
Conversation

@Mohamed-Hacene (Collaborator) commented Dec 1, 2025

Summary by CodeRabbit

  • New Features

    • Expanded UI text in 20+ locales — added PMBOK, IAM, CRQ and many action labels (accreditation, collections, folders, tokens, roles, SSO, users/groups, risk items).
  • Chores

    • Permission filtering refined: permission listings now include additional apps and exclude specific permission models to better surface relevant permissions.
  • Other

    • Minor localization wording updates in several languages.


@coderabbitai coderabbitai bot (Contributor) commented Dec 1, 2025

Walkthrough

Added an IGNORED_PERMISSION_MODELS constant and extended ALLOWED_PERMISSION_APPS in backend/iam/models.py; permission filtering for object_type "permission" now filters by ALLOWED_PERMISSION_APPS and excludes IGNORED_PERMISSION_MODELS. Appended many new localization keys across numerous frontend/messages/*.json files.

Changes

Cohort / File(s) Change Summary
Backend — IAM model
backend/iam/models.py
Added IGNORED_PERMISSION_MODELS constant; expanded ALLOWED_PERMISSION_APPS to include "crq", "pmbok", and "iam"; updated get_accessible_object_ids for object_type == "permission" to filter permissions by ALLOWED_PERMISSION_APPS and exclude permissions whose content_type.model is in IGNORED_PERMISSION_MODELS (replacing prior app_label-only filtering).
Frontend — Localization (many locales)
frontend/messages/*.json
Examples: frontend/messages/ar.json, frontend/messages/en.json, frontend/messages/fr.json, frontend/messages/pl.json, frontend/messages/tr.json, frontend/messages/da.json, ...
Appended a large set of new translation keys (including pmbok, iam, crq and many add/change/delete/view strings for accreditation, collections, folders, personal access tokens, roles, role assignments, SSO settings, users/groups, quantitative-risk entities). Several files also adjusted legacyEvidenceField wording or added a trailing comma for JSON syntax.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Focus areas:
    • backend/iam/models.py — confirm IGNORED_PERMISSION_MODELS contents and that the combined ALLOWED + IGNORED filter yields the intended permission set (no accidental broadened access).
    • A representative subset of frontend/messages/*.json — validate JSON syntax (commas) and check new keys match frontend usage (spelling/consistency).

Suggested labels

new feature, i18n, High Value

Suggested reviewers

  • Mohamed-Hacene
  • eric-intuitem

Poem

🐰 I hopped through code and keys today,
Added apps and words along the way.
IGNORED models tucked out of sight,
Translations blooming left and right.
A tiny rabbit cheers — all systems OK!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped because CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: adding IAM, CRQ, and PMBOK permissions to roles, which is reflected in the backend models changes and extensive translation additions across multiple languages.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 100.00%, which is sufficient; the required threshold is 80.00%.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dc027de and 93afb7c.

📒 Files selected for processing (1)
  • backend/iam/models.py (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • backend/iam/models.py
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: enterprise-startup-functional-test (3.12)
  • GitHub Check: startup-docker-compose-test
  • GitHub Check: build (3.12)
  • GitHub Check: startup-functional-test (3.12)
  • GitHub Check: enterprise-startup-docker-compose-test
  • GitHub Check: test (3.12)
  • GitHub Check: build_community_frontend
  • GitHub Check: build_enterprise_frontend
  • GitHub Check: Analyze (python)


@coderabbitai coderabbitai bot (Contributor) left a comment

Actionable comments posted: 9

🧹 Nitpick comments (11)
frontend/messages/en.json (1)

2819-2864: Fix wording consistency for Folder/Domain and CRQ permission labels; minor copy edit.

  • Align folder permissions with existing “Domain” terminology.
  • Disambiguate CRQ permissions (scenario/study/hypothesis).
  • Use “Back up” (verb) instead of “Backup”.

Apply:

- "addFolder": "Add folder",
- "changeFolder": "Change folder",
- "deleteFolder": "Delete folder",
+ "addFolder": "Add domain",
+ "changeFolder": "Change domain",
+ "deleteFolder": "Delete domain",

- "backupUser": "Backup user",
+ "backupUser": "Back up user",

- "changeQuantitativeRiskHypothesis": "Change quantitative risk hypothesis",
- "deleteQuantitativeRiskHypothesis": "Delete quantitative risk hypothesis",
- "viewQuantitativeRiskHypothesis": "View quantitative risk hypothesis",
- "changeQuantitativeRiskScenario": "Change scenario",
- "deleteQuantitativeRiskScenario": "Delete scenario",
- "viewQuantitativeRiskScenario": "View scenario",
- "changeQuantitativeRiskStudy": "Change risk quantification study",
- "deleteQuantitativeRiskStudy": "Delete risk quantification study",
- "viewQuantitativeRiskStudy": "View risk quantification study"
+ "changeQuantitativeRiskHypothesis": "Change CRQ hypothesis",
+ "deleteQuantitativeRiskHypothesis": "Delete CRQ hypothesis",
+ "viewQuantitativeRiskHypothesis": "View CRQ hypothesis",
+ "changeQuantitativeRiskScenario": "Change CRQ scenario",
+ "deleteQuantitativeRiskScenario": "Delete CRQ scenario",
+ "viewQuantitativeRiskScenario": "View CRQ scenario",
+ "changeQuantitativeRiskStudy": "Change CRQ study",
+ "deleteQuantitativeRiskStudy": "Delete CRQ study",
+ "viewQuantitativeRiskStudy": "View CRQ study"

Also, confirm backend permission allowlist includes apps “iam”, “crq”, “pmbok” and that Permission filtering by content_type app_label remains enforced to avoid overexposure. Based on learnings, RoleAssignment relies on an allowlist.

frontend/messages/uk.json (1)

1508-1553: Unify “Домен” terminology and make CRQ permissions explicit.

  • Use “домен” to match existing “folder": "Домен".
  • Add “CRQ” to scenario/study/hypothesis permissions for clarity.
- "addFolder": "Додати папку",
- "changeFolder": "Змінити папку",
- "deleteFolder": "Видалити папку",
+ "addFolder": "Додати домен",
+ "changeFolder": "Змінити домен",
+ "deleteFolder": "Видалити домен",

- "changeQuantitativeRiskHypothesis": "Змінити гіпотезу кількісного ризику",
- "deleteQuantitativeRiskHypothesis": "Видалити гіпотезу кількісного ризику",
- "viewQuantitativeRiskHypothesis": "Переглянути гіпотезу кількісного ризику",
- "changeQuantitativeRiskScenario": "Змінити сценарій",
- "deleteQuantitativeRiskScenario": "Видалити сценарій",
- "viewQuantitativeRiskScenario": "Переглянути сценарій",
- "changeQuantitativeRiskStudy": "Змінити дослідження кількісного ризику",
- "deleteQuantitativeRiskStudy": "Видалити дослідження кількісного ризику",
- "viewQuantitativeRiskStudy": "Переглянути дослідження кількісного ризику"
+ "changeQuantitativeRiskHypothesis": "Змінити гіпотезу CRQ",
+ "deleteQuantitativeRiskHypothesis": "Видалити гіпотезу CRQ",
+ "viewQuantitativeRiskHypothesis": "Переглянути гіпотезу CRQ",
+ "changeQuantitativeRiskScenario": "Змінити сценарій CRQ",
+ "deleteQuantitativeRiskScenario": "Видалити сценарій CRQ",
+ "viewQuantitativeRiskScenario": "Переглянути сценарій CRQ",
+ "changeQuantitativeRiskStudy": "Змінити дослідження CRQ",
+ "deleteQuantitativeRiskStudy": "Видалити дослідження CRQ",
+ "viewQuantitativeRiskStudy": "Переглянути дослідження CRQ"

Please also verify backend allowlist now includes “iam”, “crq”, “pmbok” to keep permissions scoped. Based on learnings, ...

frontend/messages/ur.json (1)

962-1007: Clarify CRQ permission labels to match model naming.

If the model labels use “CRQ scenario/hypothesis/study”, reflect that in permission strings to avoid ambiguity.

- "changeQuantitativeRiskHypothesis": "مقدارتی خطرہ فرضیہ تبدیل کریں",
- "deleteQuantitativeRiskHypothesis": "مقدارتی خطرہ فرضیہ حذف کریں",
- "viewQuantitativeRiskHypothesis": "مقدارتی خطرہ فرضیہ دیکھیں",
- "changeQuantitativeRiskScenario": "منظرنامہ تبدیل کریں",
- "deleteQuantitativeRiskScenario": "منظرنامہ حذف کریں",
- "viewQuantitativeRiskScenario": "منظرنامہ دیکھیں",
- "changeQuantitativeRiskStudy": "خطرہ کی مقدار کی تحقیق تبدیل کریں",
- "deleteQuantitativeRiskStudy": "خطرہ کی مقدار کی تحقیق حذف کریں",
- "viewQuantitativeRiskStudy": "خطرہ کی مقدار کی تحقیق دیکھیں"
+ "changeQuantitativeRiskHypothesis": "CRQ مفروضہ تبدیل کریں",
+ "deleteQuantitativeRiskHypothesis": "CRQ مفروضہ حذف کریں",
+ "viewQuantitativeRiskHypothesis": "CRQ مفروضہ دیکھیں",
+ "changeQuantitativeRiskScenario": "CRQ منظرنامہ تبدیل کریں",
+ "deleteQuantitativeRiskScenario": "CRQ منظرنامہ حذف کریں",
+ "viewQuantitativeRiskScenario": "CRQ منظرنامہ دیکھیں",
+ "changeQuantitativeRiskStudy": "CRQ مطالعہ تبدیل کریں",
+ "deleteQuantitativeRiskStudy": "CRQ مطالعہ حذف کریں",
+ "viewQuantitativeRiskStudy": "CRQ مطالعہ دیکھیں"

Also ensure backend allowlist contains “iam”, “crq”, “pmbok”. Based on learnings, ...

frontend/messages/pt.json (1)

1034-1036: Align “scenario” label with the other quantitative risk keys.

Current string is too generic compared to “Hipótese/Estudo de risco quantitativo.” Suggest:

- "changeQuantitativeRiskScenario": "Alterar cenário",
+ "changeQuantitativeRiskScenario": "Alterar cenário de risco quantitativo",
frontend/messages/da.json (3)

1284-1287: Terminology: “Folder” vs “Domæne”.

Earlier, "folder": "Domæne" (Line 128). New keys use “mappe”. Please align to one term to avoid user confusion. If “Folder” represents the domain concept, use “Domæne” consistently:

- "addFolder": "Tilføj mappe",
- "changeFolder": "Ændre mappe",
- "deleteFolder": "Slet mappe",
+ "addFolder": "Tilføj domæne",
+ "changeFolder": "Ændr domæne",
+ "deleteFolder": "Slet domæne",

1317-1319: Improve DK grammar for “kvantitativt risikostudie”.

More natural phrasing:

- "changeQuantitativeRiskStudy": "Ændre risiko kvantitativ studie",
- "deleteQuantitativeRiskStudy": "Slet risiko kvantitativ studie",
- "viewQuantitativeRiskStudy": "Se risiko kvantitativ studie"
+ "changeQuantitativeRiskStudy": "Ændr kvantitativt risikostudie",
+ "deleteQuantitativeRiskStudy": "Slet kvantitativt risikostudie",
+ "viewQuantitativeRiskStudy": "Se kvantitativt risikostudie"

1302-1304: Minor wording: “Backup bruger”.

Consider a more idiomatic form:

- "backupUser": "Backup bruger",
+ "backupUser": "Sikkerhedskopiér bruger"

Alternative: “Tag backup af bruger”.

frontend/messages/pl.json (2)

1744-1747: Terminology: “Folder” vs “Domena”.

Earlier, "folder": "Domena" (Line 133). New keys use “folder”. Align to avoid UX inconsistencies:

- "addFolder": "Dodaj folder",
- "changeFolder": "Zmień folder",
- "deleteFolder": "Usuń folder",
+ "addFolder": "Dodaj domenę",
+ "changeFolder": "Zmień domenę",
+ "deleteFolder": "Usuń domenę",

1774-1777: Make quantitative scenario labels explicit (match Hypothesis/Study).

- "changeQuantitativeRiskScenario": "Zmień scenariusz",
- "deleteQuantitativeRiskScenario": "Usuń scenariusz",
- "viewQuantitativeRiskScenario": "Zobacz scenariusz",
+ "changeQuantitativeRiskScenario": "Zmień scenariusz ryzyka ilościowego",
+ "deleteQuantitativeRiskScenario": "Usuń scenariusz ryzyka ilościowego",
+ "viewQuantitativeRiskScenario": "Zobacz scenariusz ryzyka ilościowego",
frontend/messages/sv.json (1)

1025-1027: Be explicit: quantitative scenario.

- "changeQuantitativeRiskScenario": "Ändra scenario",
- "deleteQuantitativeRiskScenario": "Ta bort scenario",
- "viewQuantitativeRiskScenario": "Visa scenario",
+ "changeQuantitativeRiskScenario": "Ändra kvantitativt riskscenario",
+ "deleteQuantitativeRiskScenario": "Ta bort kvantitativt riskscenario",
+ "viewQuantitativeRiskScenario": "Visa kvantitativt riskscenario",
frontend/messages/nl.json (1)

1025-1026: Prefer “Back-up van gebruiker maken”.

“Gebruiker back-uppen” is colloquial. Consider more standard phrasing.

- "backupUser": "Gebruiker back-uppen",
+ "backupUser": "Back-up van gebruiker maken",
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b7a9583 and ff0d07f.

📒 Files selected for processing (22)
  • backend/iam/models.py (1 hunks)
  • frontend/messages/ar.json (1 hunks)
  • frontend/messages/cs.json (1 hunks)
  • frontend/messages/da.json (1 hunks)
  • frontend/messages/de.json (1 hunks)
  • frontend/messages/el.json (1 hunks)
  • frontend/messages/en.json (1 hunks)
  • frontend/messages/es.json (1 hunks)
  • frontend/messages/fr.json (1 hunks)
  • frontend/messages/hi.json (1 hunks)
  • frontend/messages/hr.json (1 hunks)
  • frontend/messages/hu.json (1 hunks)
  • frontend/messages/id.json (1 hunks)
  • frontend/messages/it.json (1 hunks)
  • frontend/messages/nl.json (1 hunks)
  • frontend/messages/pl.json (1 hunks)
  • frontend/messages/pt.json (1 hunks)
  • frontend/messages/ro.json (1 hunks)
  • frontend/messages/sv.json (1 hunks)
  • frontend/messages/tr.json (1 hunks)
  • frontend/messages/uk.json (1 hunks)
  • frontend/messages/ur.json (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: Mohamed-Hacene
Repo: intuitem/ciso-assistant-community PR: 2422
File: backend/core/serializers.py:1018-1030
Timestamp: 2025-08-25T08:51:15.404Z
Learning: The CISO Assistant project uses a custom permission system where RoleAssignment.get_accessible_object_ids() provides special handling for Permission objects by filtering them by content_type app_label rather than folder hierarchy, since Permission objects don't belong to folders. This allows safe CRUD operations on permissions while preventing privilege escalation by restricting access to only application-specific permissions from allowed apps: "core", "ebios_rm", "tprm", "privacy", "resilience", and "cal".
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: enterprise-startup-docker-compose-test
  • GitHub Check: enterprise-startup-functional-test (3.12)
  • GitHub Check: startup-docker-compose-test
  • GitHub Check: startup-functional-test (3.12)
  • GitHub Check: test (3.12)
  • GitHub Check: build (3.12)
  • GitHub Check: build_enterprise_frontend
  • GitHub Check: build_community_frontend
  • GitHub Check: Analyze (python)
🔇 Additional comments (11)
frontend/messages/hi.json (1)

963-1008: No action required. The backend permission system already includes all three new apps (iam, crq, pmbok) in the ALLOWED_PERMISSION_APPS whitelist, and the permission filtering logic correctly handles them. The localization entries are fully supported by the backend implementation.

backend/iam/models.py (1)

50-59: ALLOWED_PERMISSION_APPS extension aligns with existing permission filtering model

Adding "iam", "crq" and "pmbok" here cleanly plugs the new apps into the existing Permission filtering path in RoleAssignment.get_accessible_object_ids, while still scoping access to an explicit allowlist rather than all Django apps. This matches the RBAC pattern described for permissions and looks safe as long as these three apps are intended to have their Permission objects manageable through roles rather than only by superusers. Based on learnings, this is consistent with how permission CRUD is already exposed for the other app labels.

frontend/messages/es.json (1)

1001-1046: New Spanish permission labels are consistent and structurally sound

The added ES translations for legacyEvidenceField, pmbok/iam/crq, and the various permission-related actions (e.g. changeRoleAssignment, viewQuantitativeRiskStudy) follow the existing naming convention and keep the JSON valid. They should integrate cleanly with any permission/label rendering that relies on these keys.

frontend/messages/ro.json (1)

991-1036: Romanian additions mirror the shared permission key set

The new RO entries correctly mirror the shared permission-related keys (pmbok, iam, crq, folder/role/SSO/user CRUD, quantitative risk objects), keeping naming consistent across locales and preserving valid JSON structure.

frontend/messages/id.json (1)

1179-1224: Indonesian permission labels correctly extend the shared key set

The added Indonesian translations for legacyEvidenceField, the new apps, and all related permission operations are consistent with other locales and with the underlying permission codenames, with no JSON or naming issues apparent.

frontend/messages/ar.json (1)

962-1007: Arabic translations for new permission keys are complete and consistent

The newly added Arabic entries for legacyEvidenceField, pmbok/iam/crq, and the various permission/CRUD actions stay in sync with other locales and preserve valid JSON, so the permission UI should render correctly for AR users as well.

frontend/messages/fr.json (1)

2795-2797: New app labels (PMBOK, IAM, CRQ) look fine.

No issues; matches backend intent to expose new permission apps.

Please still verify backend allowlist updates (see repo-wide checks below). Based on learnings, ...

frontend/messages/cs.json (1)

982-985: Legacy evidence and new app labels are OK.

“Pole důkazů je zastaralé”, “PMBOK”, “IAM”, “CRQ” look fine.

frontend/messages/hu.json (1)

994-1040: Hungarian additions read well.

Folder actions match “Mappa”; CRQ/PMBOK/IAM labels OK. No changes needed.

frontend/messages/nl.json (1)

997-1042: Other Dutch additions look consistent.

IAM/CRQ/PMBOK and CRUD labels align with existing terminology.

frontend/messages/tr.json (1)

1728-1772: Backend permission allowlist properly includes new apps.

The three new apps (pmbok, iam, crq) have been correctly added to ALLOWED_PERMISSION_APPS in backend/iam/models.py. The frontend localization translations are now consistent with the backend permission system and will function correctly during permission checks.
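The permission filter that the walkthrough (get_accessible_object_ids for object_type "permission") and the learnings note describe reduces to a small predicate: keep a Permission only if its content_type.app_label is in ALLOWED_PERMISSION_APPS, and, after this PR, also drop it if its content_type.model is in IGNORED_PERMISSION_MODELS. The review's focus area, "no accidental broadened access", can be checked mechanically by diffing the permission set before and after the change. The block below is an added, Django-free illustration written for this page; it is not code from the ciso-assistant repository. `Perm` stands in for django.contrib.auth.models.Permission joined to its ContentType, the sample catalogue is constructed, and the contents of IGNORED_PERMISSION_MODELS are assumed (a made-up model name) because the thread does not show them. It also shows the anti-pattern the reviewer is guarding against: a denylist without the allowlist, which silently exposes Django's own auth and contenttypes permissions.

```python
from dataclasses import dataclass

# App labels as the review thread lists them: the six that were already allowed
# plus the three this PR adds.
PREVIOUS_ALLOWED_PERMISSION_APPS = frozenset(
    {"core", "ebios_rm", "tprm", "privacy", "resilience", "cal"}
)
NEW_APPS = frozenset({"crq", "pmbok", "iam"})
ALLOWED_PERMISSION_APPS = PREVIOUS_ALLOWED_PERMISSION_APPS | NEW_APPS

# ASSUMPTION: the real IGNORED_PERMISSION_MODELS is not shown in the thread;
# a single made-up model name is used here only to exercise the denylist.
IGNORED_PERMISSION_MODELS = frozenset({"hypotheticalinternalmodel"})


@dataclass(frozen=True)
class Perm:
    """Stand-in for a Permission row joined to its ContentType."""
    id: int
    app_label: str  # permission.content_type.app_label
    model: str      # permission.content_type.model
    codename: str


# Constructed sample catalogue (not dumped from a real instance). Entries 7 and 8
# stand for Django-internal permissions that must never become role-assignable.
SAMPLE_PERMISSIONS = (
    Perm(1, "core", "asset", "view_asset"),
    Perm(2, "iam", "folder", "add_folder"),
    Perm(3, "iam", "roleassignment", "add_roleassignment"),
    Perm(4, "crq", "quantitativeriskstudy", "view_quantitativeriskstudy"),
    Perm(5, "pmbok", "accreditation", "change_accreditation"),
    Perm(6, "iam", "hypotheticalinternalmodel", "change_hypotheticalinternalmodel"),
    Perm(7, "auth", "permission", "change_permission"),
    Perm(8, "contenttypes", "contenttype", "change_contenttype"),
)


def accessible_before(perms, allowed=PREVIOUS_ALLOWED_PERMISSION_APPS):
    """Pre-PR rule: app_label allowlist only."""
    return {p.id for p in perms if p.app_label in allowed}


def accessible_after(perms, allowed=ALLOWED_PERMISSION_APPS,
                     ignored=IGNORED_PERMISSION_MODELS):
    """Post-PR rule: app_label allowlist AND content_type.model denylist.

    ORM shape this mirrors: filter(content_type__app_label__in=allowed)
                            .exclude(content_type__model__in=ignored)
    """
    return {p.id for p in perms if p.app_label in allowed and p.model not in ignored}


def accessible_denylist_only(perms, ignored=IGNORED_PERMISSION_MODELS):
    """Anti-pattern: keeping only the denylist. Looks similar in a diff but
    exposes every app, including auth and contenttypes."""
    return {p.id for p in perms if p.model not in ignored}


def broadening_violations(perms, before_ids, after_ids, new_apps=NEW_APPS,
                          allowed=ALLOWED_PERMISSION_APPS,
                          ignored=IGNORED_PERMISSION_MODELS):
    """Reviewer check for 'no accidental broadened access'.

    Returns human-readable violations; an empty list means the new filter only
    added permissions from the newly allowed apps, stayed inside the allowlist,
    exposed nothing from the ignored models, and lost nothing it should keep.
    """
    by_id = {p.id: p for p in perms}
    problems = []
    for pid in sorted(before_ids - after_ids):
        p = by_id[pid]
        if p.model not in ignored:
            problems.append(f"{p.app_label}.{p.codename}: previously accessible, now lost")
    for pid in sorted(after_ids):
        p = by_id[pid]
        if p.app_label not in allowed:
            problems.append(f"{p.app_label}.{p.codename}: outside ALLOWED_PERMISSION_APPS")
        elif p.model in ignored:
            problems.append(f"{p.app_label}.{p.codename}: model is in IGNORED_PERMISSION_MODELS")
        elif pid not in before_ids and p.app_label not in new_apps:
            problems.append(f"{p.app_label}.{p.codename}: newly exposed but not from a new app")
    return problems


if __name__ == "__main__":
    before = accessible_before(SAMPLE_PERMISSIONS)
    after = accessible_after(SAMPLE_PERMISSIONS)
    print("before:", sorted(before), "after:", sorted(after))
    print("violations (PR filter):", broadening_violations(SAMPLE_PERMISSIONS, before, after))
    bad = accessible_denylist_only(SAMPLE_PERMISSIONS)
    print("violations (denylist only):", broadening_violations(SAMPLE_PERMISSIONS, before, bad))
```

Run against a real instance, the same check would take the two querysets' `values_list("id", flat=True)` before and after the change; the point of `broadening_violations` is that the allowlist and the denylist are checked independently, so a diff that accidentally drops the `app_label` filter while adding the `model` exclusion is reported even though the ignored models are still excluded.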

Comment on lines 1001 to 1046 of frontend/messages/de.json
"legacyEvidenceField": "Veraltetes Beweisfeld",
"pmbok": "PMBOK",
"iam": "IAM",
"crq": "CRQ",
"changeAccreditation": "Akreditierung ändern",
"deleteAccreditation": "Akreditierung löschen",
"viewAccreditation": "Akreditierung anzeigen",
"changeGenericCollection": "Sammlung ändern",
"deleteGenericCollection": "Sammlung löschen",
"viewGenericCollection": "Sammlung anzeigen",
"addFolder": "Ordner hinzufügen",
"changeFolder": "Ordner ändern",
"deleteFolder": "Ordner löschen",
"addPersonalAccessToken": "Persönliches Zugriffstoken hinzufügen",
"changePersonalAccessToken": "Persönliches Zugriffstoken ändern",
"deletePersonalAccessToken": "Persönliches Zugriffstoken löschen",
"viewPersonalAccessToken": "Persönliches Zugriffstoken anzeigen",
"changeRole": "Rolle ändern",
"deleteRole": "Rolle löschen",
"viewRole": "Rolle anzeigen",
"addRoleAssignment": "Rollenzuweisung hinzufügen",
"changeRoleAssignment": "Rollenzuweisung ändern",
"deleteRoleAssignment": "Rollenzuweisung löschen",
"viewRoleAssignment": "Rollenzuweisung anzeigen",
"addSSOSettings": "SSO-Einstellungen hinzufügen",
"changeSSOSettings": "SSO-Einstellungen ändern",
"deleteSSOSettings": "SSO-Einstellungen löschen",
"viewSSOSettings": "SSO-Einstellungen anzeigen",
"backupUser": "Benutzer sichern",
"restoreUser": "Benutzer wiederherstellen",
"changeUser": "Benutzer ändern",
"deleteUser": "Benutzer löschen",
"viewUser": "Benutzer anzeigen",
"addUserGroup": "Benutzergruppe hinzufügen",
"changeUserGroup": "Benutzergruppe ändern",
"deleteUserGroup": "Benutzergruppe löschen",
"viewUserGroup": "Benutzergruppe anzeigen",
"changeQuantitativeRiskHypothesis": "Quantitative Risikohypothese ändern",
"deleteQuantitativeRiskHypothesis": "Quantitative Risikohypothese löschen",
"viewQuantitativeRiskHypothesis": "Quantitative Risikohypothese anzeigen",
"changeQuantitativeRiskScenario": "Szenario ändern",
"deleteQuantitativeRiskScenario": "Szenario löschen",
"viewQuantitativeRiskScenario": "Szenario anzeigen",
"changeQuantitativeRiskStudy": "Risikoquantifizierungsstudie ändern",
"deleteQuantitativeRiskStudy": "Risikoquantifizierungsstudie löschen",
"viewQuantitativeRiskStudy": "Risikoquantifizierungsstudie anzeigen"
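Review bot: the block ends at `"viewQuantitativeRiskStudy": "Risikoquantifizierungsstudie anzeigen"` with no trailing comma, which is only valid if it is the final key of the enclosing object; the walkthrough says several locale files needed a trailing comma added for JSON syntax, so parse frontend/messages/de.json (for example with `python -m json.tool`) before merging rather than relying on the frontend build to catch it.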
coderabbitai bot (Contributor) left a comment
⚠️ Potential issue | 🟡 Minor

German typos and specificity: Akkreditierung + Quantitatives Risikoszenario.

  • Fix spelling to “Akkreditierung”.
  • Make QuantitativeRiskScenario explicit.
- "changeAccreditation": "Akreditierung ändern",
- "deleteAccreditation": "Akreditierung löschen",
- "viewAccreditation": "Akreditierung anzeigen",
+ "changeAccreditation": "Akkreditierung ändern",
+ "deleteAccreditation": "Akkreditierung löschen",
+ "viewAccreditation": "Akkreditierung anzeigen",

- "changeQuantitativeRiskScenario": "Szenario ändern",
- "deleteQuantitativeRiskScenario": "Szenario löschen",
- "viewQuantitativeRiskScenario": "Szenario anzeigen",
+ "changeQuantitativeRiskScenario": "Quantitatives Risikoszenario ändern",
+ "deleteQuantitativeRiskScenario": "Quantitatives Risikoszenario löschen",
+ "viewQuantitativeRiskScenario": "Quantitatives Risikoszenario anzeigen",

Comment on lines +1691 to +1736 of frontend/messages/el.json
"legacyEvidenceField": "Παλιό Πεδίο Απόδειξης",
"pmbok": "PMBOK",
"iam": "IAM",
"crq": "CRQ",
"changeAccreditation": "Αλλαγή πιστοποίησης",
"deleteAccreditation": "Διαγραφή πιστοποίησης",
"viewAccreditation": "Προβολή πιστοποίησης",
"changeGenericCollection": "Αλλαγή συλλογής",
"deleteGenericCollection": "Διαγραφή συλλογής",
"viewGenericCollection": "Προβολή συλλογής",
"addFolder": "Προσθήκη φακέλου",
"changeFolder": "Αλλαγή φακέλου",
"deleteFolder": "Διαγραφή φακέλου",
"addPersonalAccessToken": "Προσθήκη προσωπικού διακριτικού πρόσβασης",
"changePersonalAccessToken": "Αλλαγή προσωπικού διακριτικού πρόσβασης",
"deletePersonalAccessToken": "Διαγραφή προσωπικού διακριτικού πρόσβασης",
"viewPersonalAccessToken": "Προβολή προσωπικού διακριτικού πρόσβασης",
"changeRole": "Αλλαγή ρόλου",
"deleteRole": "Διαγραφή ρόλου",
"viewRole": "Προβολή ρόλου",
"addRoleAssignment": "Προσθήκη εκχώρησης ρόλου",
"changeRoleAssignment": "Αλλαγή εκχώρησης ρόλου",
"deleteRoleAssignment": "Διαγραφή εκχώρησης ρόλου",
"viewRoleAssignment": "Προβολή εκχώρησης ρόλου",
"addSSOSettings": "Προσθήκη ρυθμίσεων SSO",
"changeSSOSettings": "Αλλαγή ρυθμίσεων SSO",
"deleteSSOSettings": "Διαγραφή ρυθμίσεων SSO",
"viewSSOSettings": "Προβολή ρυθμίσεων SSO",
"backupUser": "Δημιουργία αντιγράφου ασφαλείας χρήστη",
"restoreUser": "Επαναφορά χρήστη",
"changeUser": "Αλλαγή χρήστη",
"deleteUser": "Διαγραφή χρήστη",
"viewUser": "Προβολή χρήστη",
"addUserGroup": "Προσθήκη ομάδας χρηστών",
"changeUserGroup": "Αλλαγή ομάδας χρηστών",
"deleteUserGroup": "Διαγραφή ομάδας χρηστών",
"viewUserGroup": "Προβολή ομάδας χρηστών",
"changeQuantitativeRiskHypothesis": "Αλλαγή ποσοτικής υπόθεσης κινδύνου",
"deleteQuantitativeRiskHypothesis": "Διαγραφή ποσοτικής υπόθεσης κινδύνου",
"viewQuantitativeRiskHypothesis": "Προβολή ποσοτικής υπόθεσης κινδύνου",
"changeQuantitativeRiskScenario": "Αλλαγή σεναρίου",
"deleteQuantitativeRiskScenario": "Διαγραφή σεναρίου",
"viewQuantitativeRiskScenario": "Προβολή σεναρίου",
"changeQuantitativeRiskStudy": "Αλλαγή ποσοτικής μελέτης κινδύνου",
"deleteQuantitativeRiskStudy": "Διαγραφή ποσοτικής μελέτης κινδύνου",
"viewQuantitativeRiskStudy": "Προβολή ποσοτικής μελέτης κινδύνου"
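Review bot: `"addFolder": "Προσθήκη φακέλου"`, `"changeFolder"` and `"deleteFolder"` use the plain word for folder, while the same keys were flagged in en, uk, da and pl for not matching those files' existing `folder`/Domain terminology; check el.json's existing `folder` key and use the same term here so the role editor and the rest of the UI name the object identically.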
coderabbitai bot (Contributor) left a comment

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Check backend allowed apps include iam, crq, pmbok =="
rg -n "ALLOWED_PERMISSION_APPS" -C2 backend || true
echo "---"
rg -nP "(iam|crq|pmbok)" backend -C2 || true

echo
echo "== Find all QuantitativeRiskScenario labels across locales =="
echo "changeQuantitativeRiskScenario:"
fd -t f '.json$' frontend/messages | xargs -I{} rg -n '"changeQuantitativeRiskScenario"\s*:\s*"[^"]*"' {} || true

echo
echo "deleteQuantitativeRiskScenario:"
fd -t f '.json$' frontend/messages | xargs -I{} rg -n '"deleteQuantitativeRiskScenario"\s*:\s*"[^"]*"' {} || true

echo
echo "viewQuantitativeRiskScenario:"
fd -t f '.json$' frontend/messages | xargs -I{} rg -n '"viewQuantitativeRiskScenario"\s*:\s*"[^"]*"' {} || true

Repository: intuitem/ciso-assistant-community

Length of output: 50391


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== 1. Full ALLOWED_PERMISSION_APPS list ==="
sed -n '50,65p' backend/iam/models.py

echo
echo "=== 2. QuantitativeRiskScenario translations in el.json ==="
rg -n 'QuantitativeRiskScenario' frontend/messages/el.json

echo
echo "=== 3. Check for RoleAssignment terminology consistency in el.json ==="
rg -n '(RoleAssignment|εκχώρησης|ανάθεσης)' frontend/messages/el.json

echo
echo "=== 4. Check all locale files for QuantitativeRiskScenario pattern ==="
echo "Checking how other locales handle QuantitativeRiskScenario:"
fd -t f '.json$' frontend/messages | while read file; do
  locale=$(basename "$file" .json)
  result=$(rg 'QuantitativeRiskScenario' "$file" -c 2>/dev/null || echo "0")
  if [ "$result" != "0" ]; then
    echo "$locale: has QuantitativeRiskScenario entries"
    rg '"(change|delete|view)QuantitativeRiskScenario".*"[^"]*σεναρίου[^"]*"' "$file" -o 2>/dev/null || true
  fi
done

echo
echo "=== 5. Check Accreditation terminology in el.json ==="
rg -n 'Accreditation.*"[^"]*"' frontend/messages/el.json

Repository: intuitem/ciso-assistant-community

Length of output: 2298


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Compare all QuantitativeRisk* terms in el.json ==="
rg -n 'Quantitative(Risk)?(Hypothesis|Study|Scenario)' frontend/messages/el.json -A 0 | head -20

echo
echo "=== Check for 'Αναθέσεις' (assignments) pattern in el.json ==="
rg -n 'Αναθέσεις' frontend/messages/el.json

echo
echo "=== Search for existing RoleAssignment terms in el.json ==="
rg -n '".*RoleAssignment.*":' frontend/messages/el.json

echo
echo "=== Check how other locales translate QuantitativeRiskScenario vs Hypothesis/Study ==="
echo "English (en):"
rg '"(change|delete|view)Quantitative(Risk)?(Scenario|Hypothesis|Study)"' frontend/messages/en.json -o 2>/dev/null | head -6

echo
echo "French (fr):"
rg '"(change|delete|view)Quantitative(Risk)?(Scenario|Hypothesis|Study)"' frontend/messages/fr.json -o 2>/dev/null | head -6

echo
echo "=== Check full el.json context for Hypothesis and Study ==="
rg -n 'QuantitativeRisk(Hypothesis|Study)' frontend/messages/el.json -A 0

Repository: intuitem/ciso-assistant-community

Length of output: 2203


Minor i18n fixes for consistency (Accreditation, RoleAssignment, QuantitativeRiskScenario).

  • Prefer "Διαπίστευση" for Accreditation (more formal than "πιστοποίησης").
  • Align RoleAssignment with existing "Αναθέσεις ρόλων" (line 97): use "ανάθεσης" instead of "εκχώρησης ρόλου".
  • Make QuantitativeRiskScenario explicit: add "ποσοτικού … κινδύνου" to match QuantitativeRiskHypothesis and QuantitativeRiskStudy pattern.

Apply:

- "changeAccreditation": "Αλλαγή πιστοποίησης",
- "deleteAccreditation": "Διαγραφή πιστοποίησης",
- "viewAccreditation": "Προβολή πιστοποίησης",
+ "changeAccreditation": "Αλλαγή διαπίστευσης",
+ "deleteAccreditation": "Διαγραφή διαπίστευσης",
+ "viewAccreditation": "Προβολή διαπίστευσης",

- "addRoleAssignment": "Προσθήκη εκχώρησης ρόλου",
+ "addRoleAssignment": "Προσθήκη ανάθεσης ρόλου",

- "changeQuantitativeRiskScenario": "Αλλαγή σεναρίου",
- "deleteQuantitativeRiskScenario": "Διαγραφή σεναρίου",
- "viewQuantitativeRiskScenario": "Προβολή σεναρίου",
+ "changeQuantitativeRiskScenario": "Αλλαγή ποσοτικού σεναρίου κινδύνου",
+ "deleteQuantitativeRiskScenario": "Διαγραφή ποσοτικού σεναρίου κινδύνου",
+ "viewQuantitativeRiskScenario": "Προβολή ποσοτικού σεναρίου κινδύνου",
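Review bot: The hunk and the AI-agent prompt below it disagree on the Greek word order for the scenario keys: the hunk gives "Αλλαγή ποσοτικού σεναρίου κινδύνου", the prompt "Αλλαγή σεναρίου ποσοτικού κινδύνου"; settle on one form before either is pasted into el.json. The RoleAssignment part is also incomplete: only addRoleAssignment is switched to "ανάθεσης", while changeRoleAssignment, deleteRoleAssignment and viewRoleAssignment (all listed in the prompt) keep "εκχώρησης", so the inconsistency the bullet above describes survives this hunk.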

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In frontend/messages/el.json around lines 1691 to 1736, update three i18n
strings for consistency: change Accreditation translations from "Αλλαγή
πιστοποίησης" / "Διαγραφή πιστοποίησης" / "Προβολή πιστοποίησης" to use
"Διαπίστευση" (e.g. "Αλλαγή διαπίστευσης", "Διαγραφή διαπίστευσης", "Προβολή
διαπίστευσης"); change RoleAssignment entries from "Προσθήκη εκχώρησης ρόλου",
"Αλλαγή εκχώρησης ρόλου", "Διαγραφή εκχώρησης ρόλου", "Προβολή εκχώρησης ρόλου"
to use "ανάθεσης" (e.g. "Προσθήκη ανάθεσης ρόλου", "Αλλαγή ανάθεσης ρόλου",
"Διαγραφή ανάθεσης ρόλου", "Προβολή ανάθεσης ρόλου"); and make
QuantitativeRiskScenario explicit by changing "Αλλαγή σεναρίου", "Διαγραφή
σεναρίου", "Προβολή σεναρίου" to include "ποσοτικού κινδύνου" (e.g. "Αλλαγή
σεναρίου ποσοτικού κινδύνου", "Διαγραφή σεναρίου ποσοτικού κινδύνου", "Προβολή
σεναρίου ποσοτικού κινδύνου").

Comment on lines +2798 to +2801
"changeAccreditation": "Modifier l'accréditation",
"deleteAccreditation": "Supprimer l'accréditation",
"viewAccreditation": "Voir l'accréditation",
"changeGenericCollection": "Modifier la collection",

⚠️ Potential issue | 🟡 Minor

Stick to “Homologation” for accreditation (consistency).

Existing keys use “Homologation/ Homologations”. Update newly added actions accordingly.

- "changeAccreditation": "Modifier l'accréditation",
- "deleteAccreditation": "Supprimer l'accréditation",
- "viewAccreditation": "Voir l'accréditation",
+ "changeAccreditation": "Modifier l'homologation",
+ "deleteAccreditation": "Supprimer l'homologation",
+ "viewAccreditation": "Voir l'homologation",
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"changeAccreditation": "Modifier l'accréditation",
"deleteAccreditation": "Supprimer l'accréditation",
"viewAccreditation": "Voir l'accréditation",
"changeGenericCollection": "Modifier la collection",
"changeAccreditation": "Modifier l'homologation",
"deleteAccreditation": "Supprimer l'homologation",
"viewAccreditation": "Voir l'homologation",
"changeGenericCollection": "Modifier la collection",
🤖 Prompt for AI Agents
In frontend/messages/fr.json around lines 2798 to 2801, the translated strings
for accreditation actions are inconsistent with the project's terminology;
update the values for "changeAccreditation", "deleteAccreditation", and
"viewAccreditation" to use "Homologation" (singular) to match existing keys —
replace their current French strings with the corresponding phrases using
"l'homologation" (e.g., "Modifier l'homologation", "Supprimer l'homologation",
"Voir l'homologation") while keeping the keys unchanged.

Comment on lines 2805 to 2810
"changeFolder": "Modifier le dossier",
"deleteFolder": "Supprimer le dossier",
"addPersonalAccessToken": "Ajouter un jeton d'accès personnel",
"changePersonalAccessToken": "Modifier le jeton d'accès personnel",
"deletePersonalAccessToken": "Supprimer le jeton d'accès personnel",
"viewPersonalAccessToken": "Voir le jeton d'accès personnel",

⚠️ Potential issue | 🟡 Minor

Use “domaine” instead of “dossier” for Folder actions (consistency).

Elsewhere “folder” is translated as “Domaine” (e.g., viewFolder). Align these labels.

- "addFolder": "Ajouter un dossier",
- "changeFolder": "Modifier le dossier",
- "deleteFolder": "Supprimer le dossier",
+ "addFolder": "Ajouter un domaine",
+ "changeFolder": "Modifier le domaine",
+ "deleteFolder": "Supprimer le domaine",
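Review bot: The hunk writes "domaine" in lowercase while the prompt below asks for "Modifier le Domaine" / "Supprimer le Domaine"; use one casing, and take it from the existing viewFolder value since that is the precedent cited. The hunk's first line, addFolder, also lies outside the quoted range (lines 2805-2810 start at changeFolder), which is why no committable suggestion could be produced for it.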

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In frontend/messages/fr.json around lines 2805-2810, the French translations for
"changeFolder" and "deleteFolder" use "dossier" but should match the established
translation "Domaine" used elsewhere (e.g., viewFolder); update the string
values to "Modifier le Domaine" and "Supprimer le Domaine" respectively so all
folder-related labels are consistent.

Comment on lines +2837 to +2839
"changeQuantitativeRiskStudy": "Modifier une étude de quantificative",
"deleteQuantitativeRiskStudy": "Supprimer une étude de quantificative",
"viewQuantitativeRiskStudy": "Voir une étude de quantificative"

⚠️ Potential issue | 🟡 Minor

Fix French grammar: “étude quantitative”.

Replace “étude de quantificative” with “étude quantitative”.

- "changeQuantitativeRiskStudy": "Modifier une étude de quantificative",
- "deleteQuantitativeRiskStudy": "Supprimer une étude de quantificative",
- "viewQuantitativeRiskStudy": "Voir une étude de quantificative"
+ "changeQuantitativeRiskStudy": "Modifier une étude quantitative",
+ "deleteQuantitativeRiskStudy": "Supprimer une étude quantitative",
+ "viewQuantitativeRiskStudy": "Voir une étude quantitative"
🤖 Prompt for AI Agents
In frontend/messages/fr.json around lines 2837 to 2839, the French strings use
the incorrect phrase "étude de quantificative"; update each value to use the
correct grammar "étude quantitative" (i.e., replace "Modifier une étude de
quantificative" with "Modifier une étude quantitative", "Supprimer une étude de
quantificative" with "Supprimer une étude quantitative", and "Voir une étude de
quantificative" with "Voir une étude quantitative").

Comment on lines +1959 to +2004
"legacyEvidenceField": "Zastarjelo dokazivanje",
"pmbok": "PMBOK",
"iam": "IAM",
"crq": "CRQ",
"changeAccreditation": "Promijeni akreditaciju",
"deleteAccreditation": "Obriši akreditaciju",
"viewAccreditation": "Pogledaj akreditaciju",
"changeGenericCollection": "Promijeni kolekciju",
"deleteGenericCollection": "Obriši kolekciju",
"viewGenericCollection": "Pogledaj kolekciju",
"addFolder": "Dodaj mapu",
"changeFolder": "Promijeni mapu",
"deleteFolder": "Obriši mapu",
"addPersonalAccessToken": "Dodaj osobni pristupni token",
"changePersonalAccessToken": "Promijeni osobni pristupni token",
"deletePersonalAccessToken": "Obriši osobni pristupni token",
"viewPersonalAccessToken": "Pogledaj osobni pristupni token",
"changeRole": "Promijeni ulogu",
"deleteRole": "Obriši ulogu",
"viewRole": "Pogledaj ulogu",
"addRoleAssignment": "Dodaj dodjelu uloge",
"changeRoleAssignment": "Promijeni dodjelu uloge",
"deleteRoleAssignment": "Obriši dodjelu uloge",
"viewRoleAssignment": "Pogledaj dodjelu uloge",
"addSSOSettings": "Dodaj SSO postavke",
"changeSSOSettings": "Promijeni SSO postavke",
"deleteSSOSettings": "Obriši SSO postavke",
"viewSSOSettings": "Pogledaj SSO postavke",
"backupUser": "Kreiraj pričuvni račun",
"restoreUser": "Vrati pričuvni račun",
"changeUser": "Promijeni korisnika",
"deleteUser": "Obriši korisnika",
"viewUser": "Pogledaj korisnika",
"addUserGroup": "Dodaj grupu korisnika",
"changeUserGroup": "Promijeni grupu korisnika",
"deleteUserGroup": "Obriši grupu korisnika",
"viewUserGroup": "Pogledaj grupu korisnika",
"changeQuantitativeRiskHypothesis": "Promijeni kvantitativnu hipotezu rizika",
"deleteQuantitativeRiskHypothesis": "Obriši kvantitativnu hipotezu rizika",
"viewQuantitativeRiskHypothesis": "Pogledaj kvantitativnu hipotezu rizika",
"changeQuantitativeRiskScenario": "Promijeni scenarij",
"deleteQuantitativeRiskScenario": "Obriši scenarij",
"viewQuantitativeRiskScenario": "Pogledaj scenarij",
"changeQuantitativeRiskStudy": "Promijeni kvantitativno istraživanje rizika",
"deleteQuantitativeRiskStudy": "Obriši kvantitativno istraživanje rizika",
"viewQuantitativeRiskStudy": "Pogledaj kvantitativno istraživanje rizika"

⚠️ Potential issue | 🟡 Minor

Croatian terminology: backup/restore user and QuantitativeRiskScenario.

  • Clarify backup/restore actions on user.
  • Expand QuantitativeRiskScenario to “scenarij kvantitativnog rizika”.
- "backupUser": "Kreiraj pričuvni račun",
- "restoreUser": "Vrati pričuvni račun",
+ "backupUser": "Sigurnosno kopiraj korisnika",
+ "restoreUser": "Obnovi korisnika",

- "changeQuantitativeRiskScenario": "Promijeni scenarij",
- "deleteQuantitativeRiskScenario": "Obriši scenarij",
- "viewQuantitativeRiskScenario": "Pogledaj scenarij",
+ "changeQuantitativeRiskScenario": "Promijeni scenarij kvantitativnog rizika",
+ "deleteQuantitativeRiskScenario": "Obriši scenarij kvantitativnog rizika",
+ "viewQuantitativeRiskScenario": "Pogledaj scenarij kvantitativnog rizika",
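Review bot: Two different Croatian renderings are offered for the same two keys: the hunk has "Sigurnosno kopiraj korisnika" / "Obnovi korisnika", the prompt below "Kreiraj sigurnosnu kopiju korisnika" / "Vrati korisnika iz sigurnosne kopije". Pick one pair; the prompt's longer forms name the backup/restore action explicitly, which is what the comment asked for.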
🤖 Prompt for AI Agents
In frontend/messages/hr.json around lines 1959 to 2004, the Croatian strings
need clearer wording: change "backupUser": "Kreiraj pričuvni račun" to a phrase
explicitly indicating backing up the user (e.g. "Kreiraj sigurnosnu kopiju
korisnika") and "restoreUser": "Vrati pričuvni račun" to explicitly indicate
restoring from backup (e.g. "Vrati korisnika iz sigurnosne kopije"); also expand
the QuantitativeRiskScenario entries ("changeQuantitativeRiskScenario",
"deleteQuantitativeRiskScenario", "viewQuantitativeRiskScenario") from generic
"Promijeni/Obriši/Pogledaj scenarij" to "Promijeni scenarij kvantitativnog
rizika", "Obriši scenarij kvantitativnog rizika", and "Pogledaj scenarij
kvantitativnog rizika" respectively to match terminology.

Comment on lines +1371 to +1416
"legacyEvidenceField": "Campo di evidenza obsoleto",
"pmbok": "PMBOK",
"iam": "IAM",
"crq": "CRQ",
"changeAccreditation": "Cambia accredito",
"deleteAccreditation": "Elimina accredito",
"viewAccreditation": "Visualizza accredito",
"changeGenericCollection": "Cambia raccolta",
"deleteGenericCollection": "Elimina raccolta",
"viewGenericCollection": "Visualizza raccolta",
"addFolder": "Aggiungi cartella",
"changeFolder": "Cambia cartella",
"deleteFolder": "Elimina cartella",
"addPersonalAccessToken": "Aggiungi token di accesso personale",
"changePersonalAccessToken": "Cambia token di accesso personale",
"deletePersonalAccessToken": "Elimina token di accesso personale",
"viewPersonalAccessToken": "Visualizza token di accesso personale",
"changeRole": "Cambia ruolo",
"deleteRole": "Elimina ruolo",
"viewRole": "Visualizza ruolo",
"addRoleAssignment": "Aggiungi assegnazione ruolo",
"changeRoleAssignment": "Cambia assegnazione ruolo",
"deleteRoleAssignment": "Elimina assegnazione ruolo",
"viewRoleAssignment": "Visualizza assegnazione ruolo",
"addSSOSettings": "Aggiungi impostazioni SSO",
"changeSSOSettings": "Cambia impostazioni SSO",
"deleteSSOSettings": "Elimina impostazioni SSO",
"viewSSOSettings": "Visualizza impostazioni SSO",
"backupUser": "Backup utente",
"restoreUser": "Ripristina utente",
"changeUser": "Cambia utente",
"deleteUser": "Elimina utente",
"viewUser": "Visualizza utente",
"addUserGroup": "Aggiungi gruppo utenti",
"changeUserGroup": "Cambia gruppo utenti",
"deleteUserGroup": "Elimina gruppo utenti",
"viewUserGroup": "Visualizza gruppo utenti",
"changeQuantitativeRiskHypothesis": "Cambia ipotesi di rischio quantitativo",
"deleteQuantitativeRiskHypothesis": "Elimina ipotesi di rischio quantitativo",
"viewQuantitativeRiskHypothesis": "Visualizza ipotesi di rischio quantitativo",
"changeQuantitativeRiskScenario": "Cambia scenario",
"deleteQuantitativeRiskScenario": "Elimina scenario",
"viewQuantitativeRiskScenario": "Visualizza scenario",
"changeQuantitativeRiskStudy": "Cambia studio di quantificazione del rischio",
"deleteQuantitativeRiskStudy": "Elimina studio di quantificazione del rischio",
"viewQuantitativeRiskStudy": "Visualizza studio di quantificazione del rischio"

⚠️ Potential issue | 🟡 Minor

Italian wording tweaks: Accreditation and QuantitativeRiskScenario.

  • Use “accreditamento” (standard) instead of “accredito”.
  • Make QuantitativeRiskScenario explicit to match Hypothesis/Study.
- "changeAccreditation": "Cambia accredito",
- "deleteAccreditation": "Elimina accredito",
- "viewAccreditation": "Visualizza accredito",
+ "changeAccreditation": "Cambia accreditamento",
+ "deleteAccreditation": "Elimina accreditamento",
+ "viewAccreditation": "Visualizza accreditamento",

- "changeQuantitativeRiskScenario": "Cambia scenario",
- "deleteQuantitativeRiskScenario": "Elimina scenario",
- "viewQuantitativeRiskScenario": "Visualizza scenario",
+ "changeQuantitativeRiskScenario": "Cambia scenario di rischio quantitativo",
+ "deleteQuantitativeRiskScenario": "Elimina scenario di rischio quantitativo",
+ "viewQuantitativeRiskScenario": "Visualizza scenario di rischio quantitativo",
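Review bot: The hunk's "scenario di rischio quantitativo" matches the existing Hypothesis keys ("ipotesi di rischio quantitativo"), but the prompt below proposes "scenario di quantificazione del rischio quantitativo", which repeats the qualifier. Keep the hunk's form and correct the prompt, otherwise the Scenario labels end up matching neither the Hypothesis nor the Study keys.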
🤖 Prompt for AI Agents
In frontend/messages/it.json around lines 1371 to 1416, update the Italian
wording: replace the three occurrences of "accredito" with the standard term
"accreditamento" for changeAccreditation, deleteAccreditation and
viewAccreditation; and make the QuantitativeRiskScenario strings explicit to
match the other keys by replacing the generic "scenario" with a more specific
label such as "scenario di quantificazione del rischio quantitativo" (for
changeQuantitativeRiskScenario, deleteQuantitativeRiskScenario and
viewQuantitativeRiskScenario) so the phrasing parallels Hypothesis/Study.

Comment on lines +989 to +992
"changeAccreditation": "Ändra accreditation",
"deleteAccreditation": "Ta bort accreditation",
"viewAccreditation": "Visa accreditation",
"changeGenericCollection": "Ändra samling",

⚠️ Potential issue | 🟡 Minor

Replace English “accreditation” with Swedish “ackreditering”.

- "changeAccreditation": "Ändra accreditation",
- "deleteAccreditation": "Ta bort accreditation",
- "viewAccreditation": "Visa accreditation",
+ "changeAccreditation": "Ändra ackreditering",
+ "deleteAccreditation": "Ta bort ackreditering",
+ "viewAccreditation": "Visa ackreditering",
🤖 Prompt for AI Agents
In frontend/messages/sv.json around lines 989 to 992, the Swedish translations
incorrectly use the English word “accreditation”; replace each occurrence
("Ändra accreditation", "Ta bort accreditation", "Visa accreditation") with the
correct Swedish term using "ackreditering" so they read "Ändra ackreditering",
"Ta bort ackreditering", and "Visa ackreditering"; leave
"changeGenericCollection": "Ändra samling" unchanged.

@ab-smith ab-smith self-requested a review December 1, 2025 18:02

ab-smith commented Dec 1, 2025

don't include the IAM for now as it can break things

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
backend/iam/models.py (1)

50-58: Verify completeness of ALLOWED_PERMISSION_APPS (missing cal vs previous behavior)

Extending ALLOWED_PERMISSION_APPS with "crq" and "pmbok" is consistent with the new modules, but prior logic (and earlier work in this project) referenced the set {"core", "ebios_rm", "tprm", "privacy", "resilience", "cal"} for safe permission CRUD. Please double‑check whether "cal" (or any other legacy app) should still be present here to keep permission management consistent across apps, and update the tuple or add a code comment to record the intended set.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ff0d07f and 65c15e0.

📒 Files selected for processing (1)
  • backend/iam/models.py (2 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-08-25T08:51:15.404Z
Learnt from: Mohamed-Hacene
Repo: intuitem/ciso-assistant-community PR: 2422
File: backend/core/serializers.py:1018-1030
Timestamp: 2025-08-25T08:51:15.404Z
Learning: The CISO Assistant project uses a custom permission system where RoleAssignment.get_accessible_object_ids() provides special handling for Permission objects by filtering them by content_type app_label rather than folder hierarchy, since Permission objects don't belong to folders. This allows safe CRUD operations on permissions while preventing privilege escalation by restricting access to only application-specific permissions from allowed apps: "core", "ebios_rm", "tprm", "privacy", "resilience", and "cal".

Applied to files:

  • backend/iam/models.py
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Analyze (python)
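The nitpick above concerns the allow-list that decides which Permission rows a role editor may see and hand out. What follows is an added, self-contained stand-in for that rule, written for this review and not taken from ciso-assistant's backend/iam/models.py: it filters constructed sample permissions by content-type app_label against an allow-list and by model against an ignore-list, then shows which IAM permissions become grantable when "iam" is appended to the allow-list, and how an ignore-list entry per IAM model would hold them back. The tuple contents, the `Permission` dataclass, the app placement of the sample rows and the helper names are assumptions for the illustration.

```python
"""Stand-in for the Permission allow-list filter discussed in this thread.

Added illustration, not code from ciso-assistant. Permission rows are not
folder-scoped, so (per the recorded rationale above) accessibility is decided
by the permission's content-type app_label against an allow-list and, in this
PR, by its model against an ignore-list. Lists and sample rows below are
assumptions for the demo, not the project's actual values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """Minimal shape of a django.contrib.auth Permission plus its content type."""
    app_label: str  # Django app the model lives in, e.g. "core"
    model: str      # lowercase model name, e.g. "roleassignment"
    codename: str   # "add_<model>", "change_<model>", "delete_<model>", "view_<model>"

    @property
    def dotted(self) -> str:
        return f"{self.app_label}.{self.codename}"


# Assumed allow-list: the application apps named in the review thread.
APPLICATION_APPS = ("core", "ebios_rm", "tprm", "privacy", "resilience", "cal", "crq", "pmbok")
# Assumed ignore-list: framework models nobody should hand out through the UI.
FRAMEWORK_MODELS = frozenset({"permission", "contenttype", "session"})
# IAM models whose permissions let a holder change who may do what.
IAM_ESCALATION_MODELS = frozenset(
    {"role", "roleassignment", "user", "usergroup", "ssosettings", "personalaccesstoken"}
)

# Constructed sample rows; app placement follows the locale keys in this PR and is an assumption.
SAMPLE_PERMISSIONS = [
    Permission("core", "asset", "add_asset"),
    Permission("core", "asset", "view_asset"),
    Permission("crq", "quantitativeriskstudy", "change_quantitativeriskstudy"),
    Permission("pmbok", "genericcollection", "view_genericcollection"),
    Permission("iam", "folder", "add_folder"),
    Permission("iam", "roleassignment", "add_roleassignment"),
    Permission("iam", "role", "change_role"),
    Permission("iam", "user", "delete_user"),
    Permission("iam", "ssosettings", "change_ssosettings"),
    Permission("auth", "permission", "change_permission"),
    Permission("contenttypes", "contenttype", "view_contenttype"),
]


def grantable_permissions(perms, allowed_apps, ignored_models=FRAMEWORK_MODELS):
    """Permissions a role editor may assign: app allow-listed and model not ignore-listed."""
    return [p for p in perms if p.app_label in allowed_apps and p.model not in ignored_models]


def escalation_paths(grantable):
    """Subset of a grantable set that would let the holder widen their own access."""
    return sorted(p.dotted for p in grantable if p.app_label == "iam" and p.model in IAM_ESCALATION_MODELS)


def compare_allow_lists(perms=SAMPLE_PERMISSIONS):
    """Run the filter under the three configurations the review argues about."""
    baseline = grantable_permissions(perms, APPLICATION_APPS)
    with_iam = grantable_permissions(perms, APPLICATION_APPS + ("iam",))
    with_iam_guarded = grantable_permissions(
        perms, APPLICATION_APPS + ("iam",), FRAMEWORK_MODELS | IAM_ESCALATION_MODELS
    )
    return {
        "baseline": sorted(p.dotted for p in baseline),
        "with_iam": sorted(p.dotted for p in with_iam),
        "with_iam_guarded": sorted(p.dotted for p in with_iam_guarded),
        "escalation_baseline": escalation_paths(baseline),
        "escalation_with_iam": escalation_paths(with_iam),
        "escalation_with_iam_guarded": escalation_paths(with_iam_guarded),
    }


if __name__ == "__main__":
    for name, value in compare_allow_lists().items():
        print(f"{name}: {value}")
```

The point the comparison makes is that the app allow-list alone is all-or-nothing per app: once "iam" is in it, every IAM model's permissions are on the table unless the ignore-list names them one by one. Whichever of the two lists the project settles on, the test to keep is the `escalation_*` set being empty for any user who is not already a full administrator.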

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 6

♻️ Duplicate comments (3)
frontend/messages/de.json (1)

1041-1043: Generic wording for QuantitativeRiskScenario translations persists.

The previous review flagged that lines 1041-1043 should use "Quantitatives Risikoszenario" instead of the generic "Szenario" to clarify intent in the UI. This suggestion was not addressed.

Consider applying the suggested fix from the previous review:

- "changeQuantitativeRiskScenario": "Szenario ändern",
- "deleteQuantitativeRiskScenario": "Szenario löschen",
- "viewQuantitativeRiskScenario": "Szenario anzeigen",
+ "changeQuantitativeRiskScenario": "Quantitatives Risikoszenario ändern",
+ "deleteQuantitativeRiskScenario": "Quantitatives Risikoszenario löschen",
+ "viewQuantitativeRiskScenario": "Quantitatives Risikoszenario anzeigen",
frontend/messages/fr.json (2)

2798-2801: Stick to "Homologation" for accreditation (consistency).

This is a repeat of a past review comment. Existing keys use "Homologation/Homologations". Update these newly added actions to use "l'homologation" for consistency.

- "changeAccreditation": "Modifier l'accréditation",
- "deleteAccreditation": "Supprimer l'accréditation",
- "viewAccreditation": "Voir l'accréditation",
+ "changeAccreditation": "Modifier l'homologation",
+ "deleteAccreditation": "Supprimer l'homologation",
+ "viewAccreditation": "Voir l'homologation",

2837-2839: Fix French grammar: "étude quantitative".

This is a repeat of a past review comment. The phrase "étude de quantificative" is grammatically incorrect. Replace with "étude quantitative".

- "changeQuantitativeRiskStudy": "Modifier une étude de quantificative",
- "deleteQuantitativeRiskStudy": "Supprimer une étude de quantificative",
- "viewQuantitativeRiskStudy": "Voir une étude de quantificative"
+ "changeQuantitativeRiskStudy": "Modifier une étude quantitative",
+ "deleteQuantitativeRiskStudy": "Supprimer une étude quantitative",
+ "viewQuantitativeRiskStudy": "Voir une étude quantitative"
🧹 Nitpick comments (2)
frontend/messages/es.json (1)

1041-1043: Generic wording for QuantitativeRiskScenario—use "Escenario" with qualifier.

Lines 1041-1043 use generic "Escenario" instead of clarifying the context. Consider updating to "Escenario cuantitativo de riesgo" or similar to improve UI clarity.

- "changeQuantitativeRiskScenario": "Cambiar escenario",
- "deleteQuantitativeRiskScenario": "Eliminar escenario",
- "viewQuantitativeRiskScenario": "Ver escenario",
+ "changeQuantitativeRiskScenario": "Cambiar escenario de riesgo cuantitativo",
+ "deleteQuantitativeRiskScenario": "Eliminar escenario de riesgo cuantitativo",
+ "viewQuantitativeRiskScenario": "Ver escenario de riesgo cuantitativo",
frontend/messages/cs.json (1)

1022-1024: Generic wording for QuantitativeRiskScenario—clarify context.

Lines 1022-1024 use generic "Scénář" instead of contextualizing it as a quantitative risk scenario. For better UI clarity, consider a more specific phrase.

- "changeQuantitativeRiskScenario": "Změnit scénář",
- "deleteQuantitativeRiskScenario": "Smazat scénář",
- "viewQuantitativeRiskScenario": "Zobrazit scénář",
+ "changeQuantitativeRiskScenario": "Změnit scénář kvantitativního rizika",
+ "deleteQuantitativeRiskScenario": "Smazat scénář kvantitativního rizika",
+ "viewQuantitativeRiskScenario": "Zobrazit scénář kvantitativního rizika",
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 65c15e0 and cbac87a.

📒 Files selected for processing (7)
  • frontend/messages/cs.json (1 hunks)
  • frontend/messages/de.json (1 hunks)
  • frontend/messages/en.json (1 hunks)
  • frontend/messages/es.json (1 hunks)
  • frontend/messages/fr.json (1 hunks)
  • frontend/messages/nl.json (1 hunks)
  • frontend/messages/pl.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • frontend/messages/en.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Analyze (python)
🔇 Additional comments (7)
frontend/messages/nl.json (3)

998-998: LGTM!

The CRQ and PMBOK translation keys are appropriately added and consistent with the PR objectives.

Also applies to: 1000-1000


1001-1042: LGTM!

The governance and permission-related translation keys (roles, users, access tokens, accreditations, collections, SSO settings, etc.) are well-translated and properly localized for Dutch. These additions support the expanded permission system across IAM, CRQ, and PMBOK domains.


997-997: Minor wording improvement accepted.

The legacyEvidenceField value update from "Verouderd bewijsveld" to "Veld voor verouderd bewijs" improves grammatical clarity in Dutch.

frontend/messages/pl.json (1)

1734-1735: LGTM for PMBOK and CRQ permissions and translation updates.

The addition of PMBOK and CRQ translation keys and the extensive permission-related localization keys (accreditation, folder, personal access tokens, roles, SSO settings, users, user groups, and quantitative risk-related permissions) looks good. The legacy evidence field translation update is also appropriate.

Ensure this change is consistently applied across all locale files mentioned in the AI summary (ar, cs, de, es, fr, it, nl, pt, ro, sv, tr, uk, ur, etc.) and coordinate with backend ALLOWED_PERMISSION_APPS changes.

Also applies to: 1737-1779

frontend/messages/cs.json (2)

982-982: Minor wording improvement for legacyEvidenceField.

Line 982 updated the value from "Zastaralé pole důkazů" to "Pole důkazů je zastaralé". The new phrasing is slightly more natural Czech, though both are understandable. This is acceptable.


992-994: ✓ Folder actions now use "Doména" consistently.

The previous review recommended aligning folder action labels with the "Doména" translation for the key "folder". This has been correctly implemented in lines 992-994.

frontend/messages/fr.json (1)

2804-2806: Folder terminology now consistent.

The folder translations (addFolder, changeFolder, deleteFolder) correctly use "domaine" instead of "dossier", resolving the previous consistency concern.

"legacyEvidenceField": "Zastaralé pole důkazů"
"legacyEvidenceField": "Pole důkazů je zastaralé",
"pmbok": "PMBOK",
"iam": "IAM",

⚠️ Potential issue | 🔴 Critical

Remove IAM keys per PR objective feedback.

Line 984 includes "iam": "IAM", which contradicts the explicit PR feedback: "Do not include IAM for now because it can break things." This key must be removed.

Apply this diff:

  "pmbok": "PMBOK",
- "iam": "IAM",
  "crq": "CRQ",

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In frontend/messages/cs.json around line 984, remove the "iam": "IAM" entry from
the JSON file (delete that key/value pair and the trailing comma or adjust
surrounding commas to keep valid JSON) so the file no longer includes any
IAM-related key as requested by the PR feedback.

Comment on lines +1002 to +1004
"pmbok": "PMBOK",
"iam": "IAM",
"crq": "CRQ",
Contributor comment:

⚠️ Potential issue | 🔴 Critical

Remove IAM keys per PR objective feedback.

Line 1003 includes "iam": "IAM", which directly contradicts the explicit PR feedback from ab-smith: "Do not include IAM for now because it can break things." This key should be removed from all locale files.

Apply this diff to remove the IAM key:

  "pmbok": "PMBOK",
- "iam": "IAM",
  "crq": "CRQ",
🤖 Prompt for AI Agents
In frontend/messages/de.json around lines 1002-1004, remove the `"iam": "IAM"`
entry (line 1003) so the locale no longer contains the IAM key; after removal,
fix commas so the JSON remains valid (no trailing comma on the final property),
and search and remove the same `"iam"` key from all other locale files to match
the PR objective.

Comment on lines +1002 to +1004
"pmbok": "PMBOK",
"iam": "IAM",
"crq": "CRQ",
Contributor comment:

⚠️ Potential issue | 🔴 Critical

Remove IAM keys per PR objective feedback.

Line 1003 includes "iam": "IAM", which contradicts the explicit PR feedback: "Do not include IAM for now because it can break things." This key should be removed.

Apply this diff:

  "pmbok": "PMBOK",
- "iam": "IAM",
  "crq": "CRQ",
🤖 Prompt for AI Agents
In frontend/messages/es.json around lines 1002 to 1004, remove the "iam": "IAM"
entry introduced at line 1003 to comply with the PR feedback; after removing
that line, ensure the surrounding commas are adjusted so the JSON remains valid
(i.e., no trailing comma on the previous or next item).

"legacyEvidenceField": "Champ de preuve obsolète"
"legacyEvidenceField": "Champ de preuve obsolète",
"pmbok": "PMBOK",
"iam": "IAM",
Contributor comment:

⚠️ Potential issue | 🔴 Critical

Remove IAM entries per reviewer feedback.

Line 2796 adds IAM support, but reviewer ab-smith explicitly requested not to include IAM "because it can break things." Remove the "iam": "IAM" entry and any associated IAM permission keys to align with the PR feedback.

🤖 Prompt for AI Agents
In frontend/messages/fr.json around line 2796, remove the added IAM entry
("iam": "IAM") and any other IAM-related translation keys; search the file (and
related locale files if present) for keys named "iam" or values containing "IAM"
or "Identity and Access Management" and delete those entries so IAM support is
not introduced per reviewer request, then run the localization build/checks to
ensure no missing-key regressions.

"legacyEvidenceField": "Verouderd bewijsveld"
"legacyEvidenceField": "Veld voor verouderd bewijs",
"pmbok": "PMBOK",
"iam": "IAM",
Contributor comment:

⚠️ Potential issue | 🔴 Critical

Remove IAM translation key per reviewer guidance.

Line 999 adds the "iam" translation key, which directly contradicts the explicit PR feedback: "Do not include IAM for now because it can break things."

Remove this line to align with the reviewer's requirement.

-	"iam": "IAM",
🤖 Prompt for AI Agents
In frontend/messages/nl.json around line 999, remove the added translation key
"iam": "IAM" because the reviewer explicitly requested not to include IAM;
delete this line from the JSON file and ensure the file remains valid JSON (no
trailing comma issues) after removal.

"legacyEvidenceField": "Stare pole dowodów"
"legacyEvidenceField": "Pole dowodów w wersji starszej",
"pmbok": "PMBOK",
"iam": "IAM",
Contributor comment:

⚠️ Potential issue | 🔴 Critical

Remove IAM translation key per reviewer feedback.

The PR objective notes that IAM should not be included for now because it can break things. Line 1736 with "iam": "IAM" should be removed to align with the reviewer requirement from ab-smith.

Apply this diff to remove the IAM key:

- "pmbok": "PMBOK",
- "iam": "IAM",
- "crq": "CRQ",
+ "pmbok": "PMBOK",
+ "crq": "CRQ",
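Review bot: the hunk rewrites all three lines although only `"iam": "IAM",` changes; the unchanged "pmbok" and "crq" lines are shown as removed and re-added, so the suggestion reads as a reorder rather than a one-line deletion. Write it the way the cs.json, de.json and es.json suggestions above do, with a single `-` line and the two neighbours left as context.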
🤖 Prompt for AI Agents
In frontend/messages/pl.json around line 1736 remove the "iam": "IAM" entry
entirely; after deleting that line ensure the surrounding JSON remains valid
(fix any dangling/trailing commas or adjust neighboring commas if it was the
last or middle property) and run a quick JSON/locale lint to confirm no syntax
errors.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (3)
frontend/messages/fr.json (3)

2831-2831: Remove the IAM entry (per the reviewer).

Do not introduce IAM for now.

-  "iam": "IAM",

#!/bin/bash
rg -n --glob 'frontend/messages/*.json' -e '"iam"\s*:'

2833-2835: Use "Homologation" (product consistency).

Replace "accréditation" with "homologation".

-  "changeAccreditation": "Modifier l'accréditation",
-  "deleteAccreditation": "Supprimer l'accréditation",
-  "viewAccreditation": "Voir l'accréditation",
+  "changeAccreditation": "Modifier l'homologation",
+  "deleteAccreditation": "Supprimer l'homologation",
+  "viewAccreditation": "Voir l'homologation",
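Review bot: the hunk only retitles the change/delete/view labels for accreditation; if this locale also carries an add label for the same object, it needs the identical "homologation" wording, otherwise the verbs for one object disagree. A search for "accréditation" in frontend/messages/fr.json after applying the hunk confirms nothing is left over.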

2872-2874: Fix the grammar: "étude quantitative".

Replace "étude de quantificative".

-  "changeQuantitativeRiskStudy": "Modifier une étude de quantificative",
-  "deleteQuantitativeRiskStudy": "Supprimer une étude de quantificative",
-  "viewQuantitativeRiskStudy": "Voir une étude de quantificative"
+  "changeQuantitativeRiskStudy": "Modifier une étude quantitative",
+  "deleteQuantitativeRiskStudy": "Supprimer une étude quantitative",
+  "viewQuantitativeRiskStudy": "Voir une étude quantitative"
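Review bot: the corrected study labels use the indefinite article ("Modifier une étude quantitative") while the accreditation hunk above uses the definite one ("Modifier l'homologation"); the verb labels in this file should follow one pattern. The last line carries no trailing comma, which is only correct while it stays the final key of the object.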
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between cbac87a and 5c2fc4c.

📒 Files selected for processing (2)
  • frontend/messages/en.json (1 hunks)
  • frontend/messages/fr.json (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: build (3.12)
  • GitHub Check: build_enterprise_frontend
  • GitHub Check: build_community_frontend
  • GitHub Check: enterprise-startup-docker-compose-test
  • GitHub Check: startup-docker-compose-test
  • GitHub Check: enterprise-startup-functional-test (3.12)
  • GitHub Check: startup-functional-test (3.12)
  • GitHub Check: test (3.12)
  • GitHub Check: Analyze (python)
🔇 Additional comments (3)
frontend/messages/en.json (1)

2845-2847: CRQ/PMBOK labels look good.

Labels are concise and match backend allowlist intent.

Confirm backend ALLOWED_PERMISSION_APPS includes only "crq" and "pmbok" for this PR scope.

frontend/messages/fr.json (2)

2839-2841: “Domaine” for Folder actions is correct.

Matches existing “viewFolder” usage; no change needed.


2830-2832: PMBOK/CRQ labels OK.

Conformant and aligned.

"noRecurrentTasksFound": "No recurrent tasks found",
"pmbok": "PMBOK",
"iam": "IAM",
"crq": "CRQ",
Contributor comment:

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for IAM keys in all message JSON files
rg -n --glob 'frontend/messages/*.json' -e '"iam"\s*:'

Repository: intuitem/ciso-assistant-community

Length of output: 1033


🏁 Script executed:

#!/bin/bash
# Also check the specific file and context around the mentioned lines
if [ -f "frontend/messages/en.json" ]; then
  echo "=== Checking en.json context ==="
  sed -n '2840,2850p' frontend/messages/en.json
fi

Repository: intuitem/ciso-assistant-community

Length of output: 462


IAM label removal is incomplete—entry still exists in all message files.

The "iam": "IAM" entry at line 2845 in en.json was not removed and remains present across all 21 language translation files (ar.json, cs.json, da.json, de.json, el.json, en.json, es.json, fr.json, hi.json, hr.json, hu.json, id.json, it.json, nl.json, pl.json, pt.json, ro.json, sv.json, tr.json, uk.json, ur.json). Remove this entry from all message files to complete the requested change.

🤖 Prompt for AI Agents
In frontend/messages/en.json around lines 2845-2846 (and the same location in
all translation files: ar.json, cs.json, da.json, de.json, el.json, es.json,
fr.json, hi.json, hr.json, hu.json, id.json, it.json, nl.json, pl.json, pt.json,
ro.json, sv.json, tr.json, uk.json, ur.json), remove the leftover "iam": "IAM"
entry so the IAM label is fully deleted across all 21 language files; ensure you
delete the entire key/value pair and keep surrounding JSON valid (commas
adjusted as needed) in each file.

"reset": "Réinitialiser",
"periodTo": "au",
"noRecurrentTasksFound": "Aucune tâche réccurente trouvée"
"noRecurrentTasksFound": "Aucune tâche réccurente trouvée",
Contributor comment:

⚠️ Potential issue | 🟡 Minor

Fix typo: "récurrente".

Spelling.

-  "noRecurrentTasksFound": "Aucune tâche réccurente trouvée",
+  "noRecurrentTasksFound": "Aucune tâche récurrente trouvée",
🤖 Prompt for AI Agents
In frontend/messages/fr.json around line 2829, the French translation value
contains a typo: "Aucune tâche réccurente trouvée" should be corrected to
"Aucune tâche récurrente trouvée"; update the JSON string value to use the
proper spelling with a single "c" and the acute accent on the first "e"
("récurrente") while keeping surrounding quotes and punctuation intact.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 5c2fc4c and dc027de.

📒 Files selected for processing (1)
  • backend/iam/models.py (2 hunks)
🧰 Additional context used
🧠 Learnings (3)
📓 Common learnings
Learnt from: Mohamed-Hacene
Repo: intuitem/ciso-assistant-community PR: 2422
File: backend/core/serializers.py:1018-1030
Timestamp: 2025-08-25T08:51:15.404Z
Learning: The CISO Assistant project uses a custom permission system where RoleAssignment.get_accessible_object_ids() provides special handling for Permission objects by filtering them by content_type app_label rather than folder hierarchy, since Permission objects don't belong to folders. This allows safe CRUD operations on permissions while preventing privilege escalation by restricting access to only application-specific permissions from allowed apps: "core", "ebios_rm", "tprm", "privacy", "resilience", and "cal".
📚 Learning: 2025-09-05T09:18:16.194Z
Learnt from: Mohamed-Hacene
Repo: intuitem/ciso-assistant-community PR: 2472
File: backend/iam/models.py:906-907
Timestamp: 2025-09-05T09:18:16.194Z
Learning: In the get_accessible_object_ids method in backend/iam/models.py, for objects with parent_folder attribute (like Folder objects), the folder association logic treats each folder as being associated with itself, so the mapping is folder_id → folder_id. The code `[(fid, fid) for fid in folder_permissions.keys()]` correctly implements this self-referential mapping rather than querying for child folders.

Applied to files:

  • backend/iam/models.py
🧬 Code graph analysis (1)
backend/iam/models.py (1)
backend/core/views.py (1)
  • filter (184-210)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: build_community_frontend
  • GitHub Check: build_enterprise_frontend
  • GitHub Check: test (3.12)
  • GitHub Check: enterprise-startup-docker-compose-test
  • GitHub Check: enterprise-startup-functional-test (3.12)
  • GitHub Check: build (3.12)
  • GitHub Check: startup-functional-test (3.12)
  • GitHub Check: startup-docker-compose-test
  • GitHub Check: Analyze (python)
🔇 Additional comments (1)
backend/iam/models.py (1)

998-1004: Add "folder" to DISALLOWED_PERMISSION_MODELS.

The Folder model is a concrete Django model (inheriting from NameDescriptionMixin, AbstractBaseModel and models.Model). The original code explicitly excluded folder permissions with Q(content_type__model="folder"), but the refactored version does not include "folder" in DISALLOWED_PERMISSION_MODELS. This is a regression that exposes folder permissions when they should remain protected. Add "folder" to the disallowed models tuple.

⛔ Skipped due to learnings
Learnt from: Mohamed-Hacene
Repo: intuitem/ciso-assistant-community PR: 2472
File: backend/iam/models.py:906-907
Timestamp: 2025-09-05T09:18:16.194Z
Learning: In the get_accessible_object_ids method in backend/iam/models.py, for objects with parent_folder attribute (like Folder objects), the folder association logic treats each folder as being associated with itself, so the mapping is folder_id → folder_id. The code `[(fid, fid) for fid in folder_permissions.keys()]` correctly implements this self-referential mapping rather than querying for child folders.
Learnt from: Mohamed-Hacene
Repo: intuitem/ciso-assistant-community PR: 2422
File: backend/core/serializers.py:1018-1030
Timestamp: 2025-08-25T08:51:15.404Z
Learning: The CISO Assistant project uses a custom permission system where RoleAssignment.get_accessible_object_ids() provides special handling for Permission objects by filtering them by content_type app_label rather than folder hierarchy, since Permission objects don't belong to folders. This allows safe CRUD operations on permissions while preventing privilege escalation by restricting access to only application-specific permissions from allowed apps: "core", "ebios_rm", "tprm", "privacy", "resilience", and "cal".

Comment on lines 61 to 69
DISALLOWED_PERMISSION_MODELS = (
"personalaccesstoken",
"role",
"roleassignment",
"usergroup",
"ssosettings",
"user",
"historicalmetric",
)
Contributor comment:

⚠️ Potential issue | 🟠 Major

Add "folder" to DISALLOWED_PERMISSION_MODELS for defense in depth.

The Folder model (defined at line 81 in this file) is a critical IAM model that establishes the permission perimeter, yet it's absent from the disallowed list. While removing "iam" from ALLOWED_PERMISSION_APPS provides primary protection, including "folder" in DISALLOWED_PERMISSION_MODELS provides defense in depth against accidental re-introduction or misconfiguration.

Apply this diff to add "folder" to the exclusion list:

 DISALLOWED_PERMISSION_MODELS = (
     "personalaccesstoken",
     "role",
     "roleassignment",
     "usergroup",
     "ssosettings",
     "user",
     "historicalmetric",
+    "folder",
 )
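Review bot: the added entry is matched by bare model name, so it excludes a model called folder from any allowed app, not only from iam; that is acceptable here but deserves a one-line comment on the tuple. Since the comment above treats dropping "iam" from ALLOWED_PERMISSION_APPS as the primary control and this entry as backup, the hunk should ship with a test asserting that a delegated role never receives an iam folder permission (Django's add_/change_/delete_/view_folder codenames), otherwise the two controls can drift apart without anyone noticing. The previous entry already ends in a comma, so the insertion is syntactically safe.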
🤖 Prompt for AI Agents
In backend/iam/models.py around lines 61 to 69, add "folder" to the
DISALLOWED_PERMISSION_MODELS tuple so the Folder model is explicitly excluded
from permission-related operations; update the tuple to include "folder"
(preserving tuple formatting and commas) to provide defense-in-depth without
changing other entries.
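
The behaviour the two "folder" comments above disagree about can be exercised without Django. The following is an added, stand-alone example written for this thread, not code from backend/iam/models.py or the CISO Assistant project: it models Permission rows as (app_label, model, codename) tuples, reuses the app and model names quoted in the thread for its constants, and constructs a small permission catalogue (the "project" model under pmbok and the app placement of historicalmetric are hypothetical). It runs the filter with and without "iam" in the allow-list and with and without "folder" on the deny-list, and reports which perimeter-defining IAM permissions leak through.

```python
"""Added example for this review thread: a stand-alone model of the
allow-list / deny-list filter that get_accessible_object_ids applies to
Permission rows. Illustrative code, not the project's backend/iam/models.py;
plain tuples stand in for Django's Permission/ContentType so it runs offline.
The app and model names in the constants are the ones quoted in the thread;
the sample catalogue below is constructed for the example."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Perm:
    """Stand-in for a Permission joined to its ContentType."""
    app_label: str   # ContentType.app_label
    model: str       # ContentType.model (lower-cased class name)
    codename: str    # e.g. "change_folder"

    @property
    def label(self) -> str:
        return f"{self.app_label}.{self.codename}"


# Apps whose permissions a role may hand out, per the thread; "iam" is toggled below.
ALLOWED_PERMISSION_APPS = (
    "core", "ebios_rm", "tprm", "privacy", "resilience", "cal", "pmbok", "crq",
)

# Models excluded by bare model name, as in the hunk under review (without "folder").
DISALLOWED_PERMISSION_MODELS = (
    "personalaccesstoken", "role", "roleassignment", "usergroup",
    "ssosettings", "user", "historicalmetric",
)

# Models that define the permission perimeter; any of these reaching a
# delegated role is an escalation path. "folder" is the one the reviewer flags.
PERIMETER_MODELS = frozenset({
    "folder", "role", "roleassignment", "usergroup",
    "ssosettings", "user", "personalaccesstoken",
})

# Constructed sample catalogue (not dumped from a real install; "project" under
# pmbok and historicalmetric under core are assumptions made for the example).
SAMPLE_PERMS = (
    Perm("core", "asset", "view_asset"),
    Perm("core", "historicalmetric", "view_historicalmetric"),
    Perm("pmbok", "project", "view_project"),
    Perm("crq", "quantitativeriskstudy", "change_quantitativeriskstudy"),
    Perm("iam", "folder", "change_folder"),
    Perm("iam", "role", "change_role"),
    Perm("iam", "roleassignment", "add_roleassignment"),
    Perm("iam", "user", "change_user"),
    Perm("auth", "permission", "change_permission"),
)


def accessible_permissions(perms, allowed_apps, disallowed_models):
    """The filter as described in the thread: keep rows whose app is allowed and
    whose model is not on the deny list. The deny list is matched on the bare
    model name, so it is app-agnostic."""
    return [p for p in perms
            if p.app_label in allowed_apps and p.model not in disallowed_models]


def perimeter_leaks(granted):
    """Labels of perimeter-defining IAM permissions that slipped through."""
    return sorted(p.label for p in granted
                  if p.app_label == "iam" and p.model in PERIMETER_MODELS)


def evaluate(include_iam: bool, deny_folder: bool):
    """Run one configuration; return (sorted granted labels, sorted leaked labels)."""
    apps = ALLOWED_PERMISSION_APPS + (("iam",) if include_iam else ())
    models = DISALLOWED_PERMISSION_MODELS + (("folder",) if deny_folder else ())
    granted = accessible_permissions(SAMPLE_PERMS, apps, models)
    return sorted(p.label for p in granted), perimeter_leaks(granted)


if __name__ == "__main__":
    for include_iam, deny_folder in ((False, False), (True, False), (True, True)):
        granted, leaks = evaluate(include_iam, deny_folder)
        print(f"iam allowed={include_iam!s:5} folder denied={deny_folder!s:5} "
              f"granted={granted} leaks={leaks or 'none'}")
```

Run with `python` to print the three configurations; the middle one, "iam" allowed and "folder" not on the deny-list, is the regression the first comment describes, and adding "folder" closes it even if "iam" is re-introduced later. Note also that the deny-list is matched on the bare model name, so the constructed core.view_historicalmetric row is dropped although core is an allowed app.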

@ab-smith ab-smith merged commit aa3b3ac into main Dec 3, 2025
71 checks passed
@ab-smith ab-smith deleted the feat/add-pmbok-crq-iam-permissions-list branch December 3, 2025 18:44
@github-actions github-actions bot locked and limited conversation to collaborators Dec 3, 2025