enablement operations. It ensures that only users with appropriate permissions (maintainer+ by default) can enable or disable custom agents on projects.

## Background

As part of the DAP role-based permissions epic (#19743), we need to enforce the `Enable on projects` permission across all DAP agent enablement operations. Custom agents are a core DAP resource that requires proper access controls for project-level enablement.

The `Enable on projects` permission controls:

- **Enable**: Enabling custom agents on projects
- **Disable**: Disabling custom agents on projects
- **Toggle**: Toggling agent availability on projects

The `Enable on projects` permission is limited to maintainer+ roles by design.

## Requirements

### Permission Check Integration

- [ ] Identify all entry points for custom agent enablement operations on projects
- [ ] Integrate `DapPermissionService.can_user_perform_action?` checks for `:enable_on_projects` action
- [ ] Ensure permission checks occur before any enablement operation
- [ ] Handle permission denial gracefully with appropriate error messages
- [ ] Enforce maintainer+ minimum role requirement

### Enablement Operations to Protect

#### Enable Operations

- [ ] Enabling custom agents on projects via UI
- [ ] Enabling custom agents on projects via API/GraphQL
- [ ] Bulk enable operations

#### Disable Operations

- [ ] Disabling custom agents on projects via UI
- [ ] Disabling custom agents on projects via API/GraphQL
- [ ] Bulk disable operations

#### Toggle Operations

- [ ] Toggling agent availability on projects

## Technical Implementation

### Locations to Update

Based on the codebase analysis, identify and update all locations where custom agents are enabled on projects. This may include:

- Agent enablement controllers
- GraphQL mutations for agent enablement operations
- API endpoints for agent enablement
- Project settings interfaces for agent configuration
- Bulk operation handlers

### Permission Check Pattern

```ruby
# Before any enable operation on custom agent for project
unless DapPermissionService.can_user_perform_action?(current_user, namespace, :enable_on_projects)
  return error_response('Insufficient permissions to enable custom agents on projects. Maintainer role or higher required.')
end

# Perform enablement operation
perform_agent_enablement_operation(agent, project, params)
```

## Acceptance Criteria

- [ ] All custom agent enablement operations have permission checks
- [ ] Users without `Enable on projects` permission receive clear error messages
- [ ] Error messages indicate maintainer+ role requirement
- [ ] Permission checks are performant (use caching from DapPermissionService)
- [ ] UI elements for enablement are hidden/disabled for users without permission
- [ ] Integration tests verify permission enforcement
- [ ] Tests cover both allowed and denied scenarios
- [ ] Audit logging captures enablement operations and permission checks

## Testing Scenarios

- [ ] User with maintainer role can enable custom agents on projects (default config)
- [ ] User with owner role can enable custom agents on projects (default config)
- [ ] User with developer role cannot enable custom agents on projects
- [ ] User with reporter role cannot enable custom agents on projects
- [ ] Custom permission configuration is respected (maintainer+ only)
- [ ] Instance-level and namespace-level permissions work correctly
- [ ] All enablement operations (enable, disable, toggle) respect permissions
- [ ] Bulk operations respect permissions
- [ ] UI appropriately reflects permission state

## User Experience

- [ ] Enablement UI elements are hidden for users without permission
- [ ] Clear messaging when users attempt unauthorized operations
- [ ] Guidance on how to request access or who can perform operations
- [ ] Consistent permission enforcement across UI, API, and GraphQL

## Related Issues

- Parent Epic: #19743 - [Backend] Role-based permissions controls for DAP
- Related: #583859 - Enable on projects permission for custom flows
- Related: #578557 - Role-based permissions DAP - Manage permission

## Notes

The `Enable on projects` permission for custom agents is an important security control. Only maintainer+ users should be able to enable agents on projects, as these can execute code and access resources within projects.
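The following is an added example, not code from the GitLab codebase: it applies the Permission Check Pattern above through one guard shared by enable, disable, toggle and bulk operations, so the check and the audit entry always precede any state change. `StubDapPermissionService`, `AgentEnablement`, `guarded` and the numeric role ordering are assumptions made for illustration; only `can_user_perform_action?` and `:enable_on_projects` come from the issue.

```ruby
# StubDapPermissionService is a hypothetical stand-in for DapPermissionService.
ROLE_LEVEL = { reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze # constructed ordering
User = Struct.new(:name, :role)

module StubDapPermissionService
  MIN_ROLE = { enable_on_projects: :maintainer }.freeze # assumed default configuration
  def self.can_user_perform_action?(user, _namespace, action)
    required = MIN_ROLE[action]
    return false if user.nil? || required.nil? # fail closed on unknown user or action
    ROLE_LEVEL.fetch(user.role, 0) >= ROLE_LEVEL.fetch(required)
  end
end

class AgentEnablement
  DENIED = 'Insufficient permissions to enable custom agents on projects. ' \
           'Maintainer role or higher required.'
  attr_reader :enabled, :audit_log

  def initialize
    @enabled = Hash.new(false) # [agent, project] => true/false
    @audit_log = []
  end

  def enable(user, namespace, agent, project)
    guarded(user, namespace, :enable) { @enabled[[agent, project]] = true }
  end
  def disable(user, namespace, agent, project)
    guarded(user, namespace, :disable) { @enabled[[agent, project]] = false }
  end
  def toggle(user, namespace, agent, project)
    guarded(user, namespace, :toggle) { @enabled[[agent, project]] = !@enabled[[agent, project]] }
  end

  # Bulk: one check up front, so a denied caller changes no project at all.
  def bulk_enable(user, namespace, agent, projects)
    guarded(user, namespace, :bulk_enable) { projects.each { |p| @enabled[[agent, p]] = true } }
  end

  private
  # Single choke point: check, record the decision, and only then mutate.
  def guarded(user, namespace, operation)
    allowed = StubDapPermissionService.can_user_perform_action?(user, namespace, :enable_on_projects)
    @audit_log << { user: user&.name, operation: operation, allowed: allowed }
    return { status: :error, message: DENIED } unless allowed
    yield
    { status: :success }
  end
end
```

Routing every entry point through one guard makes the "allowed and denied" test scenarios a matter of asserting on the returned status, the unchanged state, and the audit entry.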