From e8be1f302e3e5444ee4781c4f41967eae95b8dba Mon Sep 17 00:00:00 2001
From: shreddedbacon
Date: Wed, 31 Jul 2024 22:31:16 +1000
Subject: [PATCH] fix: platform viewer/owner permission for groups

---
 services/api/src/apolloServer.js              | 12 ++++++++++++
 services/api/src/resources/group/resolvers.ts | 12 ++++++------
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/services/api/src/apolloServer.js b/services/api/src/apolloServer.js
index fc5a6d36ff..2f8e569f02 100644
--- a/services/api/src/apolloServer.js
+++ b/services/api/src/apolloServer.js
@@ -147,6 +147,12 @@ const apolloServer = new ApolloServer({
         // grab the users project ids and roles in the first request
         groupRoleProjectIds = await User.User(modelClients).getAllProjectsIdsForUser(currentUser.id, keycloakUsersGroups);
       }
+      if (legacyGrant) {
+        const { role } = legacyGrant;
+        if (role == 'admin') {
+          platformOwner = true
+        }
+      }
 
       return {
         keycloakAdminClient,
@@ -227,6 +233,12 @@ const apolloServer = new ApolloServer({
         groupRoleProjectIds = await User.User(modelClients).getAllProjectsIdsForUser(currentUser.id, keycloakUsersGroups);
         await User.User(modelClients).userLastAccessed(currentUser);
       }
+      if (legacyGrant) {
+        const { role } = legacyGrant;
+        if (role == 'admin') {
+          platformOwner = true
+        }
+      }
 
       // do a permission check to see if the user is platform admin/owner, or has permission for `viewAll` on certain resources
       // this reduces the number of `viewAll` permission look ups that could potentially occur during subfield resolvers for non admin users
diff --git a/services/api/src/resources/group/resolvers.ts b/services/api/src/resources/group/resolvers.ts
index 77b9eab7c3..47c96cf163 100644
--- a/services/api/src/resources/group/resolvers.ts
+++ b/services/api/src/resources/group/resolvers.ts
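Review bot: The added `if (role == 'admin')` in the -147 hunk uses loose equality; `if (role === 'admin') {` is the strict form and matches the TypeScript resolvers touched by the same patch, and `platformOwner = true;` should carry its semicolon like the surrounding lines. The identical six-line block is pasted into both the -147 and -233 hunks, so a single helper such as `const legacyGrantIsAdmin = (grant) => grant?.role === 'admin';` applied in both request paths would keep them from drifting. Setting `platformOwner` here lets the group resolvers skip `hasPermission` entirely, so this is an authorization elevation that presumably relies on `legacyGrant` having been verified (signature and expiry) before this point; that is not visible in either hunk and is worth stating in a comment above the block. The enclosing context function starts before and ends after both hunks.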
@@ -19,7 +19,7 @@ export const getAllGroups: ResolverFn = async (
   { hasPermission, models, keycloakGrant, keycloakUsersGroups, adminScopes }
 ) => {
   // use the admin scope check instead of `hasPermission` for speed
-  if (adminScopes.platformOwner && adminScopes.platformViewer) {
+  if (adminScopes.platformOwner || adminScopes.platformViewer) {
     try {
 
       if (name) {
@@ -99,7 +99,7 @@ export const getGroupRolesByUserId: ResolverFn =async (
   { hasPermission, models, keycloakGrant, keycloakUsersGroups, adminScopes }
 ) => {
   // use the admin scope check instead of `hasPermission` for speed
-  if (adminScopes.platformOwner && adminScopes.platformViewer) {
+  if (adminScopes.platformOwner || adminScopes.platformViewer) {
     try {
       const queryUserGroups = await models.UserModel.getAllGroupsForUser(uid);
       let groups = []
@@ -192,7 +192,7 @@ export const getGroupsByProjectId: ResolverFn = async (
   { hasPermission, sqlClientPool, models, keycloakGrant, keycloakUsersGroups, adminScopes }
 ) => {
   // use the admin scope check instead of `hasPermission` for speed
-  if (adminScopes.platformOwner && adminScopes.platformViewer) {
+  if (adminScopes.platformOwner || adminScopes.platformViewer) {
     try {
       const projectGroups = await Helpers(sqlClientPool).selectGroupsByProjectId(models, pid)
       return projectGroups;
@@ -260,7 +260,7 @@ export const getGroupsByUserId: ResolverFn = async (
   { hasPermission, models, keycloakGrant, keycloakUsersGroups, adminScopes }
 ) => {
   // use the admin scope check instead of `hasPermission` for speed
-  if (adminScopes.platformOwner && adminScopes.platformViewer) {
+  if (adminScopes.platformOwner || adminScopes.platformViewer) {
     try {
       const queryUserGroups = await models.UserModel.getAllGroupsForUser(uid);
 
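Review bot: Changing `&&` to `||` in the -19 hunk means a caller holding only `adminScopes.platformViewer` now bypasses `hasPermission` for this getter, and the same widening applies in the -99, -192 and -260 hunks on this line and the -283 and -748 hunks that follow; before the fix the fast path required both flags and so was effectively unreachable, with viewers falling through to the per-group check. The bodies visible in these hunks (`loadGroupByName`, `getAllGroupsForUser`, `selectGroupsByProjectId`, `loadGroupByIdOrName`) are reads, so the widening looks bounded to read access, but nothing records that constraint; a comment such as `// platform owner/viewer short-circuit: read-only resolvers only, never reuse for mutations` above the check would make it explicit. The condition is repeated verbatim six times, so a helper like `const isPlatformAdmin = (s: typeof adminScopes) => s.platformOwner || s.platformViewer;` would have turned this six-hunk fix into one line. Each enclosing resolver starts before its hunk and ends after it.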
@@ -283,7 +283,7 @@ export const getGroupByName: ResolverFn = async (
   { models, hasPermission, keycloakGrant, keycloakUsersGroups, adminScopes }
 ) => {
   // use the admin scope check instead of `hasPermission` for speed
-  if (adminScopes.platformOwner && adminScopes.platformViewer) {
+  if (adminScopes.platformOwner || adminScopes.platformViewer) {
     try {
       const group = await models.GroupModel.loadGroupByName(name);
       return group;
@@ -748,7 +748,7 @@ export const getAllProjectsInGroup: ResolverFn = async (
   } = models;
 
   // use the admin scope check instead of `hasPermission` for speed
-  if (adminScopes.platformOwner && adminScopes.platformViewer) {
+  if (adminScopes.platformOwner || adminScopes.platformViewer) {
     try {
       // get group from all keycloak groups apollo context
       const group = await loadGroupByIdOrName(groupInput);