Add field filtering based on permissions in OpenAPI schema

Co-authored-by: JerryNixon <1749983+JerryNixon@users.noreply.github.com>

Author: Copilot

src/Core/Services/OpenAPI/OpenApiDocumentor.cs

@@ -776,6 +776,73 @@ private static bool HasAnyAvailableOperations(Entity entity)
             return false;
         }
 
+        /// <summary>
+        /// Filters the exposed column names based on the superset of available fields across all role permissions.
+        /// A field is included if at least one role has access to it (through include/exclude settings).
+        /// </summary>
+        /// <param name="entity">The entity to check permissions for.</param>
+        /// <param name="exposedColumnNames">All exposed column names from the database.</param>
+        /// <returns>Filtered set of column names that are available based on permissions.</returns>
+        private static HashSet<string> FilterFieldsByPermissions(Entity entity, HashSet<string> exposedColumnNames)
+        {
+            if (entity?.Permissions is null || entity.Permissions.Length == 0)
+            {
+                return exposedColumnNames;
+            }
+
+            HashSet<string> availableFields = new();
+
+            foreach (EntityPermission permission in entity.Permissions)
+            {
+                if (permission.Actions is null)
+                {
+                    continue;
+                }
+
+                foreach (EntityAction action in permission.Actions)
+                {
+                    // If Fields is null, all fields are available for this action
+                    if (action.Fields is null)
+                    {
+                        availableFields.UnionWith(exposedColumnNames);
+                        continue;
+                    }
+
+                    // Determine included fields
+                    HashSet<string> actionFields;
+                    if (action.Fields.Include is null || action.Fields.Include.Contains("*"))
+                    {
+                        // Include is null or contains wildcard - start with all fields
+                        actionFields = new HashSet<string>(exposedColumnNames);
+                    }
+                    else
+                    {
+                        // Only include explicitly listed fields that exist in exposed columns
+                        actionFields = new HashSet<string>(action.Fields.Include.Where(f => exposedColumnNames.Contains(f)));
+                    }
+
+                    // Remove excluded fields
+                    if (action.Fields.Exclude is not null && action.Fields.Exclude.Count > 0)
+                    {
+                        if (action.Fields.Exclude.Contains("*"))
+                        {
+                            // Exclude all - no fields available for this action
+                            actionFields.Clear();
+                        }
+                        else
+                        {
+                            actionFields.ExceptWith(action.Fields.Exclude);
+                        }
+                    }
+
+                    // Add to superset of available fields
+                    availableFields.UnionWith(actionFields);
+                }
+            }
+
+            return availableFields;
+        }
+
         /// <summary>
         /// Creates the request body definition, which includes the expected media type (application/json)
         /// and reference to request body schema.
@@ -1088,6 +1155,10 @@ private Dictionary<string, OpenApiSchema> CreateComponentSchemas(RuntimeEntities
 
                 SourceDefinition sourceDefinition = metadataProvider.GetSourceDefinition(entityName);
                 HashSet<string> exposedColumnNames = GetExposedColumnNames(entityName, sourceDefinition.Columns.Keys.ToList(), metadataProvider);
+
+                // Filter fields based on the superset of permissions across all roles
+                exposedColumnNames = FilterFieldsByPermissions(entity, exposedColumnNames);
+
                 HashSet<string> nonAutoGeneratedPKColumnNames = new();
 
                 if (dbObject.SourceType is EntitySourceType.StoredProcedure)

src/Service.Tests/OpenApiDocumentor/PermissionBasedOperationFilteringTests.cs

@@ -116,6 +116,49 @@ public async Task MixedRolePermissions_ShowsSupersetOfOperations()
             Assert.IsTrue(doc.Paths.Any(p => p.Value.Operations.ContainsKey(OperationType.Post)), "POST should exist from authenticated create");
         }
 
+        /// <summary>
+        /// Validates that excluded fields are not shown in OpenAPI schema.
+        /// </summary>
+        [TestMethod]
+        public async Task ExcludedFields_NotShownInSchema()
+        {
+            // Create permission with excluded field
+            EntityActionFields fields = new(Exclude: new HashSet<string> { "publisher_id" }, Include: null);
+            EntityPermission[] permissions = new[]
+            {
+                new EntityPermission(Role: "anonymous", Actions: new[] { new EntityAction(EntityActionOperation.All, fields, new()) })
+            };
+
+            OpenApiDocument doc = await GenerateDocumentWithPermissions(permissions);
+
+            // Check that the excluded field is not in the schema
+            Assert.IsTrue(doc.Components.Schemas.ContainsKey("book"), "Schema should exist for book entity");
+            Assert.IsFalse(doc.Components.Schemas["book"].Properties.ContainsKey("publisher_id"), "Excluded field should not be in schema");
+        }
+
+        /// <summary>
+        /// Validates superset of fields across different role permissions is shown.
+        /// </summary>
+        [TestMethod]
+        public async Task MixedRoleFieldPermissions_ShowsSupersetOfFields()
+        {
+            // Anonymous can see id only, authenticated can see title only
+            EntityActionFields anonymousFields = new(Exclude: new HashSet<string>(), Include: new HashSet<string> { "id" });
+            EntityActionFields authenticatedFields = new(Exclude: new HashSet<string>(), Include: new HashSet<string> { "title" });
+            EntityPermission[] permissions = new[]
+            {
+                new EntityPermission(Role: "anonymous", Actions: new[] { new EntityAction(EntityActionOperation.Read, anonymousFields, new()) }),
+                new EntityPermission(Role: "authenticated", Actions: new[] { new EntityAction(EntityActionOperation.Read, authenticatedFields, new()) })
+            };
+
+            OpenApiDocument doc = await GenerateDocumentWithPermissions(permissions);
+
+            // Should have both id (from anonymous) and title (from authenticated) - superset of fields
+            Assert.IsTrue(doc.Components.Schemas.ContainsKey("book"), "Schema should exist for book entity");
+            Assert.IsTrue(doc.Components.Schemas["book"].Properties.ContainsKey("id"), "Field 'id' should be in schema from anonymous role");
+            Assert.IsTrue(doc.Components.Schemas["book"].Properties.ContainsKey("title"), "Field 'title' should be in schema from authenticated role");
+        }
+
         private static async Task<OpenApiDocument> GenerateDocumentWithPermissions(EntityPermission[] permissions)
         {
             Entity entity = new(