chore: Adding migrations to remove unassign permission from workspace developer and workspace app viewer roles (#27059)

Co-authored-by: Nilesh Sarupriya <20905988+nsarupr@users.noreply.github.com>
2023-10-04 16:44:12 +05:30 · 2023-10-04 16:44:12 +05:30 · 62813928b5
commit 62813928b5
parent 7fcba247c9
2 changed files with 71 additions and 0 deletions
--- a/app/server/appsmith-server/src/main/java/com/appsmith/server/migrations/db/ce/Migration025RemoveUnassignPermissionFromUnnecessaryRoles.java
+++ b/app/server/appsmith-server/src/main/java/com/appsmith/server/migrations/db/ce/Migration025RemoveUnassignPermissionFromUnnecessaryRoles.java
@ -0,0 +1,70 @@
+package com.appsmith.server.migrations.db.ce;
+
+import com.appsmith.external.models.Policy;
+import com.appsmith.server.domains.PermissionGroup;
+import com.appsmith.server.domains.QPermissionGroup;
+import com.appsmith.server.domains.Workspace;
+import io.mongock.api.annotations.ChangeUnit;
+import io.mongock.api.annotations.Execution;
+import io.mongock.api.annotations.RollbackExecution;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.data.mongodb.core.MongoTemplate;
+import org.springframework.data.mongodb.core.query.Criteria;
+import org.springframework.data.mongodb.core.query.Query;
+import org.springframework.data.mongodb.core.query.Update;
+
+import java.util.Optional;
+
+import static com.appsmith.server.migrations.utils.CompatibilityUtils.optimizeQueryForNoCursorTimeout;
+import static com.appsmith.server.repositories.ce.BaseAppsmithRepositoryCEImpl.fieldName;
+import static org.springframework.data.mongodb.core.query.Criteria.where;
+import static org.springframework.data.mongodb.core.query.Query.query;
+
+@Slf4j
+@RequiredArgsConstructor
+@ChangeUnit(order = "025", id = "remove-unassign-permission-from-workspace-dev-viewer-roles")
+public class Migration025RemoveUnassignPermissionFromUnnecessaryRoles {
+
+    private final MongoTemplate mongoTemplate;
+
+    @RollbackExecution
+    public void rollbackExecution() {}
+
+    @Execution
+    public void executeMigration() {
+
+        // Fetch all default workspace roles except administrators
+        Criteria workspaceDeveloperAndAppViewerRolesCriteria = new Criteria()
+                .andOperator(
+                        Criteria.where("defaultDomainType").is(Workspace.class.getSimpleName()),
+                        Criteria.where("name").not().regex("^Administrator - .*"));
+
+        Query queryInterestingPermissionGroups = new Query(workspaceDeveloperAndAppViewerRolesCriteria);
+        queryInterestingPermissionGroups.fields().include("id");
+        queryInterestingPermissionGroups.fields().include("policies");
+
+        Query optimizedQueryForInterestingPermissionGroups =
+                optimizeQueryForNoCursorTimeout(mongoTemplate, queryInterestingPermissionGroups, PermissionGroup.class);
+
+        mongoTemplate.stream(optimizedQueryForInterestingPermissionGroups, PermissionGroup.class)
+                .forEach(permissionGroup -> {
+                    Optional<Policy> optionalUnassignPolicy = permissionGroup.getPolicies().stream()
+                            .filter(policy -> policy.getPermission().equals("unassign:permissionGroups"))
+                            .findFirst();
+
+                    if (!optionalUnassignPolicy.isPresent()) {
+                        return;
+                    }
+
+                    Policy unAssignPolicy = optionalUnassignPolicy.get();
+                    unAssignPolicy.getPermissionGroups().remove(permissionGroup.getId());
+
+                    mongoTemplate.updateFirst(
+                            query(where(fieldName(QPermissionGroup.permissionGroup.id))
+                                    .is(permissionGroup.getId())),
+                            new Update().set("policies", permissionGroup.getPolicies()),
+                            PermissionGroup.class);
+                });
+    }
+}
--- a/app/server/appsmith-server/src/main/java/com/appsmith/server/services/ce/WorkspaceServiceCEImpl.java
+++ b/app/server/appsmith-server/src/main/java/com/appsmith/server/services/ce/WorkspaceServiceCEImpl.java
@ -320,6 +320,7 @@ public class WorkspaceServiceCEImpl extends BaseService<WorkspaceRepository, Wor
                .map(permissionGroup ->
                        new Permission(permissionGroup.getId(), AclPermission.READ_PERMISSION_GROUP_MEMBERS))
                .collect(Collectors.toSet());
+        // All the default permission groups should be unassignable by the administrator role of the workspace
        Set<Permission> unassignPermissionGroupPermissions = permissionGroups.stream()
                .map(permissionGroup ->
                        new Permission(permissionGroup.getId(), AclPermission.UNASSIGN_PERMISSION_GROUPS))