feat(BA-5765): add RBAC-enforced VFolder purge mutation

fregataa · claude · fregataa · commit 35a531b8d17b · 2026-04-21T20:01:32.000+09:00
Add PurgeVFolderV2RBACAction (SingleEntityActionProcessor + RBAC).
Adapter purge() routes to RBAC path; bulk_purge() stays on legacy.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/changes/11165.feature.md b/changes/11165.feature.md
@@ -0,0 +1 @@
+Add RBAC-enforced VFolder purge v2 mutation with SingleEntityActionProcessor.
diff --git a/src/ai/backend/manager/api/adapters/vfolder.py b/src/ai/backend/manager/api/adapters/vfolder.py
@@ -411,12 +411,9 @@ async def restore(self, vfolder_id: UUID) -> RestoreVFolderPayload:
         return RestoreVFolderPayload(id=vfolder_id)
 
     async def purge(self, vfolder_id: UUID) -> PurgeVFolderPayload:
-        """Permanently delete a vfolder."""
-        me = current_user()
-        if me is None:
-            raise UnreachableError("User context is not available")
-        action = PurgeVFolderV2Action(user_id=me.user_id, vfolder_id=vfolder_id)
-        await self._processors.vfolder.purge_v2.wait_for_complete(action)
+        """Permanently delete a vfolder. RBAC enforced."""
+        action = PurgeVFolderV2RBACAction(vfolder_id=vfolder_id)
+        await self._processors.vfolder.purge_v2_rbac.wait_for_complete(action)
         return PurgeVFolderPayload(id=vfolder_id)
 
     async def deploy(
diff --git a/tests/component/vfolder_v2/test_vfolder_mutation.py b/tests/component/vfolder_v2/test_vfolder_mutation.py
@@ -1,6 +1,6 @@
-"""Component tests for v2 VFolder RBAC-enforced delete and restore mutations via SDK.
+"""Component tests for v2 VFolder RBAC-enforced delete, restore, and purge mutations via SDK.
 
-Exercises delete and restore mutations through the real HTTP server +
+Exercises delete, restore, and purge mutations through the real HTTP server +
 V2ClientRegistry SDK.
 """
 
@@ -225,3 +225,15 @@ async def test_superadmin_trash_then_restore(
         await admin_v2_registry.vfolder.delete(project_vfolder.id)
         payload = await admin_v2_registry.vfolder.restore(project_vfolder.id)
         assert payload.id == project_vfolder.id
+
+
+class TestPurgeVFolderRBAC:
+    """POST /v2/vfolders/{id}/purge -- SingleEntityActionProcessor RBAC."""
+
+    async def test_regular_user_denied(
+        self,
+        user_v2_registry: V2ClientRegistry,
+        project_vfolder: ProjectVFolderFixtureData,
+    ) -> None:
+        with pytest.raises(PermissionDeniedError):
+            await user_v2_registry.vfolder.purge(project_vfolder.id)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Add RBAC-enforced VFolder purge v2 mutation with SingleEntityActionProcessor.`