fix: resolved edge case in folder empty action

2025-03-29 22:02:57 +00:00 · 2024-10-18 16:07:06 +05:30
parent 91c11d61f1
commit a1397f0a66
3 changed files with 24 additions and 9 deletions
--- a/backend/src/ee/routes/v1/project-role-router.ts
+++ b/backend/src/ee/routes/v1/project-role-router.ts
@ -10,7 +10,7 @@ import {
 import { PROJECT_ROLE } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { SanitizedRoleSchema } from "@app/server/routes/sanitizedSchemas";
+import { SanitizedRoleSchemaV1 } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
@ -50,7 +50,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          role: SanitizedRoleSchema
+          role: SanitizedRoleSchemaV1
        })
      }
    },
@ -110,7 +110,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          role: SanitizedRoleSchema
+          role: SanitizedRoleSchemaV1
        })
      }
    },
@ -153,7 +153,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          role: SanitizedRoleSchema
+          role: SanitizedRoleSchemaV1
        })
      }
    },
@ -219,7 +219,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          role: SanitizedRoleSchema
+          role: SanitizedRoleSchemaV1
        })
      }
    },
--- a/backend/src/ee/services/permission/project-permission.ts
+++ b/backend/src/ee/services/permission/project-permission.ts
@ -768,10 +768,14 @@ export const backfillPermissionV1SchemaToV2Schema = (data: z.infer<typeof Projec
    subject: ProjectPermissionSub.SecretImports as const
  }));

-  const secretFolderPolicies = secretSubjects.map(({ subject, ...el }) => ({
-    ...el,
-    subject: ProjectPermissionSub.SecretFolders
-  }));
+  const secretFolderPolicies = secretSubjects
+    .map(({ subject, ...el }) => ({
+      ...el,
+      // read permission is not needed anymore
+      action: el.action.filter((caslAction) => caslAction !== ProjectPermissionActions.Read),
+      subject: ProjectPermissionSub.SecretFolders
+    }))
+    .filter((el) => el.action?.length > 0);

  const dynamicSecretPolicies = secretSubjects.map(({ subject, ...el }) => {
    const action = el.action.map((e) => {
--- a/backend/src/server/routes/sanitizedSchemas.ts
+++ b/backend/src/server/routes/sanitizedSchemas.ts
@ -157,6 +157,17 @@ export const SanitizedRoleSchema = ProjectRolesSchema.extend({
  permissions: UnpackedPermissionSchema.array()
 });

+export const SanitizedRoleSchemaV1 = ProjectRolesSchema.extend({
+  permissions: UnpackedPermissionSchema.array().transform((el) =>
+    el.filter(
+      (i) =>
+        ![ProjectPermissionSub.DynamicSecrets, ProjectPermissionSub.SecretImports].includes(
+          (i?.subject as ProjectPermissionSub) || ""
+        )
+    )
+  )
+});
+
 export const SanitizedDynamicSecretSchema = DynamicSecretsSchema.omit({
  inputIV: true,
  inputTag: true,