Skip to content

fix: require admin role for destructive project mutations in GraphQL API#14050

Draft
mikeldking wants to merge 1 commit into
mainfrom
claude/graphql-project-auth-check-eta8st
Draft

fix: require admin role for destructive project mutations in GraphQL API#14050
mikeldking wants to merge 1 commit into
mainfrom
claude/graphql-project-auth-check-eta8st

Conversation

@mikeldking

Copy link
Copy Markdown
Collaborator

resolves #14047

Summary

When PHOENIX_ENABLE_AUTH=true, the GraphQL mutations deleteProject, clearProject, and patchProject only checked IsNotViewer, so any authenticated MEMBER could delete or wipe every project (and all associated traces, evaluations, and experiment data) in the instance. The equivalent REST endpoints (PUT/DELETE /v1/projects/...) already require admin via require_admin.

Changes

  • Backend (src/phoenix/server/api/mutations/project_mutations.py): add IsAdminIfAuthEnabled to the permission_classes of deleteProject, clearProject, and patchProject, matching the REST API and other sensitive GraphQL mutations. createProject keeps IsNotViewer only, matching POST /v1/projects which is member-allowed. When auth is disabled, behavior is unchanged (IsAdminIfAuthEnabled passes).
  • Frontend: new useViewerCanManageProjects hook (admin-only, consistent with useViewerCanManageRetentionPolicy etc.); the project action menu now hides Clear All Data / Remove Data / Delete for non-admins, and the project settings Edit button (patchProject) is hidden for non-admins.
  • Tests (tests/integration/auth/test_auth.py): new TestProjectMutationPermissions verifying per role (viewer/member/admin/default admin) that createProject is member-allowed while the three destructive mutations are admin-only.

🤖 Generated with Claude Code

https://claude.ai/code/session_01NUkuh6drCcqkwDMzKm9crm


Generated by Claude Code

When auth is enabled, deleteProject, clearProject, and patchProject only
checked IsNotViewer, allowing any MEMBER to delete or wipe all projects
and their trace data. Add IsAdminIfAuthEnabled to these mutations,
matching the REST API where PUT/DELETE /v1/projects require admin.
createProject remains member-allowed, matching POST /v1/projects.

Also hide the corresponding UI affordances (delete/clear/remove-data
menu items and the project settings edit button) from non-admin users,
and add role-based integration tests for the four project mutations.

Fixes #14047

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01NUkuh6drCcqkwDMzKm9crm
@mintlify

mintlify Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
arize-phoenix 🟢 Ready View Preview Jul 3, 2026, 4:58 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: 📘 Todo

Development

Successfully merging this pull request may close these issues.

GraphQL project mutations missing admin authorization -- Phoenix v16.3.0

2 participants