feat(homepage): add unless exclusion and tags for RBAC conditional filtering

[karthikjeeyar]

Hey, I just made a Pull Request!

Fixes:

https://redhat.atlassian.net/browse/RHIDP-14648
https://redhat.atlassian.net/browse/RHIDP-14649

Adds two new config-level features to homepage default widgets:

• unless config block: inverse of if — uses the same shape (users, groups, permissions) but acts as a denylist. Checked before if so deny always wins. On group nodes, prunes the entire subtree.
• tags on widget nodes: optional string array (e.g. ['admin', 'developer']) passed through to the API response. Used with the new HAS_TAG permission rule for RBAC conditional policy filtering. Widgets without tags bypass tag-based filtering.
• HAS_TAG permission rule: new rule registered alongside HAS_WIDGET_ID for the homepage-default-widget resource type. Matches
  widgets that have at least one overlapping tag.
• Refactored permission flow: moved authorizeConditional from buildUserContext into DefaultWidgetsService so the top-level RBAC filtering runs.
• README updated with unless, tags, filtering layer and permission rules table.
• Frontend: mount point default props are now merged with widget-level props ({ ...mountPoint.config?.props, ...widget.props }).

Screenshots:

How to test

Test widgets included in app-config.yaml, to switch different personas

1. examples/org.yaml — change the guest user's memberOf to match:

  spec:
    memberOf: [guests, default/developers] //  To test as admin change it to `default/admins`

2. Modify the conditional-policies.yaml tags to filter the widgets.

✔️ Checklist

• A changeset describing the change and affected packages. (more info)
• Added or Updated documentation
• Tests for new functionality and regression tests for bug fixes
• Screenshots attached (for UI changes)

[github-actions]

This pull request adds a new top-level directory under workspaces/. Please follow Submitting a Pull Request for a New Workspace in CONTRIBUTING.md.

[rhdh-gh-app]

Important

This PR includes changes that affect public-facing API. Please ensure you are adding/updating documentation for new features or behavior.

Changed Packages

Package Name	Package Path	Changeset Bump	Current Version
@red-hat-developer-hub/backstage-plugin-homepage-backend	workspaces/homepage/plugins/homepage-backend	minor	v0.2.1
@red-hat-developer-hub/backstage-plugin-homepage-common	workspaces/homepage/plugins/homepage-common	minor	v0.2.1
@red-hat-developer-hub/backstage-plugin-homepage	workspaces/homepage/plugins/homepage	patch	v1.15.0

[codecov]

Codecov Report

❌ Patch coverage is 97.22222% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 53.75%. Comparing base (7bb75a9) to head (5147ac1).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3546      +/-   ##
==========================================
+ Coverage   53.74%   53.75%   +0.01%     
==========================================
  Files        2268     2269       +1     
  Lines       86468    86500      +32     
  Branches    24268    24279      +11     
==========================================
+ Hits        46468    46499      +31     
- Misses      39774    39775       +1     
  Partials      226      226              

Flag	Coverage Δ		*Carryforward flag
adoption-insights	83.70% <ø> (ø)		Carriedforward from 7bb75a9
ai-integrations	67.95% <ø> (ø)		Carriedforward from 7bb75a9
app-defaults	69.79% <ø> (ø)		Carriedforward from 7bb75a9
augment	46.39% <ø> (ø)		Carriedforward from 7bb75a9
boost	71.71% <ø> (ø)		Carriedforward from 7bb75a9
bulk-import	72.46% <ø> (ø)		Carriedforward from 7bb75a9
cost-management	14.10% <ø> (ø)		Carriedforward from 7bb75a9
dcm	61.79% <ø> (ø)		Carriedforward from 7bb75a9
extensions	61.53% <ø> (ø)		Carriedforward from 7bb75a9
global-floating-action-button	71.18% <ø> (ø)		Carriedforward from 7bb75a9
global-header	59.71% <ø> (ø)		Carriedforward from 7bb75a9
homepage	50.98% <97.22%> (+1.14%)	⬆️
install-dynamic-plugins	56.23% <ø> (ø)		Carriedforward from 7bb75a9
konflux	91.49% <ø> (ø)		Carriedforward from 7bb75a9
lightspeed	68.57% <ø> (ø)		Carriedforward from 7bb75a9
mcp-integrations	85.46% <ø> (ø)		Carriedforward from 7bb75a9
orchestrator	38.02% <ø> (ø)		Carriedforward from 7bb75a9
quickstart	63.76% <ø> (ø)		Carriedforward from 7bb75a9
sandbox	79.56% <ø> (ø)		Carriedforward from 7bb75a9
scorecard	83.96% <ø> (ø)		Carriedforward from 7bb75a9
theme	61.26% <ø> (ø)		Carriedforward from 7bb75a9
translations	7.25% <ø> (ø)		Carriedforward from 7bb75a9
x2a	78.68% <ø> (ø)		Carriedforward from 7bb75a9

*This pull request uses carry forward flags. Click here to find out more.

---

Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7bb75a9...5147ac1. Read the comment docs.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud