Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.
This repository was archived by the owner on May 29, 2026. It is now read-only.

wave-12 follow-up: fleet sweep of *_register.json to add authorization blocks ahead of default-closed flip #2011

Description

@rubenvdlinde

Context

Wave-12 (PR #2010) closed the engine-side default-OPEN write hole behind an opt-in flag (openregister:enforce_default_closed, default false). The flag is the staging ground for a next-major release where the default flips to true, requiring every schema author to declare an explicit authorization block on schemas that hold tenant-scoped or app-private data.

Today's audit (/tmp/wave11-or-engine-primitives.md Section B1) flagged openbuilt_register.json as the proximate case, but every fleet *_register.json without an authorization block is open for create/update/delete to any authenticated user under the current default.

Scope

For every Conduction app under apps-extra/ and in the broader fleet (decidesk, docudesk, mydash, opencatalogi, openconnector, openbuilt, openregister, openzaak, pipelinq, procest, scholiq, shillinq, softwarecatalog, zaakafhandelapp, larpingapp, planix, …):

  1. Enumerate every *_register.json (and schema JSON file ingested by lib/Repair/InitializeRegister.php).
  2. For each file lacking an authorization block, decide one of:
    • Add the block with sensible defaults (e.g. create/update/delete: ["users"] for shared data, ["admin"] for system/registry data).
    • Opt in to open writes by setting "public": true on the schema (rare — should be the exception for genuinely anonymous-submission forms).
  3. Ship one PR per app, gated by Hydra's standard review pipeline.

Definition of done

  • Every fleet *_register.json and schema JSON either declares authorization or explicitly opts in via "public": true.
  • The openregister:enforce_default_closed flag can be flipped from false to true without breaking any leaf app.
  • A coordinated next-major OR release flips the default.

Audit command

# Enumerate files missing an authorization block:
grep -L '"authorization"' apps-extra/*/registers/*.json apps-extra/*/openspec/specs

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions