## Summary This issue integrates DAP (Duo Agent Platform) role-based `Enable on projects` permission checks into custom flow enablement operations. It ensures that only users with appropriate permissions (maintainer+ by default) can enable or disable custom flows on projects. ## Background As part of the DAP role-based permissions epic (#19743), we need to enforce the `Enable on projects` permission across all DAP flow enablement operations. Custom flows are a core DAP resource that requires proper access controls for project-level enablement. The `Enable on projects` permission controls: - **Enable**: Enabling custom flows on projects - **Disable**: Disabling custom flows on projects - **Toggle**: Toggling flow availability on projects The `Enable on projects` permission is limited to maintainer+ roles by design. Flows can only be added to a project by a maintainer+. ## Requirements ### Permission Check Integration - [ ] Identify all entry points for custom flow enablement operations on projects - [ ] Integrate `DapPermissionService.can_user_perform_action?` checks for `:enable_on_projects` action - [ ] Ensure permission checks occur before any enablement operation - [ ] Handle permission denial gracefully with appropriate error messages - [ ] Enforce maintainer+ minimum role requirement ### Enablement Operations to Protect #### Enable Operations - [ ] Enabling custom flows on projects via UI - [ ] Enabling custom flows on projects via API/GraphQL - [ ] Bulk enable operations #### Disable Operations - [ ] Disabling custom flows on projects via UI - [ ] Disabling custom flows on projects via API/GraphQL - [ ] Bulk disable operations #### Toggle Operations - [ ] Toggling flow availability on projects ### Service Account Considerations Each flow has a service account assigned (see epic #19478). Enablement operations should consider: - Service account can only be added by an owner+ to a top-level namespace - Flow can only be added to a project by a maintainer+ - Changing flow service account requires appropriate permissions ## Technical Implementation ### Locations to Update Based on the codebase analysis, identify and update all locations where custom flows are enabled on projects. This may include: - Flow enablement controllers - GraphQL mutations for flow enablement operations - API endpoints for flow enablement - Project settings interfaces for flow configuration - Bulk operation handlers - Flow import/export functionality ### Permission Check Pattern ```ruby # Before any enable operation on custom flow for project unless DapPermissionService.can_user_perform_action?(current_user, namespace, :enable_on_projects) return error_response('Insufficient permissions to enable custom flows on projects. Maintainer role or higher required.') end # Perform enablement operation perform_flow_enablement_operation(flow, project, params) ``` ## Acceptance Criteria - [ ] All custom flow enablement operations have permission checks - [ ] Users without `Enable on projects` permission receive clear error messages - [ ] Error messages indicate maintainer+ role requirement - [ ] Permission checks are performant (use caching from DapPermissionService) - [ ] UI elements for enablement are hidden/disabled for users without permission - [ ] Integration tests verify permission enforcement - [ ] Tests cover both allowed and denied scenarios - [ ] Audit logging captures enablement operations and permission checks ## Testing Scenarios - [ ] User with maintainer role can enable custom flows on projects (default config) - [ ] User with owner role can enable custom flows on projects (default config) - [ ] User with developer role cannot enable custom flows on projects - [ ] User with reporter role cannot enable custom flows on projects - [ ] Custom permission configuration is respected (maintainer+ only) - [ ] Instance-level and namespace-level permissions work correctly - [ ] All enablement operations (enable, disable, toggle) respect permissions - [ ] Bulk operations respect permissions - [ ] UI appropriately reflects permission state - [ ] Flow can only be added to project by maintainer+ ## User Experience - [ ] Enablement UI elements are hidden for users without permission - [ ] Clear messaging when users attempt unauthorized operations - [ ] Guidance on how to request access or who can perform operations - [ ] Consistent permission enforcement across UI, API, and GraphQL ## Related Issues - Parent Epic: #19743 - [Backend] Role-based permissions controls for DAP - Related: #583858 - Enable on projects permission for custom agents - Related: #578557 - Role-based permissions DAP - Manage permission - Related: #19478 - Service account implementation ## Notes The `Enable on projects` permission for custom flows is an important security control. Only maintainer+ users should be able to enable flows on projects, as these can execute code and access resources within projects. The restriction that flows can only be added to a project by maintainer+ is an important security boundary.