feat: group management UI in AclMembersPanel (#307) #310

Open
schmug wants to merge 2 commits into main from claude/issue-307-group-ui

@schmug schmug commented May 22, 2026

Summary

  • Adds a Groups section below Members in AclMembersPanel with an add (plain-text input) and per-group remove button, mirroring the existing member UI pattern
  • Extends app/services/api.ts with addAclGroup / removeAclGroup API calls; adds useAddAclGroup / useRemoveAclGroup mutation hooks in app/queries/mailboxes.ts; updates useMailboxAcl return type to include groups: string[]
  • Extends tests/routes/acl-members.test.ts with route-level tests for POST /acl/groups (idempotent add, non-owner 403, missing field 400) and DELETE /acl/groups/:name (remove, non-owner 403, URL-encoded group name)

Closes #307


Stacking note: This branch builds on claude/wizardly-einstein-cgUZc (PR #306). Before merging #307, flip its base to main and rebase with git rebase --onto origin/main 86d47e7 to drop the upstream commits cleanly.


Test plan

  • npm test — 1100 passing, 0 failing
  • npm run typecheck — no TypeScript errors
  • Route-level: POST /acl/groups adds group, idempotent on duplicate, 403 for non-owner, 400 for missing field
  • Route-level: DELETE /acl/groups/:name removes group, 403 for non-owner, URL-decodes group name with spaces
  • Frontend: AclMembersPanel renders a Groups section listing current groups with remove buttons
  • Frontend: Add group input is plain text (not email), displays note "Group names must match names defined in your Cloudflare Access dashboard"
  • Frontend mocks updated in settings-behavior, hub-settings, security-settings, settings-attachment-scanner to expose the two new hooks

Acceptance items

| Criterion | Status |
|---|---|
| Settings → Access panel shows a "Groups" section listing current group grants with a remove button per group | Shipped |
| Owner can add a new group by typing its name and clicking Add; the list updates without a full page reload | Shipped |
| Non-owner caller does not see the group editor (read-only view or hidden) | Shipped — API returns 403 to non-owners; useMailboxAcl query remains in error state, panel never renders edit controls |
| useMailboxAcl return type includes groups: string[]; TypeScript is happy | Shipped |
| Route-level tests cover: add group (idempotent), remove group, non-owner gets 403 | Shipped |

https://claude.ai/code/session_01WpLc5TwgfQr642pqrvgs1q


Generated by Claude Code

claude added 2 commits May 21, 2026 12:21
Extends the per-mailbox ACL to support Cloudflare Access group grants
alongside the existing email-member list, so orgs can manage mailbox
access by team/role without maintaining per-mailbox email lists.

Key changes:
- `MailboxAcl.groups?: string[]` — optional field; absent = no group
  grants; existing email-only ACL blobs remain valid without migration
- `callerGroupsFromJwt()` — decodes the `groups` claim from the
  already-verified CF Access JWT (no re-verification, sourced only from
  the signed token, never a spoofable header)
- `callerInAcl()` gains a third `callerGroups` param; access is granted
  when the caller is in `members` OR belongs to a granted group name
- `requireMailbox` and `GET /api/v1/mailboxes` both extract groups from
  the JWT and pass them to `callerInAcl`
- `POST /api/v1/mailboxes/:id/acl/groups` and
  `DELETE /api/v1/mailboxes/:id/acl/groups/:name` — owner-only group
  add/remove; `GET /acl` now returns `groups[]` alongside owner/members

Tests: callerInAcl group-grant, deny non-member, email-only unchanged,
no-ACL backwards-compat, callerGroupsFromJwt, requireMailbox integration
(1093 passing, 0 failing)

Deferred (follow-up): group management in AclMembersPanel UI

https://claude.ai/code/session_019pmwmDXFom1HzioGUAgAbF

Adds a Groups section below Members in AclMembersPanel with add/remove
controls mirroring the existing member UI. Extends api.ts with
addAclGroup/removeAclGroup, adds useAddAclGroup/useRemoveAclGroup hooks,
updates useMailboxAcl return type to include groups: string[], and
extends acl-members route tests to cover POST /groups (idempotent add),
DELETE /groups/:name, and non-owner 403.

https://claude.ai/code/session_01WpLc5TwgfQr642pqrvgs1q
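
The access rule and the owner-only, idempotent group add described in the commit messages above, as an added TypeScript example that is not the project's code. The `MailboxAcl` fields other than `groups`, the `name` body field, the 200 success status, exact-match comparison, and the helper names `groupsFromVerifiedClaims` and `applyGroupAdd` are assumptions.

```typescript
// Added illustration; shapes and helper names are assumptions, not the project's code.
interface MailboxAcl {
  owner: string;
  members: string[];
  groups?: string[]; // absent = no group grants (as in the commit message)
}

// Read group names from the payload of an ALREADY-VERIFIED token.
// Entries that are not non-empty strings are dropped rather than trusted.
function groupsFromVerifiedClaims(claims: unknown): string[] {
  if (typeof claims !== "object" || claims === null) return [];
  const raw = (claims as Record<string, unknown>)["groups"];
  if (!Array.isArray(raw)) return [];
  return raw.filter((g): g is string => typeof g === "string" && g.length > 0);
}

// Same name as the function in the commit message; the body is an assumption.
// Access is granted when the caller is in `members` OR in a granted group.
function callerInAcl(acl: MailboxAcl, email: string, callerGroups: string[]): boolean {
  if (acl.members.includes(email)) return true;
  const granted = new Set(acl.groups ?? []);
  return callerGroups.some((g) => granted.has(g));
}

type GroupAddResult = { status: 200 | 400 | 403; acl: MailboxAcl };

// Owner-only, idempotent add. Group membership grants mailbox access,
// but it never grants the right to edit the ACL itself.
function applyGroupAdd(acl: MailboxAcl, callerEmail: string, body: unknown): GroupAddResult {
  if (callerEmail !== acl.owner) return { status: 403, acl };
  const name =
    typeof body === "object" && body !== null
      ? (body as Record<string, unknown>)["name"]
      : undefined;
  if (typeof name !== "string" || name.trim() === "") return { status: 400, acl };
  const group = name.trim();
  const groups = acl.groups ?? [];
  if (groups.includes(group)) return { status: 200, acl }; // duplicate: no change
  return { status: 200, acl: { ...acl, groups: [...groups, group] } };
}
```
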
@cloudflare-workers-and-pages

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! (View logs) | ais-hub | 5e1785a | Commit Preview URL, Branch Preview URL | May 22 2026, 11:18 AM |

Development

Successfully merging this pull request may close these issues.

feat: group management UI in AclMembersPanel (deferred from #295)