fix: merge version ranges when adding existing package signer (#3125)

* fix: merge version ranges when adding existing package signer Previously, add_package_signer unconditionally inserted the new version range, overwriting any existing authorization for that signer. Now it OR-merges the new range with the existing one, so running signer add multiple times accumulates permissions rather than replacing them. * add --merge flag to registry package signer add Default behavior remains overwrite. When --merge is passed, the new version range is OR-merged with the existing one, allowing admins to accumulate permissions incrementally. * add missing attribute to TS type * make merge optional * upsert instead of insert * VersionRange::None on upsert
2026-03-26 10:21:52 +00:00 · 2026-02-18 13:21:33 -07:00
parent 0260c1532d
commit 26a68afdef
2 changed files with 15 additions and 1 deletions
--- a/core/src/registry/package/signer.rs
+++ b/core/src/registry/package/signer.rs
@@ -58,6 +58,9 @@ pub struct AddPackageSignerParams {
    #[arg(long, help = "help.arg.version-range")]
    #[ts(type = "string | null")]
    pub versions: Option<VersionRange>,
+    #[arg(long, help = "help.arg.merge")]
+    #[ts(optional)]
+    pub merge: Option<bool>,
 }

 pub async fn add_package_signer(
@@ -66,6 +69,7 @@ pub async fn add_package_signer(
        id,
        signer,
        versions,
+        merge,
    }: AddPackageSignerParams,
 ) -> Result<(), Error> {
    ctx.db
@@ -76,13 +80,22 @@ pub async fn add_package_signer(
                "unknown signer {signer}"
            );

+            let versions = versions.unwrap_or_default();
            db.as_index_mut()
                .as_package_mut()
                .as_packages_mut()
                .as_idx_mut(&id)
                .or_not_found(&id)?
                .as_authorized_mut()
-                .insert(&signer, &versions.unwrap_or_default())?;
+                .upsert(&signer, || Ok(VersionRange::None))?
+                .mutate(|existing| {
+                    *existing = if merge.unwrap_or(false) {
+                        VersionRange::or(existing.clone(), versions)
+                    } else {
+                        versions
+                    };
+                    Ok(())
+                })?;

            Ok(())
        })
--- a/sdk/base/lib/osBindings/AddPackageSignerParams.ts
+++ b/sdk/base/lib/osBindings/AddPackageSignerParams.ts
@@ -6,4 +6,5 @@ export type AddPackageSignerParams = {
  id: PackageId
  signer: Guid
  versions: string | null
+  merge?: boolean
 }