feat: permission elevation foundation

[tomkis]

Summary

Adds whole CLI section for listing users as well as setting role to individual users.

Linked Issues

Solves #1734

Documentation

• No Docs Needed:

If this PR adds new feature or changes existing. Make sure documentation is adjusted accordingly. If the docs is not needed, please explain why.

[gemini-code-assist]

Summary of Changes

Hello @tomkis, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request establishes the foundational elements for a robust permission elevation system. It introduces a comprehensive role versioning mechanism that ensures immediate reflection of user role changes by invalidating outdated access tokens. Additionally, it provides a dedicated administrative API for managing user roles, enhancing security and control over user permissions.

Highlights

• Role Versioning Implementation: Introduced role_version and role_updated_at fields to the User model and the underlying database schema, providing a mechanism to track changes in user roles.
• JWT Invalidation on Role Change: Implemented a security measure where JSON Web Tokens (JWTs) are invalidated if a user's role has been updated since the token was issued. This is achieved by embedding a token_version in the JWT and comparing it against the user's current role_version during authentication.
• Admin API for Role Management: Added a new API endpoint (PUT /users/{user_id}/role) that allows administrators to change user roles. This endpoint ensures that only admins can perform this action and prevents users from modifying their own roles.
• Database Migration: Included an Alembic migration script to add the new role_version (integer, default 1) and role_updated_at (datetime, nullable) columns to the users table in the database.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a permission elevation foundation by adding role versioning to users. This allows for invalidating JWTs when a user's role changes, which is a great security enhancement. A new endpoint is added for administrators to change user roles.

My review includes a few suggestions:

• Handling a potential ValueError in the new user role change endpoint to prevent 500 errors.
• Improving code readability in the user repository.
• Aligning naming conventions for JWT claims for better consistency and maintainability.

[tomkis]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a solid foundation for permission elevation by adding CLI commands for user management, including listing users and setting their roles. The implementation of role versioning to invalidate tokens upon role change is a great security enhancement. However, I've identified a couple of critical issues: one in the JWT verification logic that would cause it to fail, and another in a new API endpoint's dependency declaration that would prevent it from working correctly. I've also included some suggestions to improve code quality and maintainability in the new CLI commands. Addressing these points will ensure the new functionality is robust and reliable.