category: reference

tags:

- phase-2

- acl

- middleware

**Branch:** `feat/P2-3-acl-enforcement` (from `phase-2`)

**Status:** Complete — 21/21 tests passing

- String constants: `READ`, `WRITE`, `UPLOAD`, `ADMIN`

- `ROLE_PERMISSIONS` dict mapping owner/editor/viewer to permission tuples

- `permissions_for_role(role)` — returns tuple or raises `ValueError`

- `format_permission_header(permissions)` — comma-separated string

- `AclEnforcer` class with constructor injection (`acl_model`, `wiki_model`)

- `check_access(user_id, wiki_id)` — looks up ACL entry, returns `{role, permissions}` or raises `AuthError(403)`

- `check_public_access(wiki_id)` — parses `owner_id:wiki_slug`, checks `is_public` flag, returns READ or raises

- `check_bearer_token(token)` — delegates to `WikiModel.scan_by_token()`, returns editor-level permissions or raises `AuthError(401)`

- `build_proxy_headers(email, name, permissions)` — returns dict with `x-otterwiki-name`, `x-otterwiki-email`, `x-otterwiki-permissions`

- Added `scan_by_token(plaintext_token)` — scans all wikis with `mcp_token_hash`, checks each with `bcrypt.checkpw()`, handles pagination

- Added `bcrypt` and `Attr` imports

- 21 tests using moto for DynamoDB mocking

- Covers: role mapping (4), format_permission_header (4), check_access (4), check_public_access (3), check_bearer_token (3), build_proxy_headers (3)

- Bearer token validation scans all wikis then bcrypt-checks each (bcrypt salts are non-deterministic)

- `wiki_id` format: `{owner_id}:{wiki_slug}` — parsed by `_parse_wiki_id()` helper

- Token-authenticated requests get editor-level permissions (READ, WRITE, UPLOAD)

- No new dependencies beyond `bcrypt` (already needed for token hashing)