Filter cloud-restricted descendants by ancestor path prefix, not exact match

The cloud filtering for config diffs now matches descendant and indexed paths (e.g. SqlSettings.ReplicaLagSettings[0].DataSource) under tagged ancestor fields, not just exact path equality. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-28 04:35:04 -04:00 · 2026-03-22 10:44:27 -07:00 · 2026-03-22 10:44:27 -07:00 · dfe73b14c6
commit dfe73b14c6
parent 4563d7fc3f
1 changed files with 18 additions and 2 deletions
--- a/server/public/model/config.go
+++ b/server/public/model/config.go
@ -5198,7 +5198,23 @@ func CloudRestrictedPaths() map[string]bool {
 	return collectTaggedPaths(reflect.TypeFor[Config](), ConfigAccessTagType, ConfigAccessTagCloudRestrictable, "")
 }

-// FilterCloudRestrictedChanges removes changes whose paths match cloud-restrictable config fields.
+// isCloudRestricted checks whether a change path matches or is a descendant
+// of any cloud-restrictable config field path (e.g. "SqlSettings.ReplicaLagSettings"
+// also matches "SqlSettings.ReplicaLagSettings[0].DataSource").
+func isCloudRestricted(path string, restricted map[string]bool) bool {
+	if restricted[path] {
+		return true
+	}
+	for rp := range restricted {
+		if strings.HasPrefix(path, rp+".") || strings.HasPrefix(path, rp+"[") {
+			return true
+		}
+	}
+	return false
+}
+
+// FilterCloudRestrictedChanges removes changes whose paths match or descend from
+// cloud-restrictable config fields.
 func FilterCloudRestrictedChanges(items []*ConfigListItem) {
 	restricted := CloudRestrictedPaths()
 	for _, item := range items {
@ -5207,7 +5223,7 @@ func FilterCloudRestrictedChanges(items []*ConfigListItem) {
 		}
 		filtered := make([]ConfigChange, 0, len(item.Changes))
 		for _, ch := range item.Changes {
-			if !restricted[ch.Path] {
+			if !isCloudRestricted(ch.Path, restricted) {
 				filtered = append(filtered, ch)
 			}
 		}