When a user passes --prefix <tenant> without a trailing slash, the GraphQL API returns a PermissionDenied error even if the user has full admin access. The actual cause is that the Prefix type requires a trailing slash — the value is silently passed as-is to the API, which rejects it as an unrecognized/unauthorized prefix name.
Steps to reproduce:
flowctl catalog pull-specs --prefix AcmeCo
# Error: PermissionDenied: johnsmith@acme.co is not authorized to access prefix or name 'AcmeCo' with required capability read
Expected:
Either auto-normalize (AcmeCo → AcmeCo/) or return a clear error: prefix must end with '/': did you mean 'AcmeCo/'?
Workaround:
flowctl catalog pull-specs --prefix AcmeCo/
Location: crates/flowctl/src/catalog/list/mod.rs line ~272, where models::Prefix::new(prefix) is called without validating/normalizing the trailing slash. The same fix should apply to any other command using NameSelector with --prefix.
Labels: bug
When a user passes
--prefix <tenant>without a trailing slash, the GraphQL API returns aPermissionDeniederror even if the user has full admin access. The actual cause is that thePrefixtype requires a trailing slash — the value is silently passed as-is to the API, which rejects it as an unrecognized/unauthorized prefix name.Steps to reproduce:
Expected:
Either auto-normalize (
AcmeCo→AcmeCo/) or return a clear error:prefix must end with '/': did you mean 'AcmeCo/'?Workaround:
Location:
crates/flowctl/src/catalog/list/mod.rsline ~272, wheremodels::Prefix::new(prefix)is called without validating/normalizing the trailing slash. The same fix should apply to any other command usingNameSelectorwith--prefix.Labels: bug