From c03bd3c228f643c99b304b54c723e0e7c65348dc Mon Sep 17 00:00:00 2001
From: Ben White
Date: Thu, 28 Mar 2024 17:45:48 +0100
Subject: [PATCH] Fixes
---
 ee/api/rbac/test/test_access_control.py | 42 ++++++++++++-------
 .../roleBasedAccessControlLogic.ts | 2 +-
 posthog/rbac/user_access_control.py | 4 +-
 3 files changed, 32 insertions(+), 16 deletions(-)
diff --git a/ee/api/rbac/test/test_access_control.py b/ee/api/rbac/test/test_access_control.py
index 398edaa75837c..f7d5c4d7dc047 100644
--- a/ee/api/rbac/test/test_access_control.py
+++ b/ee/api/rbac/test/test_access_control.py
@@ -34,6 +34,15 @@ def _put_project_access_control(self, data={}):
 payload,
 )
+ def _put_global_access_control(self, data={}):
+ payload = {"access_level": "editor"}
+ payload.update(data)
+
+ return self.client.put(
+ "/api/projects/@current/global_access_controls",
+ payload,
+ )
+
 def _org_membership(self, level: OrganizationMembership.Level = OrganizationMembership.Level.ADMIN):
 self.organization_membership.level = level
 self.organization_membership.save()
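Review bot: `_put_global_access_control(self, data={})` takes a mutable dict as its default argument; the body only reads it through `payload.update(data)`, so nothing is shared across calls today, but the idiom is the usual trap and is copied from `_put_project_access_control(self, data={})` just above it. Prefer `def _put_global_access_control(self, data=None):` with `payload.update(data or {})`, which leaves every call site unchanged. The enclosing class header is outside the hunk.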
@@ -161,23 +170,20 @@ def setUp(self):
 self.role = Role.objects.create(name="Engineers", organization=self.organization)
 self.role_membership = RoleMembership.objects.create(user=self.user, role=self.role)
- def _put_rbac(self, data={}):
- payload = {"access_level": "editor"}
- payload.update(data)
-
- return self.client.put(
- "/api/projects/@current/global_access_controls",
- payload,
- )
-
 def test_admin_can_always_access(self):
 self._org_membership(OrganizationMembership.Level.ADMIN)
- assert self._put_rbac({"resource": "feature_flag", "access_level": "none"}).status_code == status.HTTP_200_OK
+ assert (
+ self._put_global_access_control({"resource": "feature_flag", "access_level": "none"}).status_code
+ == status.HTTP_200_OK
+ )
 assert self.client.get("/api/projects/@current/feature_flags").status_code == status.HTTP_200_OK
 def test_forbidden_access_if_resource_wide_control_in_place(self):
 self._org_membership(OrganizationMembership.Level.ADMIN)
- assert self._put_rbac({"resource": "feature_flag", "access_level": "none"}).status_code == status.HTTP_200_OK
+ assert (
+ self._put_global_access_control({"resource": "feature_flag", "access_level": "none"}).status_code
+ == status.HTTP_200_OK
+ )
 self._org_membership(OrganizationMembership.Level.MEMBER)
 assert self.client.get("/api/projects/@current/feature_flags").status_code == status.HTTP_403_FORBIDDEN
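Review bot: `test_admin_can_always_access` and `test_forbidden_access_if_resource_wide_control_in_place` now call `self._put_global_access_control`, whose definition moved into the hunk at line 34 of a class whose header is not visible here; if the class owning this `setUp` does not inherit from that one, every call in this hunk fails with AttributeError, so that relationship is worth confirming. The removed `_put_rbac` had an identical body, so the tests are otherwise unchanged in what they exercise. A one-line comment on the first test, such as `# An org admin keeps access even when the global level for the resource is "none"`, would state the invariant these assertions protect. Both test methods end inside the hunk; the class does not.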
@@ -185,7 +191,10 @@ def test_forbidden_access_if_resource_wide_control_in_place(self):
 def test_forbidden_write_access_if_resource_wide_control_in_place(self):
 self._org_membership(OrganizationMembership.Level.ADMIN)
- assert self._put_rbac({"resource": "feature_flag", "access_level": "viewer"}).status_code == status.HTTP_200_OK
+ assert (
+ self._put_global_access_control({"resource": "feature_flag", "access_level": "viewer"}).status_code
+ == status.HTTP_200_OK
+ )
 self._org_membership(OrganizationMembership.Level.MEMBER)
 assert self.client.get("/api/projects/@current/feature_flags").status_code == status.HTTP_200_OK
@@ -193,9 +202,14 @@ def test_forbidden_write_access_if_resource_wide_control_in_place(self):
 def test_access_granted_with_granted_role(self):
 self._org_membership(OrganizationMembership.Level.ADMIN)
- assert self._put_rbac({"resource": "feature_flag", "access_level": "none"}).status_code == status.HTTP_200_OK
 assert (
- self._put_rbac({"resource": "feature_flag", "access_level": "viewer", "role": self.role.id}).status_code
+ self._put_global_access_control({"resource": "feature_flag", "access_level": "none"}).status_code
+ == status.HTTP_200_OK
+ )
+ assert (
+ self._put_global_access_control(
+ {"resource": "feature_flag", "access_level": "viewer", "role": self.role.id}
+ ).status_code
 == status.HTTP_200_OK
 )
 self._org_membership(OrganizationMembership.Level.MEMBER)
diff --git a/frontend/src/layout/navigation-3000/sidepanel/panels/access_control/roleBasedAccessControlLogic.ts b/frontend/src/layout/navigation-3000/sidepanel/panels/access_control/roleBasedAccessControlLogic.ts
index 76e1ecf39227a..42294d39469f5 100644
--- a/frontend/src/layout/navigation-3000/sidepanel/panels/access_control/roleBasedAccessControlLogic.ts
+++ b/frontend/src/layout/navigation-3000/sidepanel/panels/access_control/roleBasedAccessControlLogic.ts
@@ -231,7 +231,7 @@ export const roleBasedAccessControlLogic = kea(
 () => [],
 (): AccessControlType['resource'][] => {
 // TODO: Sync this as an enum
- return ['feature_flag', 'dashboard', 'insight', 'session_recording']
+ return ['feature_flag', 'dashboard', 'insight', 'session_recording', 'plugin']
 },
 ],
 }),
diff --git a/posthog/rbac/user_access_control.py b/posthog/rbac/user_access_control.py
index 4ea0a62291933..b4b22730c0c0a 100644
--- a/posthog/rbac/user_access_control.py
+++ b/posthog/rbac/user_access_control.py
@@ -74,6 +74,8 @@ def model_to_resource(model: Model) -> Optional[APIScopeObject]:
 return "project"
 if name == "featureflag":
 return "feature_flag"
+ if name == "plugin_config":
+ return "plugin"
 if name not in API_SCOPE_OBJECTS:
 return None
@@ -194,7 +196,7 @@ def _access_controls_filters_for_queryset(self, resource: APIScopeObject) -> dic
 if self._team and resource != "project":
 common_filters["team_id"] = self._team.id
 else:
- common_filters["team__organization_id"] = self._organization_id
+ common_filters["team__organization_id"] = str(self._organization_id)
 return common_filters
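Review bot: The resource list returned by this selector is still hand-maintained and now gains `'plugin'`, while the server-side mapping that produces that name is added separately in `model_to_resource` in posthog/rbac/user_access_control.py; nothing ties the two together beyond the existing TODO. Until the enum sync happens, a pointer would reduce drift, e.g. replace the TODO with `// TODO: Sync this as an enum — must match the resource names model_to_resource() returns (posthog/rbac/user_access_control.py)`. The enclosing `roleBasedAccessControlLogic` definition starts and ends outside the hunk.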
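Review bot: The new comparison `if name == "plugin_config":` uses a different spelling convention from the line right above it, `if name == "featureflag":`, which has no underscore; if `name` is the lowercased class name, as the `featureflag` case suggests, a `PluginConfig` model yields `"pluginconfig"` and the new branch never matches, so the model falls through to the `API_SCOPE_OBJECTS` check instead of mapping to `"plugin"`. How `name` is derived is above the hunk, so please confirm against it and, if it is the class-name form, change the line to `if name == "pluginconfig":`. Like the `featureflag` case, this early return bypasses the `API_SCOPE_OBJECTS` membership check, so it relies on `"plugin"` being a valid `APIScopeObject`; a short comment stating that the PluginConfig model is authorised under the `plugin` resource would help the next reader. `model_to_resource` starts before the hunk and continues after it.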
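Review bot: `common_filters["team__organization_id"] = str(self._organization_id)` coerces the value with no explanation, and the sibling branch two lines up still passes `self._team.id` raw, so a reader cannot tell why only the organization id needs to be a string. If `self._organization_id` can be unset, `str(None)` yields the literal `"None"`, which turns a missing organization into a filter value that either matches nothing or fails at query time depending on the field type; since these filters decide which access-control rows apply, a silently empty result here deserves an explicit guard rather than a coerced value. Suggest a comment on the line giving the reason, e.g. `# organization_id is stringified because <reason> — the queryset filter does not accept the raw value` with the reason filled in, plus a check such as `if self._organization_id is None: raise ValueError("organization_id is required for organization-scoped access controls")` before the assignment. The enclosing `_access_controls_filters_for_queryset` starts outside the hunk.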