Context
AssignmentsAPIView previously returned staff/superuser entries (SuperAdminAssignmentData) alongside regular role assignments, these entries bypassed all org/scope/role filters because they are not Casbin-backed so they were fetched in a separate call.
PR #345 removed them from the list endpoint as a short-term fix to unblock a release.
What needs to be done
Design and implement proper listing and filtering behavior for staff/superuser entries in the assignments list endpoint:
- Define what it means to filter a
SuperAdminAssignmentData by org, scope, and role (these entries have no Casbin policy behind them).
- Ensure superadmin entries are either included or excluded consistently with whatever filter is active, without bypassing the filter logic.
- Ensure users can only review scopes they have access to.
- Add or restore test coverage for the filtering behavior.
Current state
SuperAdminAssignmentData and get_superadmin_assignments() still exist and are used by TeamMemberAssignmentsAPIView.
- The list endpoint returns only
RoleAssignmentData entries.
- Serializer support for
SuperAdminAssignmentData (role, org, scope, is_superadmin fields) is still in place.
Context
AssignmentsAPIViewpreviously returned staff/superuser entries (SuperAdminAssignmentData) alongside regular role assignments, these entries bypassed all org/scope/role filters because they are not Casbin-backed so they were fetched in a separate call.PR #345 removed them from the list endpoint as a short-term fix to unblock a release.
What needs to be done
Design and implement proper listing and filtering behavior for staff/superuser entries in the assignments list endpoint:
SuperAdminAssignmentDataby org, scope, and role (these entries have no Casbin policy behind them).Current state
SuperAdminAssignmentDataandget_superadmin_assignments()still exist and are used byTeamMemberAssignmentsAPIView.RoleAssignmentDataentries.SuperAdminAssignmentData(role, org, scope, is_superadmin fields) is still in place.