update

[swami134]

Description

(insert summary)

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works

[Copilot]

Pull Request Overview

This PR adds comprehensive Role-Based Access Control (RBAC) functionality to the Caldera platform through multiple new plugins and middleware enhancements.

• Implements an RBAC plugin with GUI for managing user permissions and ability assignments
• Adds a testing plugin that demonstrates RBAC integration and provides utility interfaces
• Introduces logging middleware for request filtering and access control enforcement

Reviewed Changes

Copilot reviewed 42 out of 57 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
server.py	Adds logging middleware integration to main application and v2 API routes
plugins/rbac/*	Complete RBAC plugin implementation with GUI, state management, and API endpoints
plugins/testing/*	Testing plugin with RBAC demonstrations and utility interfaces
app/api/v2/logging_middleware.py	Middleware for enforcing RBAC policies and request filtering
plugins/helloworld/*	Basic example plugin with authentication features
plugins/accesscontrol/*	React-based access control plugin with user management
plugins/studentlab/*	Plugin for student-specific ability assignments and operations

Files not reviewed (1)

• caldera/package-lock.json: Language not supported

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

The import name 'log_all_requests' is misleading as this middleware actually performs RBAC enforcement and filtering rather than just logging. Consider renaming to 'rbac_enforcement_middleware' or similar to better reflect its purpose.

[Copilot]

The comment and inline comment create redundancy. The commented-out line should be removed as it serves no purpose, and the inline comment is unnecessary given the clear variable names.

Suggested change

	# app_svc.register_subapp("/api/v2", app.api.v2.make_app(app_svc.get_services())) # converted into two liner below
	v2_app = app.api.v2.make_app(app_svc.get_services())
	v2_app.middlewares.append(log_all_requests) # <-- add this line
	v2_app = app.api.v2.make_app(app_svc.get_services())
	v2_app.middlewares.append(log_all_requests)

[Copilot]

Duplicate imports detected. Lines 2-3 and 7-8 import the same modules. Remove the duplicate imports on lines 7-8.

Suggested change

	from aiohttp_jinja2 import template
	from app.service.auth_svc import check_authorization

[Copilot]

Duplicate static directory setup. Lines 23-25 and 41-42 both set up the same static directory route. Remove the duplicate setup on lines 41-42.

Suggested change

	static_dir = Path(__file__).parent / 'static'
	app.router.add_static('/plugin/testing/static', path=str(static_dir), append_version=True)

[Copilot]

Typo in the title: 'hello word' should be 'hello world'.

Suggested change

	<title>hello word Plugin</title>
	<title>hello world Plugin</title>

[Copilot]

Incorrect product name: 'Calder' should be 'Caldera'.

Suggested change

	<h1>This is my first hello world plugin ui for <p style="color: red;">Calder</p></h1>
	<h1>This is my first hello world plugin ui for <p style="color: red;">Caldera</p></h1>

[Copilot]

Duplicate import and function calls. Lines 16-17 already import and call add_routes, making lines 19-21 redundant. Remove the duplicate code.

Suggested change

	from .app.api.accesscontrol_api import add_routes, add_gui_routes
	await add_routes(app_svc.application, services)
	from .app.api.accesscontrol_api import add_gui_routes

[Copilot]

Duplicate plugin blocking logic. This code block (lines 170-176) duplicates the same logic from lines 159-169. The duplicate block should be removed as it's unreachable and creates confusion.

Suggested change

	parts = path.split('/')
	plugin_name = parts[2] if len(parts) > 2 else ''
	blocked = _get_blocked_plugins_for_user(request, user)
	if plugin_name and plugin_name in blocked:
	if path.startswith('/plugin/') or path.startswith('/plugins/'):
	return web.Response(text=f"Plugin '{plugin_name}' is not available for your role.", status=403, content_type='text/html')
	return web.json_response({"error": "Forbidden for your role"}, status=403)

[deacon-mp]

Can you Address the comments above and resubmit for approval

[sonarqubecloud]

Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud