fix(BA-4525): Raise error instead of branching on GLOBAL scope in search_scopes

Remove GLOBAL scope early-return from handler (scope_type.to_element()
now raises RBACTypeConversionError naturally), remove GLOBAL branch from
ScopeAdapter, remove get_global_scope() from repository, and delete the
corresponding test.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: fregataa

src/ai/backend/manager/api/rest/rbac/handler.py

@@ -12,7 +12,6 @@
 
 from ai.backend.common.api_handlers import APIResponse, BodyParam, PathParam
 from ai.backend.common.data.permission.types import (
-    GLOBAL_SCOPE_ID,
     EntityType,
     ScopeType,
 )
@@ -50,9 +49,7 @@
     SearchScopesResponse,
 )
 from ai.backend.common.exception import RBACTypeConversionError
-from ai.backend.manager.data.permission.id import ScopeId
 from ai.backend.manager.data.permission.role import UserRoleAssignmentInput, UserRoleRevocationInput
-from ai.backend.manager.data.permission.types import ScopeData
 from ai.backend.manager.dto.context import UserContext
 from ai.backend.manager.errors.permission import NotEnoughPermission
 from ai.backend.manager.models.rbac_models.role import RoleRow
@@ -326,21 +323,6 @@ async def search_scopes(
             raise NotEnoughPermission("Only superadmin can search scopes.")
 
         scope_type = path.parsed.scope_type
-        # Handle GLOBAL scope as a static early-return (GLOBAL is not in RBACElementType)
-        if scope_type.value == GLOBAL_SCOPE_ID:
-            global_result = SearchScopesResponse(
-                items=[
-                    self._scope_adapter.convert_to_dto(
-                        ScopeData(
-                            id=ScopeId(scope_type=ScopeType.GLOBAL, scope_id=GLOBAL_SCOPE_ID),
-                            name=GLOBAL_SCOPE_ID,
-                        )
-                    )
-                ],
-                pagination=PaginationInfo(total=1, offset=0, limit=1),
-            )
-            return APIResponse.build(status_code=HTTPStatus.OK, response_model=global_result)
-
         element_type = scope_type.to_element()
         querier = self._scope_adapter.build_querier(scope_type, body.parsed)
         action = SearchScopesAction(element_type=element_type, querier=querier)

src/ai/backend/manager/api/rest/rbac/scope_adapter.py

@@ -41,8 +41,6 @@ class ScopeAdapter(BaseFilterAdapter):
     def build_querier(self, scope_type: ScopeType, request: SearchScopesRequest) -> BatchQuerier:
         """Build a BatchQuerier based on scope type."""
         match scope_type:
-            case ScopeType.GLOBAL:
-                return self._build_global_scope_querier(request)
             case ScopeType.DOMAIN:
                 return self._build_domain_scope_querier(request)
             case ScopeType.PROJECT:
@@ -78,11 +76,6 @@ def _build_user_scope_querier(self, request: SearchScopesRequest) -> BatchQuerie
 
         return BatchQuerier(conditions=conditions, orders=orders, pagination=pagination)
 
-    def _build_global_scope_querier(self, request: SearchScopesRequest) -> BatchQuerier:
-        """Build a BatchQuerier for global scope (no filtering needed)."""
-        pagination = OffsetPagination(limit=request.limit, offset=request.offset)
-        return BatchQuerier(conditions=[], orders=[], pagination=pagination)
-
     def _convert_domain_filter(self, filter: ScopeFilter) -> list[QueryCondition]:
         """Convert scope filter to domain query conditions."""
         conditions: list[QueryCondition] = []

src/ai/backend/manager/repositories/permission_controller/repository.py

@@ -4,14 +4,14 @@
 from collections.abc import Mapping
 from typing import cast
 
-from ai.backend.common.data.permission.types import GLOBAL_SCOPE_ID, OperationType, RBACElementType
+from ai.backend.common.data.permission.types import OperationType, RBACElementType
 from ai.backend.common.exception import BackendAIError
 from ai.backend.common.metrics.metric import DomainType, LayerType
 from ai.backend.common.resilience.policies.metrics import MetricArgs, MetricPolicy
 from ai.backend.common.resilience.policies.retry import BackoffStrategy, RetryArgs, RetryPolicy
 from ai.backend.common.resilience.resilience import Resilience
 from ai.backend.manager.data.permission.entity import ElementAssociationListResult, EntityListResult
-from ai.backend.manager.data.permission.id import ObjectId, ScopeId
+from ai.backend.manager.data.permission.id import ObjectId
 from ai.backend.manager.data.permission.object_permission import (
     ObjectPermissionData,
     ObjectPermissionListResult,
@@ -40,9 +40,7 @@
 )
 from ai.backend.manager.data.permission.types import (
     RBACElementRef,
-    ScopeData,
     ScopeListResult,
-    ScopeType,
 )
 from ai.backend.manager.models.rbac_models.permission.object_permission import ObjectPermissionRow
 from ai.backend.manager.models.rbac_models.permission.permission import PermissionRow
@@ -303,20 +301,6 @@ async def search_users_assigned_to_role(
             querier=querier,
         )
 
-    def get_global_scope(self) -> ScopeListResult:
-        """Get the global scope as a static result."""
-        return ScopeListResult(
-            items=[
-                ScopeData(
-                    id=ScopeId(scope_type=ScopeType.GLOBAL, scope_id=GLOBAL_SCOPE_ID),
-                    name=GLOBAL_SCOPE_ID,
-                )
-            ],
-            total_count=1,
-            has_next_page=False,
-            has_previous_page=False,
-        )
-
     @permission_controller_repository_resilience.apply()
     async def search_scopes(
         self,

tests/unit/manager/repositories/permission_controller/test_search_scopes.py

@@ -11,7 +11,7 @@
 import pytest
 
 from ai.backend.common.data.filter_specs import StringMatchSpec
-from ai.backend.common.data.permission.types import GLOBAL_SCOPE_ID, RBACElementType, ScopeType
+from ai.backend.common.data.permission.types import RBACElementType, ScopeType
 from ai.backend.common.types import ResourceSlot
 from ai.backend.manager.models.agent import AgentRow
 from ai.backend.manager.models.deployment_auto_scaling_policy import DeploymentAutoScalingPolicyRow
@@ -781,21 +781,6 @@ def permission_controller_repository(
         """Create PermissionControllerRepository instance."""
         return PermissionControllerRepository(db_with_scope_tables)
 
-    async def test_search_scopes_global_returns_static_result(
-        self,
-        permission_controller_repository: PermissionControllerRepository,
-    ) -> None:
-        """Test global scope returns single static result."""
-        result = permission_controller_repository.get_global_scope()
-
-        assert result.total_count == 1
-        assert len(result.items) == 1
-        assert result.items[0].id.scope_type == ScopeType.GLOBAL
-        assert result.items[0].id.scope_id == GLOBAL_SCOPE_ID
-        assert result.items[0].name == GLOBAL_SCOPE_ID
-        assert result.has_next_page is False
-        assert result.has_previous_page is False
-
 
 class TestSearchScopesEmptyResult:
     """Tests for empty result handling."""