feat: WIP rbac #20864

Draft
wants to merge 314 commits into
base: master
from

Commits
314 commits
15c6895
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 18, 2024
7198965
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 18, 2024
8e5829c
Fixes
benjackwhite Mar 18, 2024
bd599bd
Fixes
benjackwhite Mar 18, 2024
cf9999e
Merge branch 'rbac' of github.com:PostHog/posthog into rbac
benjackwhite Mar 18, 2024
bdac00d
Merge branch 'master' into rbac
benjackwhite Mar 18, 2024
5a3bfd8
Update query snapshots
github-actions[bot] Mar 18, 2024
30003b6
Merge branch 'refactor/upgrade-modal' into rbac
benjackwhite Mar 18, 2024
ee741c5
Fixes
benjackwhite Mar 18, 2024
e85484a
Added permissions checking
benjackwhite Mar 18, 2024
ac9b72c
Fix
benjackwhite Mar 18, 2024
bad7548
Fixes
benjackwhite Mar 18, 2024
dbe6f63
Fixes
benjackwhite Mar 18, 2024
bf41c16
Update query snapshots
github-actions[bot] Mar 18, 2024
9ce4691
Fixes
benjackwhite Mar 18, 2024
740b772
Update query snapshots
github-actions[bot] Mar 18, 2024
5409eb7
Fixes
benjackwhite Mar 18, 2024
fb46133
Added check endpoint
benjackwhite Mar 18, 2024
b472f78
Merge branch 'rbac' of github.com:PostHog/posthog into rbac
benjackwhite Mar 18, 2024
42c78dc
Update query snapshots
github-actions[bot] Mar 18, 2024
6b1c76e
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 18, 2024
6b6f3bf
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 18, 2024
bfc3fbb
Fix
benjackwhite Mar 19, 2024
7746ae4
Merge branch 'rbac' of github.com:PostHog/posthog into rbac
benjackwhite Mar 19, 2024
2b1f015
Fix
benjackwhite Mar 19, 2024
db83128
Fixes
benjackwhite Mar 19, 2024
09a0358
Fixes all round
benjackwhite Mar 19, 2024
c0c68b8
fixes
benjackwhite Mar 19, 2024
73724b9
Make team required
benjackwhite Mar 19, 2024
0c86c73
Fixes
benjackwhite Mar 19, 2024
876ed1c
Fixes
benjackwhite Mar 19, 2024
9676173
Fix
benjackwhite Mar 19, 2024
4db65b1
Added more stuff
benjackwhite Mar 19, 2024
f56598e
Fixes
benjackwhite Mar 19, 2024
1e17fa3
Merge branch 'master' into rbac
benjackwhite Mar 19, 2024
50c190a
Update query snapshots
github-actions[bot] Mar 19, 2024
3f5d280
Update UI snapshots for `chromium` (1)
github-actions[bot] Mar 19, 2024
8b04f28
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 19, 2024
784d280
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 19, 2024
eaab720
Merge branch 'master' into rbac
benjackwhite Mar 19, 2024
a0ab828
Update UI snapshots for `chromium` (1)
github-actions[bot] Mar 19, 2024
c73a7d4
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 19, 2024
8e07413
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 19, 2024
d2cddc2
Merge branch 'master' into rbac
benjackwhite Mar 20, 2024
839ee79
Fixes
benjackwhite Mar 20, 2024
6dcab3c
Swapping over to proper object based checking
benjackwhite Mar 20, 2024
2247348
Fixes
benjackwhite Mar 20, 2024
d1d0a6d
Fixes
benjackwhite Mar 21, 2024
165f146
Swaps
benjackwhite Mar 21, 2024
abfd61d
Move things over to be based on api response
benjackwhite Mar 21, 2024
fcd85c2
Fixes
benjackwhite Mar 21, 2024
a660f67
Added warning banner
benjackwhite Mar 21, 2024
d774284
Fixes
benjackwhite Mar 21, 2024
8603847
Added controls to flags
benjackwhite Mar 21, 2024
79d920d
Fixes types
benjackwhite Mar 21, 2024
00892e0
Refactored activity scope
benjackwhite Mar 21, 2024
b6c5c9a
Fixed up access control
benjackwhite Mar 21, 2024
9fae6a6
Added scene logics
benjackwhite Mar 21, 2024
fa5bb53
Context everywhere
benjackwhite Mar 21, 2024
a84f8ca
Fixes
benjackwhite Mar 21, 2024
fc2dc97
Fixes
benjackwhite Mar 21, 2024
0c81c8d
Fixes
benjackwhite Mar 21, 2024
d51de25
Fixes
benjackwhite Mar 21, 2024
72ddd28
Fixes
benjackwhite Mar 21, 2024
3cb6f31
Added note about remaining tests to be added
benjackwhite Mar 21, 2024
9734354
Fixes
benjackwhite Mar 21, 2024
f2a6f50
Started adding access level
benjackwhite Mar 22, 2024
3086bdd
Merge branch 'master' into rbac
benjackwhite Mar 22, 2024
a613ae6
merge fixes
benjackwhite Mar 22, 2024
a3e594d
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 22, 2024
3f922d8
Fix current project checker
benjackwhite Mar 22, 2024
88ad6b3
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 22, 2024
4364290
Add filtering controls
benjackwhite Mar 22, 2024
709f8ee
Merge branch 'rbac' of github.com:PostHog/posthog into rbac
benjackwhite Mar 25, 2024
f15070e
Fixes
benjackwhite Mar 25, 2024
e6e30ca
Fixes
benjackwhite Mar 25, 2024
d9fc0c5
Add comments
benjackwhite Mar 25, 2024
1101b53
Fixes
benjackwhite Mar 25, 2024
33070ed
Fixes
benjackwhite Mar 25, 2024
b4b6fb7
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 25, 2024
a798f3f
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 25, 2024
150bfdf
Fixes
benjackwhite Mar 25, 2024
c156013
Merge branch 'rbac' of github.com:PostHog/posthog into rbac
benjackwhite Mar 25, 2024
29fcdbe
Fixed permissions
benjackwhite Mar 25, 2024
26bfb8f
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 25, 2024
8446cc7
Fix
benjackwhite Mar 25, 2024
fefa5b3
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 25, 2024
84d720d
Fixes
benjackwhite Mar 25, 2024
492716f
Merge branch 'rbac' of github.com:PostHog/posthog into rbac
benjackwhite Mar 25, 2024
920a6da
Fixes
benjackwhite Mar 25, 2024
f00f985
Fixes tests
benjackwhite Mar 25, 2024
8d86639
Fixes
benjackwhite Mar 25, 2024
d8bd56f
Fixes
benjackwhite Mar 25, 2024
9559bca
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 25, 2024
428931f
Fixes
benjackwhite Mar 26, 2024
3d9cdd1
Merge branch 'rbac' of github.com:PostHog/posthog into rbac
benjackwhite Mar 26, 2024
33a8666
Cache DB lookup calls
benjackwhite Mar 26, 2024
328bad7
Fix
benjackwhite Mar 26, 2024
137c67a
Merge branch 'master' into rbac
benjackwhite Mar 26, 2024
a9e02cc
Fixes
benjackwhite Mar 26, 2024
e3755a9
Update UI snapshots for `chromium` (1)
github-actions[bot] Mar 26, 2024
a3b56d0
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 26, 2024
1b0af82
Fix for if controls are disabled
benjackwhite Mar 26, 2024
c05fa43
Merge branch 'rbac' of github.com:PostHog/posthog into rbac
benjackwhite Mar 26, 2024
d256172
Fixed tests
benjackwhite Mar 26, 2024
b29ce32
Update query snapshots
github-actions[bot] Mar 26, 2024
3c5dc09
Fixed a bunch of tests
benjackwhite Mar 26, 2024
af886f7
Merge branch 'rbac' of github.com:PostHog/posthog into rbac
benjackwhite Mar 26, 2024
4cab91a
Fix tests
benjackwhite Mar 26, 2024
875d074
Update query snapshots
github-actions[bot] Mar 26, 2024
a1887ba
Fixed tests
benjackwhite Mar 26, 2024
1f8f739
Merge branch 'rbac' of github.com:PostHog/posthog into rbac
benjackwhite Mar 26, 2024
564421a
fix
benjackwhite Mar 26, 2024
9586bef
Fix up permissions check
benjackwhite Mar 26, 2024
18ef7f0
Fixes
benjackwhite Mar 26, 2024
01f164a
Added note
benjackwhite Mar 26, 2024
a850e22
Update UI snapshots for `chromium` (1)
github-actions[bot] Mar 26, 2024
bb1b098
Fixed types
benjackwhite Mar 26, 2024
1d509a8
fix
benjackwhite Mar 26, 2024
82f1f22
Fixes
benjackwhite Mar 26, 2024
1be9365
Update UI snapshots for `chromium` (1)
github-actions[bot] Mar 26, 2024
f277aac
Fixes
benjackwhite Mar 26, 2024
9cf090b
Merge branch 'rbac' of github.com:PostHog/posthog into rbac
benjackwhite Mar 26, 2024
4e523e0
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 26, 2024
4eb7d1a
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 26, 2024
37fce21
Fixes
benjackwhite Mar 26, 2024
b9b6dac
Fixed up tests
benjackwhite Mar 26, 2024
f56cfc9
Merge branch 'rbac' of github.com:PostHog/posthog into rbac
benjackwhite Mar 26, 2024
0f3875f
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 26, 2024
591cae4
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 26, 2024
ce51aa0
Type fixes
benjackwhite Mar 26, 2024
b3c0f77
mypy fixes
benjackwhite Mar 26, 2024
00a0312
Merge branch 'rbac' of github.com:PostHog/posthog into rbac
benjackwhite Mar 26, 2024
fed066d
Fix baseline
benjackwhite Mar 26, 2024
45fcaee
Fix
benjackwhite Mar 26, 2024
1b093d6
Filtered out search results
benjackwhite Mar 26, 2024
170687b
Fixed types
benjackwhite Mar 26, 2024
bdb981b
Update query snapshots
github-actions[bot] Mar 26, 2024
50f2aff
Fixes
benjackwhite Mar 26, 2024
3735754
Merge branch 'rbac' of github.com:PostHog/posthog into rbac
benjackwhite Mar 26, 2024
fdaba0d
Fix
benjackwhite Mar 26, 2024
11b4f4a
Fix tests
benjackwhite Mar 26, 2024
2c8eb15
Fix permissions message
benjackwhite Mar 26, 2024
909c3d4
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 26, 2024
f204973
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 26, 2024
86ef6be
Added test and mentioned optimizing
benjackwhite Mar 26, 2024
92f0b40
Merge branch 'rbac' of github.com:PostHog/posthog into rbac
benjackwhite Mar 26, 2024
3e91e51
Fixed up dashboard templates
benjackwhite Mar 27, 2024
dd0ed2e
Update query snapshots
github-actions[bot] Mar 27, 2024
388c1ff
Fixes
benjackwhite Mar 27, 2024
aefa59e
Merge branch 'rbac' of github.com:PostHog/posthog into rbac
benjackwhite Mar 27, 2024
2f5374c
Fix tests
benjackwhite Mar 27, 2024
7e5fbdf
Update query snapshots
github-actions[bot] Mar 27, 2024
34d079e
More optimisations
benjackwhite Mar 28, 2024
8f9ec09
Fix
benjackwhite Mar 28, 2024
1c37f90
Merge branch 'rbac' of github.com:PostHog/posthog into rbac
benjackwhite Mar 28, 2024
f324fee
Update UI snapshots for `chromium` (1)
github-actions[bot] Mar 28, 2024
0766a0a
Update UI snapshots for `chromium` (1)
github-actions[bot] Mar 28, 2024
72af322
Fix types
benjackwhite Mar 28, 2024
09f21f5
Fix snapshots
benjackwhite Mar 28, 2024
abe59f8
Merge branch 'master' into rbac
benjackwhite Mar 28, 2024
1c604ed
Fixes
benjackwhite Mar 28, 2024
c5a18f9
Fixed up notebook permissions
benjackwhite Mar 28, 2024
7b0f1ac
Fixes
benjackwhite Mar 28, 2024
f54ef1d
Fix
benjackwhite Mar 28, 2024
d28833e
Added access control info
benjackwhite Mar 28, 2024
f12017f
Update query snapshots
github-actions[bot] Mar 28, 2024
f31b77e
Connected can_edit
benjackwhite Mar 28, 2024
fd6f9a9
Merge branch 'rbac' of github.com:PostHog/posthog into rbac
benjackwhite Mar 28, 2024
56a1bf6
Fixes
benjackwhite Mar 28, 2024
b892b67
Fixes
benjackwhite Mar 28, 2024
f29fc91
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 28, 2024
740de46
Update query snapshots
github-actions[bot] Mar 28, 2024
5f864ec
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 28, 2024
a6bea70
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 28, 2024
8e81a0c
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 28, 2024
c03bd3c
Fixes
benjackwhite Mar 28, 2024
382e0ca
fix
benjackwhite Mar 28, 2024
767c06d
Merge branch 'rbac' of github.com:PostHog/posthog into rbac
benjackwhite Mar 28, 2024
5d43a3f
Fixes
benjackwhite Mar 28, 2024
a91a6bc
Update UI snapshots for `chromium` (2)
github-actions[bot] Mar 28, 2024
8730562
Merge branch 'master' into rbac
benjackwhite Apr 8, 2024
d9c1525
Update UI snapshots for `chromium` (1)
github-actions[bot] Apr 8, 2024
529eddf
Update UI snapshots for `chromium` (2)
github-actions[bot] Apr 8, 2024
a9948bc
Update UI snapshots for `chromium` (2)
github-actions[bot] Apr 8, 2024
abf3068
Merge branch 'master' into rbac
benjackwhite Apr 8, 2024
963135e
Update query snapshots
github-actions[bot] Apr 8, 2024
7c02e36
Update UI snapshots for `webkit` (2)
github-actions[bot] Apr 8, 2024
3659858
Update UI snapshots for `chromium` (1)
github-actions[bot] Apr 8, 2024
27bb9bc
Update UI snapshots for `webkit` (2)
github-actions[bot] Apr 8, 2024
a64d761
Update UI snapshots for `chromium` (1)
github-actions[bot] Apr 8, 2024
bfaf7c5
Fixes?
benjackwhite Apr 9, 2024
de94f30
Fixes
benjackwhite Apr 9, 2024
fac58ed
Update UI snapshots for `chromium` (1)
github-actions[bot] Apr 9, 2024
6929324
Merge branch 'master' into rbac
benjackwhite Apr 18, 2024
19f70b5
fix
benjackwhite Apr 18, 2024
2d8e95b
fix
benjackwhite Apr 18, 2024
f679ea2
Update query snapshots
github-actions[bot] Apr 18, 2024
bda87d8
Update query snapshots
github-actions[bot] Apr 18, 2024
b335c6c
Fixes
benjackwhite Apr 18, 2024
32e9ff5
Fix admin access
benjackwhite Apr 18, 2024
f9bd843
Update query snapshots
github-actions[bot] Apr 18, 2024
248912b
Merge branch 'master' into rbac
benjackwhite Apr 22, 2024
81d97bf
Fix for org access
benjackwhite Apr 22, 2024
427245e
Fixes
benjackwhite Apr 22, 2024
76c6726
merge
benjackwhite Apr 22, 2024
d623d3b
Fix tests
benjackwhite Apr 22, 2024
ef4fa0a
Fixes
benjackwhite Apr 22, 2024
1d4bbba
Fixed tests
benjackwhite Apr 22, 2024
f897827
Fixes
benjackwhite Apr 22, 2024
4a8a6b6
Fixes
benjackwhite Apr 22, 2024
fe6e143
Update query snapshots
github-actions[bot] Apr 22, 2024
457b3e7
Swap to always check queryset
benjackwhite Apr 22, 2024
11cc677
Update query snapshots
github-actions[bot] Apr 22, 2024
0472187
Merge branch 'master' into rbac
benjackwhite Apr 23, 2024
1e0cf64
Update query snapshots
github-actions[bot] Apr 23, 2024
7a02726
Update UI snapshots for `chromium` (2)
github-actions[bot] Apr 23, 2024
ec12494
Update UI snapshots for `chromium` (2)
github-actions[bot] Apr 23, 2024
70630af
Fix?
benjackwhite Apr 23, 2024
687a6e6
Merge branch 'master' into rbac
benjackwhite Apr 24, 2024
7fe0954
Fixes
benjackwhite Apr 24, 2024
445d300
Merge branch 'master' into rbac
benjackwhite Apr 25, 2024
b957ffc
Update query snapshots
github-actions[bot] Apr 25, 2024
9bc0ed6
Update query snapshots
github-actions[bot] Apr 25, 2024
60231cf
merge
benjackwhite Apr 26, 2024
7bd93b6
Update query snapshots
github-actions[bot] Apr 26, 2024
903878d
Merge branch 'master' into rbac
benjackwhite May 6, 2024
c2ef85e
Fix?
benjackwhite May 6, 2024
394476d
Fix double access
benjackwhite May 6, 2024
526cfff
Fix
benjackwhite May 6, 2024
8eafd63
Update query snapshots
github-actions[bot] May 6, 2024
695db54
Fixes
benjackwhite May 6, 2024
6a2b4f9
Fix logic
benjackwhite May 6, 2024
aa3ae07
Merge branch 'rbac' of github.com:PostHog/posthog into rbac
benjackwhite May 6, 2024
ce7a020
Update UI snapshots for `chromium` (1)
github-actions[bot] May 6, 2024
9126bb9
Merge branch 'master' into rbac
benjackwhite Sep 20, 2024
7225430
Fix up logic
benjackwhite Sep 20, 2024
10ebba7
Update UI snapshots for `chromium` (1)
github-actions[bot] Sep 20, 2024
dae775b
Update UI snapshots for `chromium` (2)
github-actions[bot] Sep 20, 2024
cd72eef
Update query snapshots
github-actions[bot] Sep 20, 2024
c084f16
Fixes
benjackwhite Sep 20, 2024
d2ca7a4
Fixes
benjackwhite Sep 20, 2024
50ade6c
fix
benjackwhite Sep 20, 2024
bd09693
Merge branch 'rbac' of github.com:PostHog/posthog into rbac
benjackwhite Sep 20, 2024
9c3be64
Fixes
benjackwhite Sep 20, 2024
bad6a65
fix
benjackwhite Sep 20, 2024
06d75c1
Merge master in
zlwaterfield Oct 22, 2024
987edcf
Update UI snapshots for `chromium` (1)
github-actions[bot] Oct 22, 2024
5e85bb4
Update query snapshots
github-actions[bot] Oct 22, 2024
29abec6
Update UI snapshots for `chromium` (2)
github-actions[bot] Oct 22, 2024
6 changes: 3 additions & 3 deletions ee/api/feature_flag_role_access.py
@@ -1,10 +1,10 @@
from rest_framework import exceptions, mixins, serializers, viewsets
from rest_framework.permissions import SAFE_METHODS, BasePermission

from ee.api.role import RoleSerializer
from ee.api.rbac.role import RoleSerializer
from ee.models.feature_flag_role_access import FeatureFlagRoleAccess
from ee.models.organization_resource_access import OrganizationResourceAccess
from ee.models.role import Role
from ee.models.rbac.organization_resource_access import OrganizationResourceAccess
from ee.models.rbac.role import Role
from posthog.api.feature_flag import FeatureFlagSerializer
from posthog.api.routing import TeamAndOrgViewSetMixin
from posthog.models import FeatureFlag
192 changes: 192 additions & 0 deletions ee/api/rbac/access_control.py
@@ -0,0 +1,192 @@
from typing import TYPE_CHECKING, cast


from rest_framework import exceptions, serializers, status
from rest_framework.decorators import action
from rest_framework.request import Request
from rest_framework.response import Response
from rest_framework.viewsets import GenericViewSet

from ee.models.rbac.access_control import AccessControl
from posthog.models.scopes import API_SCOPE_OBJECTS, APIScopeObjectOrNotSupported
from posthog.models.team.team import Team
from posthog.rbac.user_access_control import (
ACCESS_CONTROL_LEVELS_RESOURCE,
UserAccessControl,
default_access_level,
highest_access_level,
ordered_access_levels,
)


if TYPE_CHECKING:
_GenericViewSet = GenericViewSet
else:
_GenericViewSet = object


class AccessControlSerializer(serializers.ModelSerializer):
access_level = serializers.CharField(allow_null=True)

class Meta:
model = AccessControl
fields = [
"resource",
"resource_id",
"access_level",
"organization_member",
"role",
"created_by",
"created_at",
"updated_at",
]
read_only_fields = ["id", "created_at", "created_by"]

def validate_resource(self, resource):
if resource not in API_SCOPE_OBJECTS:
raise serializers.ValidationError("Invalid resource. Must be one of: {}".format(API_SCOPE_OBJECTS))

return resource

# validate that access control is a valid option
def validate_access_level(self, access_level):
if access_level and access_level not in ordered_access_levels(self.initial_data["resource"]):
raise serializers.ValidationError(
f"Invalid access level. Must be one of: {', '.join(ordered_access_levels(self.initial_data['resource']))}"
)

return access_level

def validate(self, data):
context = self.context
# Ensure that only one of organization_member or role is set
if data.get("organization_member") and data.get("role"):
raise serializers.ValidationError("You can not scope an access control to both a member and a role.")

access_control = cast(UserAccessControl, self.context["view"].user_access_control)
resource = data["resource"]
resource_id = data.get("resource_id")

# We assume the highest level is required for the given resource to edit access controls
required_level = highest_access_level(resource)
team = context["view"].team
the_object = context["view"].get_object()

if resource_id:
# Check that they have the right access level for this specific resource object
if not access_control.check_can_modify_access_levels_for_object(the_object):
raise exceptions.PermissionDenied(f"Must be {required_level} to modify {resource} permissions.")
else:
# If modifying the base resource rules then we are checking the parent membership (project or organization)
# NOTE: Currently we only support org level in the UI so its simply an org level check
if not access_control.check_can_modify_access_levels_for_object(team):
raise exceptions.PermissionDenied("Must be an Organization admin to modify project-wide permissions.")

return data


class AccessControlViewSetMixin(_GenericViewSet):
"""
Adds an "access_controls" action to the viewset that handles access control for the given resource

Why a mixin? We want to easily add this to any existing resource, including providing easy helpers for adding access control info such
as the current users access level to any response.
"""

# 1. Know that the project level access is covered by the Permission check
# 2. Get the actual object which we can pass to the serializer to check if the user created it
# 3. We can also use the serializer to check the access level for the object

def _get_access_control_serializer(self, *args, **kwargs):
kwargs.setdefault("context", self.get_serializer_context())
return AccessControlSerializer(*args, **kwargs)

def _get_access_controls(self, request: Request, is_global=False):
resource = cast(APIScopeObjectOrNotSupported, getattr(self, "scope_object", None))
user_access_control = cast(UserAccessControl, self.user_access_control) # type: ignore
team = cast(Team, self.team) # type: ignore

if is_global and resource != "project" or not resource or resource == "INTERNAL":
raise exceptions.NotFound("Role based access controls are only available for projects.")

obj = self.get_object()
resource_id = obj.id

if is_global:
# If role based then we are getting all controls for the project that aren't specific to a resource
access_controls = AccessControl.objects.filter(team=team, resource_id=None).all()
else:
# Otherwise we are getting all controls for the specific resource
access_controls = AccessControl.objects.filter(team=team, resource=resource, resource_id=resource_id).all()

serializer = self._get_access_control_serializer(instance=access_controls, many=True)
user_access_level = user_access_control.access_level_for_object(obj, resource)

return Response(
{
"access_controls": serializer.data,
# NOTE: For Role based controls we are always configuring resource level items
"available_access_levels": ACCESS_CONTROL_LEVELS_RESOURCE
if is_global
else ordered_access_levels(resource),
"default_access_level": "editor" if is_global else default_access_level(resource),
"user_access_level": user_access_level,
"user_can_edit_access_levels": user_access_control.check_can_modify_access_levels_for_object(obj),
}
)

def _update_access_controls(self, request: Request, is_global=False):
resource = getattr(self, "scope_object", None)
obj = self.get_object()
resource_id = str(obj.id)
team = cast(Team, self.team) # type: ignore

# Generically validate the incoming data
if not is_global:
# If not role based we are deriving from the viewset
data = request.data
data["resource"] = resource
data["resource_id"] = resource_id

partial_serializer = self._get_access_control_serializer(data=request.data)
partial_serializer.is_valid(raise_exception=True)
params = partial_serializer.validated_data

instance = AccessControl.objects.filter(
team=team,
resource=params["resource"],
resource_id=params.get("resource_id"),
organization_member=params.get("organization_member"),
role=params.get("role"),
).first()

if params["access_level"] is None:
if instance:
instance.delete()
return Response(status=status.HTTP_204_NO_CONTENT)

# Perform the upsert
if instance:
serializer = self._get_access_control_serializer(instance, data=request.data)
else:
serializer = self._get_access_control_serializer(data=request.data)

serializer.is_valid(raise_exception=True)
serializer.validated_data["team"] = team
serializer.save()

return Response(serializer.data, status=status.HTTP_200_OK)

@action(methods=["GET", "PUT"], detail=True)
def access_controls(self, request: Request, *args, **kwargs):
if request.method == "PUT":
return self._update_access_controls(request)

return self._get_access_controls(request)

@action(methods=["GET", "PUT"], detail=True)
def global_access_controls(self, request: Request, *args, **kwargs):
if request.method == "PUT":
return self._update_access_controls(request, is_global=True)

return self._get_access_controls(request, is_global=True)
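Review bot: `validate(self, data)` in `AccessControlSerializer` rejects setting both `organization_member` and `role`, but nothing checks that the member or role it does accept belongs to the organization that owns `team`; the serializer declares no restricted queryset for those two FK fields, so a caller can bind an access control on this project to a role or membership from another organization. Add a scoping check next to the existing one, for example `if data.get("role") and data["role"].organization_id != team.organization_id: raise serializers.ValidationError("Role belongs to a different organization")`, and the equivalent for `organization_member`. Two smaller points in the same file: `validate_access_level` reads `self.initial_data["resource"]` directly, so a `global_access_controls` PUT that omits `resource` raises `KeyError` (a 500) instead of the field-level "required" error; use `self.initial_data.get("resource")`. And `_update_access_controls` sets only `serializer.validated_data["team"] = team` before `save()`, so `created_by`, which `Meta` marks read-only, is never populated; pass `created_by=request.user` into `save()` so the row records who granted the access.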
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
from rest_framework import mixins, serializers, viewsets
from ee.api.rbac.role import RolePermissions

from ee.api.role import RolePermissions
from ee.models.organization_resource_access import OrganizationResourceAccess
from ee.models.rbac.organization_resource_access import OrganizationResourceAccess
from posthog.api.routing import TeamAndOrgViewSetMixin


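Review bot: the new `from ee.api.rbac.role import RolePermissions` line sits in the third-party group directly under `from rest_framework import mixins, serializers, viewsets`, while the `from ee.api.role import RolePermissions` line it replaces lived in the first-party block below the blank line; move it down next to the other `ee.` imports so the grouping matches the other files touched in this PR.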
35 changes: 9 additions & 26 deletions ee/api/role.py → ee/api/rbac/role.py
@@ -4,15 +4,15 @@
from rest_framework import mixins, serializers, viewsets
from rest_framework.permissions import SAFE_METHODS, BasePermission

from ee.models.feature_flag_role_access import FeatureFlagRoleAccess
from ee.models.organization_resource_access import OrganizationResourceAccess
from ee.models.role import Role, RoleMembership
from ee.models.rbac.organization_resource_access import OrganizationResourceAccess
from ee.models.rbac.role import Role, RoleMembership
from posthog.api.organization_member import OrganizationMemberSerializer
from posthog.api.routing import TeamAndOrgViewSetMixin
from posthog.api.shared import UserBasicSerializer
from posthog.constants import AvailableFeature
from posthog.models import OrganizationMembership
from posthog.models.feature_flag import FeatureFlag
from posthog.models.user import User
from posthog.permissions import PremiumFeaturePermission


class RolePermissions(BasePermission):
@@ -38,7 +38,6 @@ def has_permission(self, request, view):
class RoleSerializer(serializers.ModelSerializer):
created_by = UserBasicSerializer(read_only=True)
members = serializers.SerializerMethodField()
associated_flags = serializers.SerializerMethodField()

class Meta:
model = Role
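Review bot: removing `associated_flags` from `RoleSerializer` drops a field from the role API response, which is a breaking change for any client that reads it. The `FeatureFlagRoleAccess` model the field was built from is still imported and used in ee/api/feature_flag_role_access.py in this same diff, so either keep the field until that model is retired, or call out the removal and the replacement lookup for API consumers in the PR description.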
@@ -49,7 +48,6 @@ class Meta:
"created_at",
"created_by",
"members",
"associated_flags",
]
read_only_fields = ["id", "created_at", "created_by"]

@@ -75,29 +73,13 @@ def get_members(self, role: Role):
members = RoleMembership.objects.filter(role=role)
return RoleMembershipSerializer(members, many=True).data

def get_associated_flags(self, role: Role):
associated_flags: list[dict] = []

role_access_objects = FeatureFlagRoleAccess.objects.filter(role=role).values_list("feature_flag_id")
flags = FeatureFlag.objects.filter(id__in=role_access_objects)
for flag in flags:
associated_flags.append({"id": flag.id, "key": flag.key})
return associated_flags


class RoleViewSet(
TeamAndOrgViewSetMixin,
mixins.ListModelMixin,
mixins.CreateModelMixin,
mixins.RetrieveModelMixin,
mixins.UpdateModelMixin,
mixins.DestroyModelMixin,
viewsets.GenericViewSet,
):
class RoleViewSet(TeamAndOrgViewSetMixin, viewsets.ModelViewSet):
scope_object = "organization"
permission_classes = [RolePermissions]
serializer_class = RoleSerializer
queryset = Role.objects.all()
permission_classes = [RolePermissions, PremiumFeaturePermission]
premium_feature = AvailableFeature.ROLE_BASED_ACCESS

def safely_get_queryset(self, queryset):
return queryset.filter(**self.request.GET.dict())
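Review bot: `safely_get_queryset` is unchanged context, but now that `RoleViewSet` is a full `ModelViewSet` it is worth fixing in this pass: `queryset.filter(**self.request.GET.dict())` turns every query-string key into an ORM lookup verbatim, so a client can filter on any field or relation reachable from `Role` (for example a `created_by__...` lookup against the related user), and an unknown key raises `FieldError`, which surfaces as a 500. Restrict filtering to an explicit allowlist of field names (or a `FilterSet`) and reject or ignore anything else. Collapsing the six mixins into `viewsets.ModelViewSet` and gating the viewset on `AvailableFeature.ROLE_BASED_ACCESS` through `PremiumFeaturePermission` both look right.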
@@ -139,7 +121,8 @@ class RoleMembershipViewSet(
viewsets.GenericViewSet,
):
scope_object = "organization"
permission_classes = [RolePermissions]
permission_classes = [RolePermissions, PremiumFeaturePermission]
premium_feature = AvailableFeature.ROLE_BASED_ACCESS
serializer_class = RoleMembershipSerializer
queryset = RoleMembership.objects.select_related("role")
filter_rewrite_rules = {"organization_id": "role__organization_id"}