grafana/pkg/services/accesscontrol/database
mohammad-hamid a3ae83a37a IAM: Add disabled field to role permissions
This change adds support for disabling permissions without removing them
from roles. This allows users to revoke permissions while signaling to
apps that the permission should not be re-granted.

Key changes:
- Add disabled boolean field to RolespecPermission in CUE schema
- Update generated Go types for Role, CoreRole, and GlobalRole
- Add disabled column to permission table via migration
- Filter disabled permissions in Zanzana tuple conversion
- Filter disabled permissions in legacy RBAC queries
- Update SQL queries to persist and retrieve disabled field

When a permission has disabled: true:
- It remains visible in the role definition
- It is NOT written to Zanzana (authorization engine)
- It is NOT returned in RBAC permission queries

This prevents apps from re-granting permissions that users have
explicitly revoked, while maintaining visibility of the permission
in the role.
2025-12-16 11:54:31 -05:00