
feat: Migrate roles and permissions to MetaDB #7877

Open. Wants to merge 3 commits into base: develop

Conversation

@IFGGit (Contributor) commented Mar 15, 2024

Change Summary

  • Moved all roles, permissions, and the relations between roles and permissions to MetaDB.
  • Changed the backend middleware to check whether the user's role has the necessary permission.
  • Returning the user's permissions from the /me endpoint.
  • Changed the isUIAllowed function on the frontend to check the permissions present on the user.

This is the first step towards adding “Custom roles” functionality.
My plan is to create a “Role management” page in settings where a user can see all roles in MetaDB and also create their own role from scratch, or create their own role based on an already existing one.
As a next step I want to add a page where a user can manage the permissions for every role: add or remove permissions from different roles.
This functionality is important for us and, as far as we can see, for many other people too (#2712). We are open to your reviews and proposals. We are ready to work on it.

Change type

  • feat: (new feature for the user, not a new feature for build script)
  • fix: (bug fix for the user, not a fix to a build script)
  • docs: (changes to the documentation)
  • style: (formatting, missing semi colons, etc; no production code change)
  • refactor: (refactoring production code, eg. renaming a variable)
  • test: (adding missing tests, refactoring tests; no production code change)
  • chore: (updating grunt tasks etc; no production code change)

Test / Verification

I tested on Postgres and SQLite.

Additional information / screenshots (optional)

Anything for maintainers to be made aware of

Summary by CodeRabbit

  • New Features
    • Enhanced user role management with the addition of role permissions. Users can now be assigned specific permissions based on their roles, improving the app's security and customization capabilities.
    • Introduced a comprehensive system for managing roles, permissions, and their associations within the database, including predefined roles and permissions setup.
  • Improvements
    • Updated user object to include role_permissions, allowing for more precise permission checks throughout the application.
  • Refactor
    • Refactored authentication and user services to support the retrieval and handling of role-based permissions.

@dstala dstala added the 📞 Status: Need Internal Discussion Something requires to be discussed internally. label Mar 16, 2024
@IFGGit (Contributor, Author) commented Mar 18, 2024

@o1lab
If you have any questions about this pull request or the next plan, we would be glad to answer them. If you have concerns about moving permissions to the database, please bring them up too, we could try to implement custom roles without this part (each approach has its pros and cons).

P.S. The test failures seem unrelated to my changes, am I missing something? Maybe the tests are flaky?

coderabbitai bot (Contributor) commented Mar 20, 2024

Walkthrough

The overall change introduces a more granular and flexible role-based permission system. It involves updating user and authentication models to include role permissions, enhancing the backend to handle permission checks more effectively, and migrating the database schema to support roles and permissions management. This change allows for a dynamic assignment of permissions to roles, improving the system's security and customizability.

Changes

Files | Change Summary

  • packages/nc-gui/composables/useRoles/index.ts
    packages/nocodb/src/services/users/users.service.ts
    Updated to handle additional rolePermission parameter and logic for checking permissions; added method for retrieving frontend permissions based on roles.
  • packages/nc-gui/lib/types.ts
    packages/nocodb-sdk/src/lib/Api.ts
    packages/nocodb/src/controllers/auth/auth.controller.ts
    Added role_permissions field to user-related interfaces and updated authentication controller to include role permissions retrieval.
  • packages/nocodb/src/meta/migrations/.../XcMigrationSourcev2.ts
    packages/nocodb/src/meta/migrations/v2/nc_043_roles_permissions.ts
    Introduced and included new migration source for managing roles and permissions in the database schema.
  • packages/nocodb/src/middlewares/extract-ids/extract-ids.middleware.ts
    Enhanced role mapping and permission checks by importing necessary modules and modifying middleware logic.
  • packages/nocodb/src/utils/acl.ts
    packages/nocodb/src/utils/globals.ts
    Updated to export permissionScopes and add new enum values for roles and permissions management.


@coderabbitai coderabbitai bot (Contributor) left a comment

Review Status

Actionable comments generated: 3

Configuration used: CodeRabbit UI

Commits: files that changed from the base of the PR and between 028a11a and 71fe623.
Files ignored due to path filters (2)
  • packages/nc-lib-gui/package-lock.json is excluded by: !**/*.json
  • packages/nocodb/src/schema/swagger.json is excluded by: !**/*.json
Files selected for processing (10)
  • packages/nc-gui/composables/useRoles/index.ts (7 hunks)
  • packages/nc-gui/lib/types.ts (1 hunks)
  • packages/nocodb-sdk/src/lib/Api.ts (1 hunks)
  • packages/nocodb/src/controllers/auth/auth.controller.ts (1 hunks)
  • packages/nocodb/src/meta/migrations/XcMigrationSourcev2.ts (3 hunks)
  • packages/nocodb/src/meta/migrations/v2/nc_043_roles_permissions.ts (1 hunks)
  • packages/nocodb/src/middlewares/extract-ids/extract-ids.middleware.ts (4 hunks)
  • packages/nocodb/src/services/users/users.service.ts (1 hunks)
  • packages/nocodb/src/utils/acl.ts (2 hunks)
  • packages/nocodb/src/utils/globals.ts (1 hunks)
Additional comments: 14
packages/nc-gui/composables/useRoles/index.ts (2)
  • 6-16: The changes to the hasPermission function, including the addition of the rolePermission parameter and the updated logic for checking permissions, are correctly implemented and enhance the flexibility of permission checking.
  • 106-112: (Note: this review was outside the diff hunks and was mapped to the diff hunk with the greatest overlap; original lines 91-129.) The inclusion of role_permissions in the user object and the updated logic for checking permissions based on roles are correctly implemented. These changes enhance the system's ability to manage and check permissions in a centralized manner.

Consider caching or optimizing the fetching of role permissions to improve performance, especially if there are many roles or if the permissions data is large.

packages/nc-gui/lib/types.ts (1)
  • 16-16: The addition of the role_permissions field to the User interface is correctly implemented and necessary for storing the permissions associated with each role a user has.
packages/nocodb/src/utils/globals.ts (1)
  • 49-51: The addition of the ROLES, PERMISSIONS, and ROLES_PERMISSIONS enum values to the MetaTable enum is correctly implemented and aligns with the migration towards a more dynamic and customizable access control mechanism.
packages/nocodb/src/meta/migrations/v2/nc_043_roles_permissions.ts (1)
  • 20-178: The migration script nc_043_roles_permissions.ts is well-structured and correctly implements the creation of the ROLES, PERMISSIONS, and ROLES_PERMISSIONS tables, along with the initial population of these tables with roles and permissions. The script follows best practices for database migrations and correctly handles different scopes and types for permissions, including special handling for the super role.
packages/nocodb/src/controllers/auth/auth.controller.ts (1)
  • 126-131: The enhancements to the AuthController, specifically the logic to retrieve role permissions for all roles associated with a user and include these permissions in the returned user object, are correctly implemented. These changes provide a clearer view of the user's capabilities and access rights within the system.
packages/nocodb/src/meta/migrations/XcMigrationSourcev2.ts (1)
  • 32-32: The addition of the nc_043_roles_permissions migration to the XcMigrationSourcev2 class is correctly implemented, ensuring that the new migration script is integrated into the system's migration process.
packages/nocodb/src/middlewares/extract-ids/extract-ids.middleware.ts (5)
  • 27-28: The addition of imports for Noco and MetaTable is noted. Ensure that these modules are used appropriately within the file and that their functionalities align with the intended changes in the middleware.
  • 41-47: (Note: this review was outside the diff hunks and was mapped to the diff hunk with the greatest overlap; original lines 44-54.) The modification in getRolesLabels to utilize the allRoles parameter for role mapping introduces a more dynamic way of handling roles. This change aligns with the PR's objective of enhancing role and permission management. However, consider adding error handling for cases where allRoles.find((item) => item.name === role) returns undefined, which would lead to undefined being included in the returned array.

- .map((role) => allRoles.find((item) => item.name === role)?.label);
+ .map((role) => allRoles.find((item) => item.name === role)?.label).filter(label => label !== undefined);
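Review bot: the `.filter(label => label !== undefined)` appended on the `+` line does not narrow the array's TypeScript type, so callers of getRolesLabels still see `(string | undefined)[]`; write the callback as a type predicate, `(label): label is string => label !== undefined`, if the narrowing is the goal. Silently dropping a role that has no matching row in the ROLES table also hides a mismatch between the user's stored roles and the table, and the error message built from getRolesLabels later in the middleware would then omit that role; consider logging the unmatched name or falling back to the raw role name instead.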
  • 261-263: Retrieving allRoles using Noco.ncMeta.knex(MetaTable.ROLES).select('name', 'label') is a critical change that supports the dynamic checking of roles against permissions. Ensure that this query is optimized for performance, especially if AclMiddleware is used frequently. Consider caching the roles if they don't change often to reduce database load.
  • 273-287: The retrieval and usage of rolePermissions to check if the user has the specific permission required for the action is a significant enhancement. This aligns with the PR's objective of centralizing and streamlining permission checks. Ensure that the permissions are correctly defined in the database and that the query efficiently retrieves the necessary information without causing performance issues.
  • 289-294: The final check for isAllowed and the subsequent error handling if the user is not allowed is crucial for enforcing permissions. The usage of getRolesLabels to provide a detailed error message is a good practice. Ensure that the error messages are clear and informative to aid in debugging and user understanding.
packages/nocodb/src/utils/acl.ts (2)
  • 14-14: Exporting permissionScopes is a necessary change to make these scopes accessible outside the module, which aligns with the PR's objectives of enhancing role and permission management. Ensure that the permissions defined within are accurate and comprehensive.
  • 435-514: The addition of notAssignedPermissionsBE to define permissions for superadmins that are not assigned to any roles is a significant enhancement. This allows for a more granular control of permissions, especially for superadmins. Ensure that all permissions listed are necessary and correctly categorized under org and base scopes.

Review threads on packages/nocodb/src/services/users/users.service.ts and packages/nocodb-sdk/src/lib/Api.ts were marked outdated and resolved.
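The role and permission lookup that the PR description and the review above discuss (three MetaDB tables, a middleware that checks the user's roles against the permission an action requires, and getRolesLabels for the error message), as an added example that is not NocoDB's code: the tables are in-memory arrays with constructed rows, and the super role is modelled by an `isSuper` flag, an assumption standing in for whatever the real middleware inspects.

```typescript
// Added example, not NocoDB's code: in-memory stand-in for the MetaDB tables the PR adds
// (ROLES, PERMISSIONS, ROLES_PERMISSIONS) and the checks run on them. Rows are constructed.
type Role = { name: string; label: string };
type Permission = { name: string; scope: 'org' | 'base' };
type RolePermission = { role: string; permission: string };
// Constructed rows standing in for what the migration seeds.
const ROLES: Role[] = [
  { name: 'org-level-creator', label: 'Organization level creator' },
  { name: 'editor', label: 'Editor' },
  { name: 'viewer', label: 'Viewer' },
];
const PERMISSIONS: Permission[] = [
  { name: 'baseCreate', scope: 'org' },
  { name: 'tableCreate', scope: 'base' },
  { name: 'dataList', scope: 'base' },
];
const ROLES_PERMISSIONS: RolePermission[] = [
  { role: 'org-level-creator', permission: 'baseCreate' },
  { role: 'editor', permission: 'tableCreate' },
  { role: 'editor', permission: 'dataList' },
  { role: 'viewer', permission: 'dataList' },
];

// Map role names to labels, dropping names with no ROLES row instead of emitting
// undefined; the type predicate keeps the result typed as string[].
function getRolesLabels(roles: string[], allRoles: Role[] = ROLES): string[] {
  return roles
    .map((role) => allRoles.find((item) => item.name === role)?.label)
    .filter((label): label is string => label !== undefined);
}

// Permissions a set of roles grants, resolved through the ROLES_PERMISSIONS relation.
function permissionsForRoles(userRoles: string[]): Set<string> {
  return new Set(
    ROLES_PERMISSIONS.filter((r) => userRoles.includes(r.role)).map((r) => r.permission),
  );
}

// The middleware decision, fail-closed: the super role passes every check (assumed to be
// identified by a flag here); anyone else needs the permission on at least one of their
// roles. Permission names missing from the PERMISSIONS table are denied outright.
function isAllowed(userRoles: string[], permission: string, isSuper: boolean): { allowed: boolean; reason?: string } {
  if (isSuper) return { allowed: true };
  if (!PERMISSIONS.some((p) => p.name === permission)) return { allowed: false, reason: `unknown permission ${permission}` };
  if (permissionsForRoles(userRoles).has(permission)) return { allowed: true };
  const labels = getRolesLabels(userRoles).join(', ') || 'none';
  return { allowed: false, reason: `${permission} is not allowed for role(s): ${labels}` };
}
```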
@coderabbitai coderabbitai bot (Contributor) left a comment

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits: files that changed from the base of the PR and between c0ccb1c and 47f56c6.
Files ignored due to path filters (2)
  • packages/nc-lib-gui/package-lock.json is excluded by: !**/*.json
  • packages/nocodb/src/schema/swagger.json is excluded by: !**/*.json
Files selected for processing (10)
  • packages/nc-gui/composables/useRoles/index.ts (7 hunks)
  • packages/nc-gui/lib/types.ts (1 hunks)
  • packages/nocodb-sdk/src/lib/Api.ts (1 hunks)
  • packages/nocodb/src/controllers/auth/auth.controller.ts (1 hunks)
  • packages/nocodb/src/meta/migrations/XcMigrationSourcev2.ts (3 hunks)
  • packages/nocodb/src/meta/migrations/v2/nc_043_roles_permissions.ts (1 hunks)
  • packages/nocodb/src/middlewares/extract-ids/extract-ids.middleware.ts (4 hunks)
  • packages/nocodb/src/services/users/users.service.ts (1 hunks)
  • packages/nocodb/src/utils/acl.ts (2 hunks)
  • packages/nocodb/src/utils/globals.ts (1 hunks)
Files skipped from review as they are similar to previous changes (10)
  • packages/nc-gui/composables/useRoles/index.ts
  • packages/nc-gui/lib/types.ts
  • packages/nocodb-sdk/src/lib/Api.ts
  • packages/nocodb/src/controllers/auth/auth.controller.ts
  • packages/nocodb/src/meta/migrations/XcMigrationSourcev2.ts
  • packages/nocodb/src/meta/migrations/v2/nc_043_roles_permissions.ts
  • packages/nocodb/src/middlewares/extract-ids/extract-ids.middleware.ts
  • packages/nocodb/src/services/users/users.service.ts
  • packages/nocodb/src/utils/acl.ts
  • packages/nocodb/src/utils/globals.ts
