Fixes
benjackwhite committed Mar 28, 2024
1 parent b892b67 commit c03bd3c
Showing 3 changed files with 32 additions and 16 deletions.
42 changes: 28 additions & 14 deletions ee/api/rbac/test/test_access_control.py
Expand Up @@ -34,6 +34,15 @@ def _put_project_access_control(self, data={}):
payload,
)

def _put_global_access_control(self, data={}):
payload = {"access_level": "editor"}
payload.update(data)

return self.client.put(
"/api/projects/@current/global_access_controls",
payload,
)

def _org_membership(self, level: OrganizationMembership.Level = OrganizationMembership.Level.ADMIN):
self.organization_membership.level = level
self.organization_membership.save()
Expand Down Expand Up @@ -161,41 +170,46 @@ def setUp(self):
self.role = Role.objects.create(name="Engineers", organization=self.organization)
self.role_membership = RoleMembership.objects.create(user=self.user, role=self.role)

def _put_rbac(self, data={}):
payload = {"access_level": "editor"}
payload.update(data)

return self.client.put(
"/api/projects/@current/global_access_controls",
payload,
)

def test_admin_can_always_access(self):
self._org_membership(OrganizationMembership.Level.ADMIN)
assert self._put_rbac({"resource": "feature_flag", "access_level": "none"}).status_code == status.HTTP_200_OK
assert (
self._put_global_access_control({"resource": "feature_flag", "access_level": "none"}).status_code
== status.HTTP_200_OK
)
assert self.client.get("/api/projects/@current/feature_flags").status_code == status.HTTP_200_OK

def test_forbidden_access_if_resource_wide_control_in_place(self):
self._org_membership(OrganizationMembership.Level.ADMIN)
assert self._put_rbac({"resource": "feature_flag", "access_level": "none"}).status_code == status.HTTP_200_OK
assert (
self._put_global_access_control({"resource": "feature_flag", "access_level": "none"}).status_code
== status.HTTP_200_OK
)
self._org_membership(OrganizationMembership.Level.MEMBER)

assert self.client.get("/api/projects/@current/feature_flags").status_code == status.HTTP_403_FORBIDDEN
assert self.client.post("/api/projects/@current/feature_flags").status_code == status.HTTP_403_FORBIDDEN

def test_forbidden_write_access_if_resource_wide_control_in_place(self):
self._org_membership(OrganizationMembership.Level.ADMIN)
assert self._put_rbac({"resource": "feature_flag", "access_level": "viewer"}).status_code == status.HTTP_200_OK
assert (
self._put_global_access_control({"resource": "feature_flag", "access_level": "viewer"}).status_code
== status.HTTP_200_OK
)
self._org_membership(OrganizationMembership.Level.MEMBER)

assert self.client.get("/api/projects/@current/feature_flags").status_code == status.HTTP_200_OK
assert self.client.post("/api/projects/@current/feature_flags").status_code == status.HTTP_403_FORBIDDEN

def test_access_granted_with_granted_role(self):
self._org_membership(OrganizationMembership.Level.ADMIN)
assert self._put_rbac({"resource": "feature_flag", "access_level": "none"}).status_code == status.HTTP_200_OK
assert (
self._put_rbac({"resource": "feature_flag", "access_level": "viewer", "role": self.role.id}).status_code
self._put_global_access_control({"resource": "feature_flag", "access_level": "none"}).status_code
== status.HTTP_200_OK
)
assert (
self._put_global_access_control(
{"resource": "feature_flag", "access_level": "viewer", "role": self.role.id}
).status_code
== status.HTTP_200_OK
)
self._org_membership(OrganizationMembership.Level.MEMBER)
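Review bot: Every call to `_put_global_access_control` in this hunk is made while the user is an ADMIN, so nothing here checks that a MEMBER is refused a write to `/api/projects/@current/global_access_controls` — the endpoint that lowers or raises everyone's access is the one that most needs a negative test. Assuming writes are meant to be admin-only (the visible tests do not establish this), I would add next to `test_admin_can_always_access` a case that does `self._org_membership(OrganizationMembership.Level.MEMBER)` and then `assert self._put_global_access_control({"resource": "feature_flag", "access_level": "none"}).status_code == status.HTTP_403_FORBIDDEN`. The new helper also keeps the `data={}` mutable default; `payload.update(data)` never mutates it, but `data=None` with `payload.update(data or {})` avoids both the lint and the trap. `test_access_granted_with_granted_role` continues past the end of the hunk, and the class header is above it.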
Expand Up @@ -231,7 +231,7 @@ export const roleBasedAccessControlLogic = kea<roleBasedAccessControlLogicType>(
() => [],
(): AccessControlType['resource'][] => {
// TODO: Sync this as an enum
return ['feature_flag', 'dashboard', 'insight', 'session_recording']
return ['feature_flag', 'dashboard', 'insight', 'session_recording', 'plugin']
},
],
}),
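Review bot: The added `'plugin'` entry extends a hand-maintained list that has to agree with the backend's `model_to_resource` mapping and its scope-object list, and the `// TODO: Sync this as an enum` comment above it is the only guard against drift. Since nothing here verifies that the backend accepts `'plugin'` as a resource, I would at least record the dependency: `// Must match the backend APIScopeObject names (posthog/rbac/user_access_control.py); 'plugin' is the resource for PluginConfig`. Whether the backend's scope list already contains `plugin` is not visible in this diff. The enclosing selector starts above the hunk.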
4 changes: 3 additions & 1 deletion posthog/rbac/user_access_control.py
Expand Up @@ -74,6 +74,8 @@ def model_to_resource(model: Model) -> Optional[APIScopeObject]:
return "project"
if name == "featureflag":
return "feature_flag"
if name == "plugin_config":
return "plugin"

if name not in API_SCOPE_OBJECTS:
return None
Expand Down Expand Up @@ -194,7 +196,7 @@ def _access_controls_filters_for_queryset(self, resource: APIScopeObject) -> dic
if self._team and resource != "project":
common_filters["team_id"] = self._team.id
else:
common_filters["team__organization_id"] = self._organization_id
common_filters["team__organization_id"] = str(self._organization_id)

return common_filters
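Review bot: The new `str(self._organization_id)` on the `team__organization_id` filter has no comment saying why the cast is needed, and this branch is the organization-wide case (no team, or `resource == "project"`), so a type mismatch here would silently change which access controls the queryset sees. I would record the reason above the line, e.g. `# _organization_id may be a UUID; filter with a str so the lookup matches the stored value` — hedged, since the type of `_organization_id` is not visible in this diff. If the cast really is required, `common_filters["team_id"] = self._team.id` two lines up deserves the same scrutiny. In the first hunk, the `plugin_config` → `plugin` special case sits before the `API_SCOPE_OBJECTS` membership check, like `featureflag`, so it is returned even if `plugin` is not a declared scope object; a one-line comment stating that this is intended would help. Both functions start outside their hunks.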

