Rbac Scoping
# Task 006: Implement RBAC Scoping
> Production task prompt. Phase 1 backend component.
---
## 1. Objective
Implement `search.apply_rbac(filters, actor)` - derives the actor's `(organization_id, role)` and injects an `organization_id` filter for non-admin actors. After RBAC scoping, the query builder (task 7) cannot return users outside the actor's authorized scope.
After this task: admin actors see the full corpus; non-admin actors see only users in their own organization. A cross-tenant probe (manual integration test) is rejected.
## 2. Context
**PRD Reference**: [`../../prds/active/user-search.md`](../../prds/active/user-search.md) Section 17 (Security Requirements)
**Spec Reference**: [`../../specs/user-search/requirements.md`](../../specs/user-search/requirements.md) - R5.1, R5.2, R5.3, NFR-2.1, NFR-2.2
**Architecture Reference**: [`../../specs/user-search/design.md`](../../specs/user-search/design.md) Section 8 (Security Considerations)
**Phase Master**: [`000_MASTER_backend.md`](000_MASTER_backend.md)
**Global Master**: [`../000_GLOBAL_MASTER.md`](../000_GLOBAL_MASTER.md)
**Related Tasks**: task 6 in [`../../specs/user-search/tasks.md`](../../specs/user-search/tasks.md). Depends on task 5 (validator). Consumed by task 10 (compose endpoint).
**Current File(s)**: `src/services/users/search/rbac.py` (new).
This is the security gate. Forgetting RBAC scoping at this layer turns the endpoint into an enumeration attack. The validator runs first; this runs second; the query builder runs third - defense in depth.
## 3. Agent Assignment
**Primary Agent**: `backend-engineer`
**Supporting Agents**:
- `security-auditor` - reviews the boundary between authenticated and validated; reviews the test that confirms a forged cursor or filter can't bypass.
- `unit-test-writer` - embedded.
## 4. Prerequisites
- [ ] Task 5 (validator) merged.
- [ ] Auth middleware exposes the actor's `id`, `role`, `organization_id` reliably.
- [ ] The roles enum is finalized.
## 5. Task Details
### 5.1 Goal
A pure function that augments the validated filter set with RBAC scoping:when to use it
Community prompt sourced from the open-source GitHub repo Enovatr-Labs/SpecRoute (Apache-2.0). A "Rbac Scoping" style prompt — adapt the placeholders and specifics to your task. Imported as-is and not independently retested here, so check the output before relying on it.
tags
codingcommunitydeveloper
source
Enovatr-Labs/SpecRoute · Apache-2.0
more in Coding
Coding✓ tested
Senior code review (strict mode)
senior staff engineer running a merciless but fair review
Coding✓ tested
Debug by hypothesis, not by guessing
debugging partner who forms theories before touching code
Coding✓ tested
Generate tests from described behavior
test engineer who writes tests that would actually catch regressions