From 6081283afc5ab5a6503c8f0f81181cd323b12297 Mon Sep 17 00:00:00 2001
From: Mani Chandra <84711804+ThisIsMani@users.noreply.github.com>
Date: Mon, 16 Dec 2024 14:24:54 +0530
Subject: [PATCH] refactor(authz): Make connector list accessible by operation groups (#6792)
---
 crates/router/src/routes/admin.rs | 5 ++++-
 .../src/services/authorization/permission_groups.rs | 8 ++++++--
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/crates/router/src/routes/admin.rs b/crates/router/src/routes/admin.rs
index 80d22ad22bf6..a57fd56e6c84 100644
--- a/crates/router/src/routes/admin.rs
+++ b/crates/router/src/routes/admin.rs
@@ -431,7 +431,10 @@ pub async fn connector_retrieve(
 &auth::AdminApiAuthWithMerchantIdFromHeader,
 &auth::JWTAuthMerchantFromRoute {
 merchant_id,
- required_permission: Permission::ProfileConnectorRead,
+ // This should ideally be ProfileConnectorRead, but since this API responds with
+ // sensitive data, keeping this as ProfileConnectorWrite
+ // TODO: Convert this to ProfileConnectorRead once data is masked.
+ required_permission: Permission::ProfileConnectorWrite,
 },
 req.headers(),
 ),
diff --git a/crates/router/src/services/authorization/permission_groups.rs b/crates/router/src/services/authorization/permission_groups.rs
index 14eda547e883..ceb943950d52 100644
--- a/crates/router/src/services/authorization/permission_groups.rs
+++ b/crates/router/src/services/authorization/permission_groups.rs
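Review bot: The comment added above `required_permission` in `connector_retrieve` explains why Write is required, but it carries no tracking reference and nothing stops the TODO from being applied before masking exists. Because the other hunk in this patch adds `ConnectorsView` to both operations groups, lowering this line back to `ProfileConnectorRead` too early would presumably expose the sensitive response to operations users. I would word it as `// SECURITY: response is not masked yet; keep ProfileConnectorWrite until masking ships (tracking: <issue-id placeholder>)` and add a test that a caller holding only a connector-view group is rejected by this route. The function body starts and ends outside the hunk, so the response fields themselves are not visible here.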
@@ -61,8 +61,12 @@ impl PermissionGroupExt for PermissionGroup {
 fn accessible_groups(&self) -> Vec {
 match self {
- Self::OperationsView => vec![Self::OperationsView],
- Self::OperationsManage => vec![Self::OperationsView, Self::OperationsManage],
+ Self::OperationsView => vec![Self::OperationsView, Self::ConnectorsView],
+ Self::OperationsManage => vec![
+ Self::OperationsView,
+ Self::OperationsManage,
+ Self::ConnectorsView,
+ ],
 Self::ConnectorsView => vec![Self::ConnectorsView],
 Self::ConnectorsManage => vec![Self::ConnectorsView, Self::ConnectorsManage],
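Review bot: Adding `Self::ConnectorsView` to the `OperationsView` and `OperationsManage` arms widens every route gated on a connector read permission, not only the connector list named in the subject, and this patch tightens just one such route (`connector_retrieve`). The other handlers are not visible here, so it is worth confirming that none of them returns the same unmasked connector data under a read-level permission. A short comment above the two arms would keep the constraint visible: `// Operations groups get ConnectorsView for the connector list only; routes returning unmasked connector data must require a write-level permission.` The `match` continues outside the hunk.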