chore: Adding migrations to remove unassign permission from workspace developer and workspace app viewer roles (#27059)

Co-authored-by: Nilesh Sarupriya <20905988+nsarupr@users.noreply.github.com>
Trisha Anand 2023-10-04 16:44:12 +05:30 committed by GitHub
parent 7fcba247c9
commit 62813928b5
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 71 additions and 0 deletions


@ -0,0 +1,70 @@
package com.appsmith.server.migrations.db.ce;
import com.appsmith.external.models.Policy;
import com.appsmith.server.domains.PermissionGroup;
import com.appsmith.server.domains.QPermissionGroup;
import com.appsmith.server.domains.Workspace;
import io.mongock.api.annotations.ChangeUnit;
import io.mongock.api.annotations.Execution;
import io.mongock.api.annotations.RollbackExecution;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.data.mongodb.core.MongoTemplate;
import org.springframework.data.mongodb.core.query.Criteria;
import org.springframework.data.mongodb.core.query.Query;
import org.springframework.data.mongodb.core.query.Update;
import java.util.Optional;
import static com.appsmith.server.migrations.utils.CompatibilityUtils.optimizeQueryForNoCursorTimeout;
import static com.appsmith.server.repositories.ce.BaseAppsmithRepositoryCEImpl.fieldName;
import static org.springframework.data.mongodb.core.query.Criteria.where;
import static org.springframework.data.mongodb.core.query.Query.query;
@Slf4j
@RequiredArgsConstructor
@ChangeUnit(order = "025", id = "remove-unassign-permission-from-workspace-dev-viewer-roles")
public class Migration025RemoveUnassignPermissionFromUnnecessaryRoles {
private final MongoTemplate mongoTemplate;
@RollbackExecution
public void rollbackExecution() {}
@Execution
public void executeMigration() {
// Fetch all default workspace roles except administrators
Criteria workspaceDeveloperAndAppViewerRolesCriteria = new Criteria()
.andOperator(
Criteria.where("defaultDomainType").is(Workspace.class.getSimpleName()),
Criteria.where("name").not().regex("^Administrator - .*"));
Query queryInterestingPermissionGroups = new Query(workspaceDeveloperAndAppViewerRolesCriteria);
queryInterestingPermissionGroups.fields().include("id");
queryInterestingPermissionGroups.fields().include("policies");
Query optimizedQueryForInterestingPermissionGroups =
optimizeQueryForNoCursorTimeout(mongoTemplate, queryInterestingPermissionGroups, PermissionGroup.class);
mongoTemplate.stream(optimizedQueryForInterestingPermissionGroups, PermissionGroup.class)
.forEach(permissionGroup -> {
Optional<Policy> optionalUnassignPolicy = permissionGroup.getPolicies().stream()
.filter(policy -> policy.getPermission().equals("unassign:permissionGroups"))
.findFirst();
if (!optionalUnassignPolicy.isPresent()) {
return;
}
Policy unAssignPolicy = optionalUnassignPolicy.get();
unAssignPolicy.getPermissionGroups().remove(permissionGroup.getId());
mongoTemplate.updateFirst(
query(where(fieldName(QPermissionGroup.permissionGroup.id))
.is(permissionGroup.getId())),
new Update().set("policies", permissionGroup.getPolicies()),
PermissionGroup.class);
});
}
}
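Review bot: The roles to strip are selected by display name (`name` not matching `^Administrator - .*`), so a non-administrator default role whose name happens to start with `Administrator - ` would keep `unassign:permissionGroups`; whether role names can be edited is not visible here. If the workspace document records the ids of its default roles, keying the exclusion on those would be sturdier; otherwise a comment above the criteria should state the naming assumption. Inside the lambda, `permissionGroup.getPolicies()` and `unAssignPolicy.getPermissionGroups()` are dereferenced without a null check, so a single malformed document would abort the migration partway; a guard such as `if (permissionGroup.getPolicies() == null) { return; }`, plus calling `updateFirst` only when `remove(...)` returns true, would make it safe to re-run. Only the role's own id is removed from the policy, so any other non-administrator role id present in that set stays in place, which is worth confirming as intended. The empty `rollbackExecution()` deserves a one-line comment saying the permission removal is deliberately not reverted.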


@ -320,6 +320,7 @@ public class WorkspaceServiceCEImpl extends BaseService<WorkspaceRepository, Wor
.map(permissionGroup -> .map(permissionGroup ->
new Permission(permissionGroup.getId(), AclPermission.READ_PERMISSION_GROUP_MEMBERS)) new Permission(permissionGroup.getId(), AclPermission.READ_PERMISSION_GROUP_MEMBERS))
.collect(Collectors.toSet()); .collect(Collectors.toSet());
// All the default permission groups should be unassignable by the administrator role of the workspace
Set<Permission> unassignPermissionGroupPermissions = permissionGroups.stream() Set<Permission> unassignPermissionGroupPermissions = permissionGroups.stream()
.map(permissionGroup -> .map(permissionGroup ->
new Permission(permissionGroup.getId(), AclPermission.UNASSIGN_PERMISSION_GROUPS)) new Permission(permissionGroup.getId(), AclPermission.UNASSIGN_PERMISSION_GROUPS))