From 62813928b524ab7b0d0b283343f8a03f4a01d368 Mon Sep 17 00:00:00 2001
From: Trisha Anand
Date: Wed, 4 Oct 2023 16:44:12 +0530
Subject: [PATCH] chore: Adding migrations to remove unassign permission from workspace developer and workspace app viewer roles (#27059)
Co-authored-by: Nilesh Sarupriya <20905988+nsarupr@users.noreply.github.com>
---
 ...nassignPermissionFromUnnecessaryRoles.java | 70 +++++++++++++++++++
 .../services/ce/WorkspaceServiceCEImpl.java | 1 +
 2 files changed, 71 insertions(+)
 create mode 100644 app/server/appsmith-server/src/main/java/com/appsmith/server/migrations/db/ce/Migration025RemoveUnassignPermissionFromUnnecessaryRoles.java
diff --git a/app/server/appsmith-server/src/main/java/com/appsmith/server/migrations/db/ce/Migration025RemoveUnassignPermissionFromUnnecessaryRoles.java b/app/server/appsmith-server/src/main/java/com/appsmith/server/migrations/db/ce/Migration025RemoveUnassignPermissionFromUnnecessaryRoles.java
new file mode 100644
index 0000000000..d3ef3b2158
--- /dev/null
+++ b/app/server/appsmith-server/src/main/java/com/appsmith/server/migrations/db/ce/Migration025RemoveUnassignPermissionFromUnnecessaryRoles.java
@@ -0,0 +1,70 @@
+package com.appsmith.server.migrations.db.ce;
+
+import com.appsmith.external.models.Policy;
+import com.appsmith.server.domains.PermissionGroup;
+import com.appsmith.server.domains.QPermissionGroup;
+import com.appsmith.server.domains.Workspace;
+import io.mongock.api.annotations.ChangeUnit;
+import io.mongock.api.annotations.Execution;
+import io.mongock.api.annotations.RollbackExecution;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.data.mongodb.core.MongoTemplate;
+import org.springframework.data.mongodb.core.query.Criteria;
+import org.springframework.data.mongodb.core.query.Query;
+import org.springframework.data.mongodb.core.query.Update;
+
+import java.util.Optional;
+
+import static com.appsmith.server.migrations.utils.CompatibilityUtils.optimizeQueryForNoCursorTimeout;
+import static com.appsmith.server.repositories.ce.BaseAppsmithRepositoryCEImpl.fieldName;
+import static org.springframework.data.mongodb.core.query.Criteria.where;
+import static org.springframework.data.mongodb.core.query.Query.query;
+
+@Slf4j
+@RequiredArgsConstructor
+@ChangeUnit(order = "025", id = "remove-unassign-permission-from-workspace-dev-viewer-roles")
+public class Migration025RemoveUnassignPermissionFromUnnecessaryRoles {
+
+ private final MongoTemplate mongoTemplate;
+
+ @RollbackExecution
+ public void rollbackExecution() {}
+
+ @Execution
+ public void executeMigration() {
+
+ // Fetch all default workspace roles except administrators
+ Criteria workspaceDeveloperAndAppViewerRolesCriteria = new Criteria()
+ .andOperator(
+ Criteria.where("defaultDomainType").is(Workspace.class.getSimpleName()),
+ Criteria.where("name").not().regex("^Administrator - .*"));
+
+ Query queryInterestingPermissionGroups = new Query(workspaceDeveloperAndAppViewerRolesCriteria);
+ queryInterestingPermissionGroups.fields().include("id");
+ queryInterestingPermissionGroups.fields().include("policies");
+
+ Query optimizedQueryForInterestingPermissionGroups =
+ optimizeQueryForNoCursorTimeout(mongoTemplate, queryInterestingPermissionGroups, PermissionGroup.class);
+
+ mongoTemplate.stream(optimizedQueryForInterestingPermissionGroups, PermissionGroup.class)
+ .forEach(permissionGroup -> {
+ Optional optionalUnassignPolicy = permissionGroup.getPolicies().stream()
+ .filter(policy -> policy.getPermission().equals("unassign:permissionGroups"))
+ .findFirst();
+
+ if (!optionalUnassignPolicy.isPresent()) {
+ return;
+ }
+
+ Policy unAssignPolicy = optionalUnassignPolicy.get();
+ unAssignPolicy.getPermissionGroups().remove(permissionGroup.getId());
+
+ mongoTemplate.updateFirst(
+ query(where(fieldName(QPermissionGroup.permissionGroup.id))
+ .is(permissionGroup.getId())),
+ new Update().set("policies", permissionGroup.getPolicies()),
+ PermissionGroup.class);
+ });
+ }
+}
diff --git a/app/server/appsmith-server/src/main/java/com/appsmith/server/services/ce/WorkspaceServiceCEImpl.java b/app/server/appsmith-server/src/main/java/com/appsmith/server/services/ce/WorkspaceServiceCEImpl.java
index 3b9853f412..622acd1a82 100644
--- a/app/server/appsmith-server/src/main/java/com/appsmith/server/services/ce/WorkspaceServiceCEImpl.java
+++ b/app/server/appsmith-server/src/main/java/com/appsmith/server/services/ce/WorkspaceServiceCEImpl.java
@@ -320,6 +320,7 @@ public class WorkspaceServiceCEImpl extends BaseService
 new Permission(permissionGroup.getId(), AclPermission.READ_PERMISSION_GROUP_MEMBERS))
 .collect(Collectors.toSet());
+ // All the default permission groups should be unassignable by the administrator role of the workspace
 Set unassignPermissionGroupPermissions = permissionGroups.stream()
 .map(permissionGroup -> new Permission(permissionGroup.getId(), AclPermission.UNASSIGN_PERMISSION_GROUPS))
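Review bot: In `executeMigration` of Migration025RemoveUnassignPermissionFromUnnecessaryRoles, the `forEach` lambda calls `permissionGroup.getPolicies().stream()` and `unAssignPolicy.getPermissionGroups().remove(...)` with no null guard, so a single role document without `policies` would throw mid-stream and leave the unassign grant removed from only some roles while `rollbackExecution` is empty. Guard it with `if (permissionGroup.getPolicies() == null) { return; }` and write only when something changed, `if (!unAssignPolicy.getPermissionGroups().remove(permissionGroup.getId())) { return; }`, which also avoids rewriting `policies` for roles that never held the grant. Since this migration changes access control, a `log.info` with the number of roles updated would give operators a record to check afterwards; the class already carries `@Slf4j` but logs nothing. The selection also keys on the display name via `regex("^Administrator - .*")`, which presumably holds only while default role names keep that prefix, so that assumption is worth a comment above the criteria.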