diff --git a/app/graphql/sagittarius_schema.rb b/app/graphql/sagittarius_schema.rb index a766e14d..96ba2a26 100644 --- a/app/graphql/sagittarius_schema.rb +++ b/app/graphql/sagittarius_schema.rb @@ -57,4 +57,6 @@ def self.object_from_id(global_id, query_ctx = nil) # rubocop:enable GraphQL/MaxDepthSchema # rubocop:enable GraphQL/MaxComplexitySchema -Types::BaseObject.instance_variable_set(:@user_ability_types, nil) # release temporary type map +if Types::BaseObject.instance_variable_defined?(:@user_ability_types) + Types::BaseObject.remove_instance_variable(:@user_ability_types) # release temporary type map +end diff --git a/app/graphql/types/base_object.rb b/app/graphql/types/base_object.rb index d1fed1eb..cd4105f4 100644 --- a/app/graphql/types/base_object.rb +++ b/app/graphql/types/base_object.rb @@ -24,7 +24,7 @@ def self.timestamps(entity_name = graphql_name) field :updated_at, Types::TimeType, null: false, description: "Time when this #{entity_name} was last updated" end - def self.expose_abilities(abilities, entity_name = graphql_name) + def self.expose_abilities(abilities, entity_name: graphql_name, subject_resolver: nil) @user_ability_types ||= {} type_class = @user_ability_types.fetch("#{entity_name}UserAbilities", nil) @@ -43,10 +43,11 @@ def self.expose_abilities(abilities, entity_name = graphql_name) abilities.each do |ability| field ability, Boolean, null: false, - description: "Shows if the current user can #{ability} in this #{entity_name}" + description: "Shows if the current user has the `#{ability}` ability on this #{entity_name}" define_method(ability) do - Ability.allowed?(current_user, ability, object) + subject = subject_resolver.nil? ? object : subject_resolver.call + Ability.allowed?(current_authentication, ability, subject) end end end diff --git a/app/graphql/types/flow_type.rb b/app/graphql/types/flow_type.rb index db2d53ff..3456f998 100644 --- a/app/graphql/types/flow_type.rb +++ b/app/graphql/types/flow_type.rb 
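Review bot: The `# release temporary type map` comment on the new `remove_instance_variable` line should also record the ordering it depends on: every `expose_abilities` call has to run before this line, because once the map is gone a later call (for example an extension module loaded after this file) presumably cannot find the already-built `…UserAbilities` class and would define a second type under the same name. Suggest `# release temporary type map; every expose_abilities call must have run by now, a later call would redefine its *UserAbilities type`. The `instance_variable_defined?` guard itself is fine and removes the stale nil the old assignment left behind.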
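Review bot: Each generated ability field calls `Ability.allowed?` once per object, so a connection returning N items with `userAbilities` selected costs N × (number of abilities) policy evaluations, each of which may hit the database depending on the policy, and nothing in the hunk memoizes or batches that. Worth either caching the answer per (authentication, subject, ability) on the query context or giving the generated `…UserAbilities` type a complexity above the default so the max-complexity limit referenced in sagittarius_schema.rb actually accounts for it. Separately, `subject_resolver` is invoked with no arguments, so a resolver cannot derive its subject from `object`; `subject = subject_resolver.nil? ? object : subject_resolver.call(object)` (or an arity check) would keep the `-> { :global }` caller working while allowing per-object resolvers. `expose_abilities` begins outside this hunk.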
@@ -30,6 +30,10 @@ class FlowType < Types::BaseObject description: 'Nodes of the flow', method: :collect_node_functions + expose_abilities %i[ + delete_flow + ] + id_field Flow timestamps diff --git a/app/graphql/types/namespace_member_type.rb b/app/graphql/types/namespace_member_type.rb index df2d5e43..fde18f9b 100644 --- a/app/graphql/types/namespace_member_type.rb +++ b/app/graphql/types/namespace_member_type.rb @@ -12,6 +12,11 @@ class NamespaceMemberType < Types::BaseObject field :member_roles, NamespaceMemberRoleType.connection_type, null: false, description: 'Memberroles of the member' field :roles, NamespaceRoleType.connection_type, null: false, description: 'Roles of the member' + expose_abilities %i[ + assign_member_roles + delete_member + ] + id_field NamespaceMember timestamps end diff --git a/app/graphql/types/namespace_project_type.rb b/app/graphql/types/namespace_project_type.rb index c7687533..69ffa9da 100644 --- a/app/graphql/types/namespace_project_type.rb +++ b/app/graphql/types/namespace_project_type.rb @@ -23,6 +23,13 @@ class NamespaceProjectType < Types::BaseObject field :flows, Types::FlowType.connection_type, null: true, description: 'Fetches all flows in this project' + expose_abilities %i[ + create_flow + assign_project_runtimes + delete_namespace_project + update_namespace_project + ] + id_field NamespaceProject timestamps diff --git a/app/graphql/types/namespace_role_type.rb b/app/graphql/types/namespace_role_type.rb index 63e5084e..15d9e5d8 100644 --- a/app/graphql/types/namespace_role_type.rb +++ b/app/graphql/types/namespace_role_type.rb @@ -15,6 +15,13 @@ class NamespaceRoleType < BaseObject field :assigned_projects, Types::NamespaceProjectType.connection_type, description: 'The projects this role is assigned to' + expose_abilities %i[ + assign_role_abilities + assign_role_projects + delete_namespace_role + update_namespace_role + ] + id_field ::NamespaceRole timestamps 
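Review bot: `delete_flow` is now evaluated against the flow itself (the delete service in this commit does the same) while NamespaceProjectPolicy still declares `delete_flow` as a project permission, so this field depends on a Flow policy that delegates to the project; no such policy is part of the diff, and if it is missing the field presumably answers false for everyone (assuming `Ability.allowed?` fails closed on an unknown subject). Please confirm the Flow policy exists, or keep the subject on the project until it does. The class continues outside the hunk.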
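Review bot: `update_flow` is declared on NamespaceProjectPolicy in this same commit (`customizable_permission :update_flow`) but is exposed neither here nor on FlowType, so a client can learn whether it may create or delete a flow but not whether it may edit one. Adding `update_flow` to this list keeps the exposed set in step with the policy. Minor: the other ability lists in this commit are alphabetical, so `assign_project_runtimes` would come first here. The class continues outside the hunk.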
diff --git a/app/graphql/types/namespace_type.rb b/app/graphql/types/namespace_type.rb index 7aa072f4..493467f5 100644 --- a/app/graphql/types/namespace_type.rb +++ b/app/graphql/types/namespace_type.rb @@ -22,6 +22,13 @@ class NamespaceType < Types::BaseObject lookahead_field :members, base_scope: ->(object) { object.namespace_members }, conditional_lookaheads: { user: :user, namespace: :namespace } + expose_abilities %i[ + invite_member + create_namespace_role + create_namespace_project + create_runtime + ] + id_field Namespace timestamps end diff --git a/app/graphql/types/organization_type.rb b/app/graphql/types/organization_type.rb index 57dfe84f..9b5ca090 100644 --- a/app/graphql/types/organization_type.rb +++ b/app/graphql/types/organization_type.rb @@ -13,6 +13,11 @@ class OrganizationType < Types::BaseObject description: 'Namespace of this organization', method: :ensure_namespace + expose_abilities %i[ + delete_organization + update_organization + ] + id_field Organization timestamps end diff --git a/app/graphql/types/query_type.rb b/app/graphql/types/query_type.rb index 8a7ee22b..a7f0d24f 100644 --- a/app/graphql/types/query_type.rb +++ b/app/graphql/types/query_type.rb @@ -44,6 +44,15 @@ class QueryType < Types::BaseObject field :global_runtimes, Types::RuntimeType.connection_type, null: false, description: 'Find runtimes' + expose_abilities %i[ + create_organization + create_runtime + delete_runtime + update_runtime + rotate_runtime_token + update_application_setting + ], entity_name: 'Instance', subject_resolver: -> { :global } + def node(id:) context.schema.object_from_id(id, context) end diff --git a/app/graphql/types/runtime_type.rb b/app/graphql/types/runtime_type.rb index 1036e374..80c98162 100644 --- a/app/graphql/types/runtime_type.rb +++ b/app/graphql/types/runtime_type.rb 
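Review bot: The instance-level `deleteRuntime`, `updateRuntime` and `rotateRuntimeToken` booleans are answered for the `:global` subject, whereas the runtime services in this commit now authorize against the concrete runtime, so the two can legitimately disagree for a namespace-scoped runtime. That is acceptable, but it should be written down so a client does not treat the instance answer as authoritative; suggest a comment above the call, `# Instance-wide abilities are checked against :global; use Runtime.userAbilities for a specific runtime.`, and ideally the same caveat in the field descriptions. The class continues outside the hunk.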
@@ -17,6 +17,12 @@ class RuntimeType < Types::BaseObject field :token, String, null: true, description: 'Token belonging to the runtime, only present on creation' + expose_abilities %i[ + delete_runtime + update_runtime + rotate_runtime_token + ] + id_field Runtime timestamps diff --git a/app/graphql/types/user_session_type.rb b/app/graphql/types/user_session_type.rb index 412c0a36..bf5deb4e 100644 --- a/app/graphql/types/user_session_type.rb +++ b/app/graphql/types/user_session_type.rb @@ -11,6 +11,10 @@ class UserSessionType < Types::BaseObject field :token, String, null: true, description: 'Token belonging to the session, only present on creation' field :user, Types::UserType, null: false, description: 'User that belongs to the session' + expose_abilities %i[ + logout_session + ] + id_field UserSession timestamps diff --git a/app/graphql/types/user_type.rb b/app/graphql/types/user_type.rb index 7eff1313..bd3c38e9 100644 --- a/app/graphql/types/user_type.rb +++ b/app/graphql/types/user_type.rb @@ -39,6 +39,11 @@ class UserType < Types::BaseObject base_scope: ->(object) { object.namespace_memberships }, conditional_lookaheads: { user: :user, namespace: { namespace: :namespace_members } } + expose_abilities %i[ + manage_mfa + update_user + ] + id_field User timestamps diff --git a/app/models/namespace_role_ability.rb b/app/models/namespace_role_ability.rb index 1d5fdd43..49a6fef2 100644 --- a/app/models/namespace_role_ability.rb +++ b/app/models/namespace_role_ability.rb 
@@ -25,9 +25,9 @@ class NamespaceRoleAbility < ApplicationRecord rotate_runtime_token: { db: 21, description: 'Allows to regenerate a runtime token' }, assign_role_projects: { db: 22, description: 'Allows to change the assigned projects of a namespace role' }, assign_project_runtimes: { db: 23, description: 'Allows to assign runtimes to a project in the namespace' }, - create_flows: { db: 24, description: 'Allows to create flows in a namespace project' }, - delete_flows: { db: 25, description: 'Allows to delete flows in a namespace project' }, - update_flows: { db: 26, description: 'Allows to update flows in the project' }, + create_flow: { db: 24, description: 'Allows to create flows in a namespace project' }, + delete_flow: { db: 25, description: 'Allows to delete flows in a namespace project' }, + update_flow: { db: 26, description: 'Allows to update flows in the project' }, }.with_indifferent_access enum :ability, ABILITIES.transform_values { |v| v[:db] }, prefix: :can diff --git a/app/policies/namespace_project_policy.rb b/app/policies/namespace_project_policy.rb index 7284b2d3..d76b96ff 100644 --- a/app/policies/namespace_project_policy.rb +++ b/app/policies/namespace_project_policy.rb @@ -17,7 +17,7 @@ class NamespaceProjectPolicy < BasePolicy customizable_permission :read_namespace_project customizable_permission :update_namespace_project customizable_permission :delete_namespace_project - customizable_permission :create_flows - customizable_permission :update_flows - customizable_permission :delete_flows + customizable_permission :create_flow + customizable_permission :update_flow + customizable_permission :delete_flow end diff --git a/app/services/namespaces/members/assign_roles_service.rb b/app/services/namespaces/members/assign_roles_service.rb index 3b39bcd7..de033b22 100644 --- a/app/services/namespaces/members/assign_roles_service.rb +++ b/app/services/namespaces/members/assign_roles_service.rb 
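Review bot: Renaming the keys from `create_flows`/`delete_flows`/`update_flows` to the singular form also renames the GraphQL NamespaceRoleAbility enum values (`CREATE_FLOWS` → `CREATE_FLOW` and so on in the docs hunk), which is a breaking API change for any client that still sends, stores or displays the old names; the preserved db values 24–26 keep persisted rows intact, but nothing in the diff offers a deprecation alias or a changelog entry. Consider accepting the old enum values for one release with a `deprecation_reason`, or at least calling the break out in the release notes. The ABILITIES hash starts outside this hunk.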
@@ -15,7 +15,7 @@ def initialize(current_authentication, member, roles) def execute namespace = member.namespace - unless Ability.allowed?(current_authentication, :assign_member_roles, namespace) + unless Ability.allowed?(current_authentication, :assign_member_roles, member) return ServiceResponse.error(message: 'Missing permissions', payload: :missing_permission) end diff --git a/app/services/namespaces/projects/flows/create_service.rb b/app/services/namespaces/projects/flows/create_service.rb index f51639b6..41f3fe40 100644 --- a/app/services/namespaces/projects/flows/create_service.rb +++ b/app/services/namespaces/projects/flows/create_service.rb @@ -15,7 +15,7 @@ def initialize(current_authentication, namespace_project:, **params) end def execute - unless Ability.allowed?(current_authentication, :create_flows, namespace_project) + unless Ability.allowed?(current_authentication, :create_flow, namespace_project) return ServiceResponse.error(message: 'Missing permission', payload: :missing_permission) end diff --git a/app/services/namespaces/projects/flows/delete_service.rb b/app/services/namespaces/projects/flows/delete_service.rb index 8cf9e0d9..d436e0a9 100644 --- a/app/services/namespaces/projects/flows/delete_service.rb +++ b/app/services/namespaces/projects/flows/delete_service.rb @@ -14,7 +14,7 @@ def initialize(current_authentication, flow:) end def execute - unless Ability.allowed?(current_authentication, :delete_flows, flow.project) + unless Ability.allowed?(current_authentication, :delete_flow, flow) return ServiceResponse.error(message: 'Missing permission', payload: :missing_permission) end diff --git a/app/services/namespaces/roles/assign_abilities_service.rb b/app/services/namespaces/roles/assign_abilities_service.rb index 5b5f6d61..29dcd8ba 100644 --- a/app/services/namespaces/roles/assign_abilities_service.rb +++ b/app/services/namespaces/roles/assign_abilities_service.rb 
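Review bot: The check now asks `assign_member_roles` of the NamespaceMember instead of its namespace, but no NamespaceMember policy change is part of this diff; unless a member policy already answers (or delegates) that permission, this line denies every caller, and the `assignMemberRoles` field added on NamespaceMemberType goes false with it. A spec that assigns roles through this service as a role holder would catch that. With the subject changed, the `namespace = member.namespace` local directly above may no longer be used in the visible part of `execute`; the method continues outside the hunk.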
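Review bot: `delete_flow` is declared on NamespaceProjectPolicy in this commit yet is now checked against `flow` rather than `flow.project`; that only works if a Flow policy delegates to the project, and none is shown here. If the delegation is missing, both this service and the new `FlowUserAbilities.deleteFlow` field deny unconditionally, so a spec deleting a flow through this service with a role that holds `delete_flow` should accompany the change. `execute` continues outside the hunk.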
@@ -15,7 +15,7 @@ def initialize(current_authentication, role, abilities) def execute namespace = role.namespace - unless Ability.allowed?(current_authentication, :assign_role_abilities, namespace) + unless Ability.allowed?(current_authentication, :assign_role_abilities, role) return ServiceResponse.error(message: 'Missing permissions', payload: :missing_permission) end diff --git a/app/services/namespaces/roles/assign_projects_service.rb b/app/services/namespaces/roles/assign_projects_service.rb index 782f1912..cdf80068 100644 --- a/app/services/namespaces/roles/assign_projects_service.rb +++ b/app/services/namespaces/roles/assign_projects_service.rb @@ -15,7 +15,7 @@ def initialize(current_authentication, role, projects) def execute namespace = role.namespace - unless Ability.allowed?(current_authentication, :assign_role_projects, namespace) + unless Ability.allowed?(current_authentication, :assign_role_projects, role) return ServiceResponse.error(message: 'Missing permissions', payload: :missing_permission) end diff --git a/app/services/runtimes/delete_service.rb b/app/services/runtimes/delete_service.rb index bd4d2e25..d55914c1 100644 --- a/app/services/runtimes/delete_service.rb +++ b/app/services/runtimes/delete_service.rb @@ -12,7 +12,7 @@ def initialize(current_authentication, runtime) end def execute - unless Ability.allowed?(current_authentication, :delete_runtime, runtime.namespace || :global) + unless Ability.allowed?(current_authentication, :delete_runtime, runtime || :global) return ServiceResponse.error(message: 'Missing permissions', payload: :missing_permission) end diff --git a/app/services/runtimes/rotate_token_service.rb b/app/services/runtimes/rotate_token_service.rb index bb5ee3c7..6757179b 100644 --- a/app/services/runtimes/rotate_token_service.rb +++ b/app/services/runtimes/rotate_token_service.rb 
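Review bot: `assign_role_abilities` is now evaluated on the NamespaceRole rather than its namespace, and the diff shows no NamespaceRole policy gaining that permission or delegating it to the namespace, so confirm it exists or this check and the matching `assignRoleAbilities` field will refuse everyone. Narrowing the subject is the right direction from a least-privilege standpoint, since a policy can then refuse edits to individual privileged roles, but that only materialises if the policy actually inspects the role. `execute` continues outside the hunk.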
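Review bot: Same remark as for assign_abilities_service: the subject is now the role, so a NamespaceRole policy must answer `assign_role_projects`, and nothing in the diff adds one. The `namespace = role.namespace` local just above may now be unused within `execute` if nothing below the hunk reads it; drop it if so. `execute` continues outside the hunk.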
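Review bot: `runtime || :global` is a dead fallback: `runtime` is the object handed to `initialize`, and a nil runtime would presumably fail on its later use anyway, so the `|| :global` now only suggests a global-runtime path that no longer exists on this line. Global runtimes, the ones with no namespace that the old `runtime.namespace || :global` handled, must now be distinguished inside the Runtime policy; if that policy only knows namespace runtimes, deleting a global runtime through this service becomes impossible. Write the condition as `unless Ability.allowed?(current_authentication, :delete_runtime, runtime)` and make sure the policy spec covers a runtime with `namespace: nil`; the same applies to rotate_token_service and update_service below. `execute` continues outside the hunk.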
@@ -12,7 +12,7 @@ def initialize(current_authentication, runtime) end def execute - unless Ability.allowed?(current_authentication, :rotate_runtime_token, runtime.namespace || :global) + unless Ability.allowed?(current_authentication, :rotate_runtime_token, runtime || :global) return ServiceResponse.error(message: 'Missing permissions', payload: :missing_permission) end diff --git a/app/services/runtimes/update_service.rb b/app/services/runtimes/update_service.rb index 66e5db24..33985374 100644 --- a/app/services/runtimes/update_service.rb +++ b/app/services/runtimes/update_service.rb @@ -13,7 +13,7 @@ def initialize(current_authentication, runtime, params) end def execute - unless Ability.allowed?(current_authentication, :update_runtime, runtime.namespace || :global) + unless Ability.allowed?(current_authentication, :update_runtime, runtime || :global) return ServiceResponse.error(message: 'Missing permissions', payload: :missing_permission) end diff --git a/docs/graphql/enum/namespaceroleability.md b/docs/graphql/enum/namespaceroleability.md index c229f408..00dc015f 100644 --- a/docs/graphql/enum/namespaceroleability.md +++ b/docs/graphql/enum/namespaceroleability.md 
@@ -10,12 +10,12 @@ Represents abilities that can be granted to roles in namespaces.
 | `ASSIGN_PROJECT_RUNTIMES` | Allows to assign runtimes to a project in the namespace |
 | `ASSIGN_ROLE_ABILITIES` | Allows to change the abilities of a namespace role |
 | `ASSIGN_ROLE_PROJECTS` | Allows to change the assigned projects of a namespace role |
-| `CREATE_FLOWS` | Allows to create flows in a namespace project |
+| `CREATE_FLOW` | Allows to create flows in a namespace project |
 | `CREATE_NAMESPACE_LICENSE` | Allows to create a license for the namespace |
 | `CREATE_NAMESPACE_PROJECT` | Allows to create a project in the namespace |
 | `CREATE_NAMESPACE_ROLE` | Allows the creation of roles in a namespace |
 | `CREATE_RUNTIME` | Allows to create a runtime globally or for the namespace |
-| `DELETE_FLOWS` | Allows to delete flows in a namespace project |
+| `DELETE_FLOW` | Allows to delete flows in a namespace project |
 | `DELETE_MEMBER` | Allows to remove members of a namespace |
 | `DELETE_NAMESPACE_LICENSE` | Allows to delete the license of the namespace |
 | `DELETE_NAMESPACE_PROJECT` | Allows to delete the project of the namespace |
@@ -27,7 +27,7 @@ Represents abilities that can be granted to roles in namespaces.
 | `READ_NAMESPACE_LICENSE` | Allows to read the license of the namespace |
 | `READ_NAMESPACE_PROJECT` | Allows to read the project of the namespace |
 | `ROTATE_RUNTIME_TOKEN` | Allows to regenerate a runtime token |
-| `UPDATE_FLOWS` | Allows to update flows in the project |
+| `UPDATE_FLOW` | Allows to update flows in the project |
 | `UPDATE_NAMESPACE_PROJECT` | Allows to update the project of the namespace |
 | `UPDATE_NAMESPACE_ROLE` | Allows to update the namespace role |
 | `UPDATE_ORGANIZATION` | Allows to update the organization |
diff --git a/docs/graphql/object/flow.md b/docs/graphql/object/flow.md
index e496df00..060e4f43 100644
--- a/docs/graphql/object/flow.md
+++ b/docs/graphql/object/flow.md
@@ -18,4 +18,5 @@ Represents a flow
 | `startingNodeId` | [`NodeFunctionID!`](../scalar/nodefunctionid.md) | The ID of the starting node of the flow |
 | `type` | [`FlowType!`](../object/flowtype.md) | The flow type of the flow |
 | `updatedAt` | [`Time!`](../scalar/time.md) | Time when this Flow was last updated |
+| `userAbilities` | [`FlowUserAbilities!`](../object/flowuserabilities.md) | Abilities for the current user on this Flow |
diff --git a/docs/graphql/object/flowuserabilities.md b/docs/graphql/object/flowuserabilities.md
new file mode 100644
index 00000000..42326a6e
--- /dev/null
+++ b/docs/graphql/object/flowuserabilities.md
@@ -0,0 +1,12 @@
+---
+title: FlowUserAbilities
+---
+
+Abilities for the current user on this Flow
+
+## Fields without arguments
+
+| Name | Type | Description |
+|------|------|-------------|
+| `deleteFlow` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `delete_flow` ability on this Flow |
+
diff --git a/docs/graphql/object/instanceuserabilities.md b/docs/graphql/object/instanceuserabilities.md
new file mode 100644
index 00000000..c079e9d1
--- /dev/null
+++ b/docs/graphql/object/instanceuserabilities.md
@@ -0,0 +1,17 @@
+---
+title: InstanceUserAbilities
+---
+
+Abilities for the current user on this Instance
+
+## Fields without arguments
+
+| Name | Type | Description |
+|------|------|-------------|
+| `createOrganization` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `create_organization` ability on this Instance |
+| `createRuntime` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `create_runtime` ability on this Instance |
+| `deleteRuntime` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `delete_runtime` ability on this Instance |
+| `rotateRuntimeToken` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `rotate_runtime_token` ability on this Instance |
+| `updateApplicationSetting` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `update_application_setting` ability on this Instance |
+| `updateRuntime` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `update_runtime` ability on this Instance |
+
diff --git a/docs/graphql/object/namespace.md b/docs/graphql/object/namespace.md
index 8f97dedc..91bcd647 100644
--- a/docs/graphql/object/namespace.md
+++ b/docs/graphql/object/namespace.md
@@ -17,4 +17,5 @@ Represents a Namespace
 | `roles` | [`NamespaceRoleConnection!`](../object/namespaceroleconnection.md) | Roles of the namespace |
 | `runtimes` | [`RuntimeConnection!`](../object/runtimeconnection.md) | Runtime of the namespace |
 | `updatedAt` | [`Time!`](../scalar/time.md) | Time when this Namespace was last updated |
+| `userAbilities` | [`NamespaceUserAbilities!`](../object/namespaceuserabilities.md) | Abilities for the current user on this Namespace |
diff --git a/docs/graphql/object/namespacelicense.md b/docs/graphql/object/namespacelicense.md
index 774bc734..5ab3b348 100644
--- a/docs/graphql/object/namespacelicense.md
+++ b/docs/graphql/object/namespacelicense.md
@@ -15,4 +15,5 @@ title: NamespaceLicense
 | `namespace` | [`Namespace!`](../object/namespace.md) | The namespace the license belongs to |
 | `startDate` | [`Time!`](../scalar/time.md) | The start date of the license |
 | `updatedAt` | [`Time!`](../scalar/time.md) | Time when this NamespaceLicense was last updated |
+| `userAbilities` | [`NamespaceLicenseUserAbilities!`](../object/namespacelicenseuserabilities.md) | Abilities for the current user on this NamespaceLicense |
diff --git a/docs/graphql/object/namespacelicenseuserabilities.md b/docs/graphql/object/namespacelicenseuserabilities.md
new file mode 100644
index 00000000..6de121f8
--- /dev/null
+++ b/docs/graphql/object/namespacelicenseuserabilities.md
@@ -0,0 +1,12 @@
+---
+title: NamespaceLicenseUserAbilities
+---
+
+Abilities for the current user on this NamespaceLicense
+
+## Fields without arguments
+
+| Name | Type | Description |
+|------|------|-------------|
+| `deleteNamespaceLicense` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `delete_namespace_license` ability on this NamespaceLicense |
+
diff --git a/docs/graphql/object/namespacemember.md b/docs/graphql/object/namespacemember.md
index da950848..aa72ce15 100644
--- a/docs/graphql/object/namespacemember.md
+++ b/docs/graphql/object/namespacemember.md
@@ -15,4 +15,5 @@ Represents a namespace member
 | `roles` | [`NamespaceRoleConnection!`](../object/namespaceroleconnection.md) | Roles of the member |
 | `updatedAt` | [`Time!`](../scalar/time.md) | Time when this NamespaceMember was last updated |
 | `user` | [`User!`](../object/user.md) | User this member belongs to |
+| `userAbilities` | [`NamespaceMemberUserAbilities!`](../object/namespacememberuserabilities.md) | Abilities for the current user on this NamespaceMember |
diff --git a/docs/graphql/object/namespacememberuserabilities.md b/docs/graphql/object/namespacememberuserabilities.md
new file mode 100644
index 00000000..bc754830
--- /dev/null
+++ b/docs/graphql/object/namespacememberuserabilities.md
@@ -0,0 +1,13 @@
+---
+title: NamespaceMemberUserAbilities
+---
+
+Abilities for the current user on this NamespaceMember
+
+## Fields without arguments
+
+| Name | Type | Description |
+|------|------|-------------|
+| `assignMemberRoles` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `assign_member_roles` ability on this NamespaceMember |
+| `deleteMember` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `delete_member` ability on this NamespaceMember |
+
diff --git a/docs/graphql/object/namespaceproject.md b/docs/graphql/object/namespaceproject.md
index 7582b3cf..ef2fff01 100644
--- a/docs/graphql/object/namespaceproject.md
+++ b/docs/graphql/object/namespaceproject.md
@@ -17,6 +17,7 @@ Represents a namespace project
 | `primaryRuntime` | [`Runtime`](../object/runtime.md) | The primary runtime for the project |
 | `runtimes` | [`RuntimeConnection!`](../object/runtimeconnection.md) | Runtimes assigned to this project |
 | `updatedAt` | [`Time!`](../scalar/time.md) | Time when this NamespaceProject was last updated |
+| `userAbilities` | [`NamespaceProjectUserAbilities!`](../object/namespaceprojectuserabilities.md) | Abilities for the current user on this NamespaceProject |
 ## Fields with arguments
diff --git a/docs/graphql/object/namespaceprojectuserabilities.md b/docs/graphql/object/namespaceprojectuserabilities.md
new file mode 100644
index 00000000..4ba54d0b
--- /dev/null
+++ b/docs/graphql/object/namespaceprojectuserabilities.md
@@ -0,0 +1,15 @@
+---
+title: NamespaceProjectUserAbilities
+---
+
+Abilities for the current user on this NamespaceProject
+
+## Fields without arguments
+
+| Name | Type | Description |
+|------|------|-------------|
+| `assignProjectRuntimes` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `assign_project_runtimes` ability on this NamespaceProject |
+| `createFlow` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `create_flow` ability on this NamespaceProject |
+| `deleteNamespaceProject` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `delete_namespace_project` ability on this NamespaceProject |
+| `updateNamespaceProject` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `update_namespace_project` ability on this NamespaceProject |
+
diff --git a/docs/graphql/object/namespacerole.md b/docs/graphql/object/namespacerole.md
index c036d508..864ff155 100644
--- a/docs/graphql/object/namespacerole.md
+++ b/docs/graphql/object/namespacerole.md
@@ -15,4 +15,5 @@ Represents a namespace role.
 | `name` | [`String!`](../scalar/string.md) | The name of this role |
 | `namespace` | [`Namespace`](../object/namespace.md) | The namespace where this role belongs to |
 | `updatedAt` | [`Time!`](../scalar/time.md) | Time when this NamespaceRole was last updated |
+| `userAbilities` | [`NamespaceRoleUserAbilities!`](../object/namespaceroleuserabilities.md) | Abilities for the current user on this NamespaceRole |
diff --git a/docs/graphql/object/namespaceroleuserabilities.md b/docs/graphql/object/namespaceroleuserabilities.md
new file mode 100644
index 00000000..1c2c7bb8
--- /dev/null
+++ b/docs/graphql/object/namespaceroleuserabilities.md
@@ -0,0 +1,15 @@
+---
+title: NamespaceRoleUserAbilities
+---
+
+Abilities for the current user on this NamespaceRole
+
+## Fields without arguments
+
+| Name | Type | Description |
+|------|------|-------------|
+| `assignRoleAbilities` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `assign_role_abilities` ability on this NamespaceRole |
+| `assignRoleProjects` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `assign_role_projects` ability on this NamespaceRole |
+| `deleteNamespaceRole` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `delete_namespace_role` ability on this NamespaceRole |
+| `updateNamespaceRole` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `update_namespace_role` ability on this NamespaceRole |
+
diff --git a/docs/graphql/object/namespaceuserabilities.md b/docs/graphql/object/namespaceuserabilities.md
new file mode 100644
index 00000000..d7e457ad
--- /dev/null
+++ b/docs/graphql/object/namespaceuserabilities.md
@@ -0,0 +1,16 @@
+---
+title: NamespaceUserAbilities
+---
+
+Abilities for the current user on this Namespace
+
+## Fields without arguments
+
+| Name | Type | Description |
+|------|------|-------------|
+| `createNamespaceLicense` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `create_namespace_license` ability on this Namespace |
+| `createNamespaceProject` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `create_namespace_project` ability on this Namespace |
+| `createNamespaceRole` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `create_namespace_role` ability on this Namespace |
+| `createRuntime` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `create_runtime` ability on this Namespace |
+| `inviteMember` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `invite_member` ability on this Namespace |
+
diff --git a/docs/graphql/object/organization.md b/docs/graphql/object/organization.md
index ecc7cc97..7756bc79 100644
--- a/docs/graphql/object/organization.md
+++ b/docs/graphql/object/organization.md
@@ -13,4 +13,5 @@ Represents a Organization
 | `name` | [`String!`](../scalar/string.md) | Name of the organization |
 | `namespace` | [`Namespace!`](../object/namespace.md) | Namespace of this organization |
 | `updatedAt` | [`Time!`](../scalar/time.md) | Time when this Organization was last updated |
+| `userAbilities` | [`OrganizationUserAbilities!`](../object/organizationuserabilities.md) | Abilities for the current user on this Organization |
diff --git a/docs/graphql/object/organizationuserabilities.md b/docs/graphql/object/organizationuserabilities.md
new file mode 100644
index 00000000..2f46d3f2
--- /dev/null
+++ b/docs/graphql/object/organizationuserabilities.md
@@ -0,0 +1,13 @@
+---
+title: OrganizationUserAbilities
+---
+
+Abilities for the current user on this Organization
+
+## Fields without arguments
+
+| Name | Type | Description |
+|------|------|-------------|
+| `deleteOrganization` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `delete_organization` ability on this Organization |
+| `updateOrganization` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `update_organization` ability on this Organization |
+
diff --git a/docs/graphql/object/query.md b/docs/graphql/object/query.md
index fea125e0..f7046c80 100644
--- a/docs/graphql/object/query.md
+++ b/docs/graphql/object/query.md
@@ -13,6 +13,7 @@ Root Query type
 | `currentUser` | [`User`](../object/user.md) | Get the currently logged in user |
 | `globalRuntimes` | [`RuntimeConnection!`](../object/runtimeconnection.md) | Find runtimes |
 | `organizations` | [`OrganizationConnection!`](../object/organizationconnection.md) | Find organizations |
+| `userAbilities` | [`InstanceUserAbilities!`](../object/instanceuserabilities.md) | Abilities for the current user on this Instance |
 | `users` | [`UserConnection!`](../object/userconnection.md) | Find users |
 ## Fields with arguments
diff --git a/docs/graphql/object/runtime.md b/docs/graphql/object/runtime.md
index f17b0b06..edee1f73 100644
--- a/docs/graphql/object/runtime.md
+++ b/docs/graphql/object/runtime.md
@@ -19,4 +19,5 @@ Represents a runtime
 | `status` | [`RuntimeStatusType!`](../enum/runtimestatustype.md) | The status of the runtime |
 | `token` | [`String`](../scalar/string.md) | Token belonging to the runtime, only present on creation |
 | `updatedAt` | [`Time!`](../scalar/time.md) | Time when this Runtime was last updated |
+| `userAbilities` | [`RuntimeUserAbilities!`](../object/runtimeuserabilities.md) | Abilities for the current user on this Runtime |
diff --git a/docs/graphql/object/runtimeuserabilities.md b/docs/graphql/object/runtimeuserabilities.md
new file mode 100644
index 00000000..73becd8f
--- /dev/null
+++ b/docs/graphql/object/runtimeuserabilities.md
@@ -0,0 +1,14 @@
+---
+title: RuntimeUserAbilities
+---
+
+Abilities for the current user on this Runtime
+
+## Fields without arguments
+
+| Name | Type | Description |
+|------|------|-------------|
+| `deleteRuntime` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `delete_runtime` ability on this Runtime |
+| `rotateRuntimeToken` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `rotate_runtime_token` ability on this Runtime |
+| `updateRuntime` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `update_runtime` ability on this Runtime |
+
diff --git a/docs/graphql/object/user.md b/docs/graphql/object/user.md
index 834f406a..a7caaf16 100644
--- a/docs/graphql/object/user.md
+++ b/docs/graphql/object/user.md
@@ -21,5 +21,6 @@ Represents a user
 | `namespaceMemberships` | [`NamespaceMemberConnection!`](../object/namespacememberconnection.md) | Namespace Memberships of this user |
 | `sessions` | [`UserSessionConnection!`](../object/usersessionconnection.md) | Sessions of this user |
 | `updatedAt` | [`Time!`](../scalar/time.md) | Time when this User was last updated |
+| `userAbilities` | [`UserUserAbilities!`](../object/useruserabilities.md) | Abilities for the current user on this User |
 | `username` | [`String!`](../scalar/string.md) | Username of the user |
diff --git a/docs/graphql/object/usersession.md b/docs/graphql/object/usersession.md
index c8416500..d40205f4 100644
--- a/docs/graphql/object/usersession.md
+++ b/docs/graphql/object/usersession.md
@@ -14,4 +14,5 @@ Represents a user session
 | `token` | [`String`](../scalar/string.md) | Token belonging to the session, only present on creation |
 | `updatedAt` | [`Time!`](../scalar/time.md) | Time when this UserSession was last updated |
 | `user` | [`User!`](../object/user.md) | User that belongs to the session |
+| `userAbilities` | [`UserSessionUserAbilities!`](../object/usersessionuserabilities.md) | Abilities for the current user on this UserSession |
diff --git a/docs/graphql/object/usersessionuserabilities.md b/docs/graphql/object/usersessionuserabilities.md
new file mode 100644
index 00000000..db505d1f
--- /dev/null
+++ b/docs/graphql/object/usersessionuserabilities.md
@@ -0,0 +1,12 @@
+---
+title: UserSessionUserAbilities
+---
+
+Abilities for the current user on this UserSession
+
+## Fields without arguments
+
+| Name | Type | Description |
+|------|------|-------------|
+| `logoutSession` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `logout_session` ability on this UserSession |
+
diff --git a/docs/graphql/object/useruserabilities.md b/docs/graphql/object/useruserabilities.md
new file mode 100644
index 00000000..48987174
--- /dev/null
+++ b/docs/graphql/object/useruserabilities.md
@@ -0,0 +1,13 @@
+---
+title: UserUserAbilities
+---
+
+Abilities for the current user on this User
+
+## Fields without arguments
+
+| Name | Type | Description |
+|------|------|-------------|
+| `manageMfa` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `manage_mfa` ability on this User |
+| `updateUser` | [`Boolean!`](../scalar/boolean.md) | Shows if the current user has the `update_user` ability on this User |
+
diff --git a/extensions/ee/app/graphql/ee/types/namespace_type.rb b/extensions/ee/app/graphql/ee/types/namespace_type.rb
index 0b079b95..5453676e 100644
--- a/extensions/ee/app/graphql/ee/types/namespace_type.rb
+++ b/extensions/ee/app/graphql/ee/types/namespace_type.rb
@@ -9,6 +9,10 @@ module NamespaceType field :namespace_licenses, ::Types::NamespaceLicenseType.connection_type, null: false, description: '(EE only) Licenses of the namespace' + + expose_abilities %i[ + create_namespace_license + ] end end end diff --git a/extensions/ee/app/graphql/types/namespace_license_type.rb b/extensions/ee/app/graphql/types/namespace_license_type.rb index 084962bc..aece7fe4 100644 --- a/extensions/ee/app/graphql/types/namespace_license_type.rb +++ b/extensions/ee/app/graphql/types/namespace_license_type.rb @@ -14,6 +14,10 @@ class NamespaceLicenseType < Types::BaseObject field :licensee, GraphQL::Types::JSON, null: false, description: 'The licensee information' + expose_abilities %i[ + delete_namespace_license + ] + id_field NamespaceLicense timestamps end diff --git a/extensions/ee/app/services/namespaces/licenses/delete_service.rb b/extensions/ee/app/services/namespaces/licenses/delete_service.rb index 9dc4e1af..4a3a5476 100644 --- a/extensions/ee/app/services/namespaces/licenses/delete_service.rb +++ b/extensions/ee/app/services/namespaces/licenses/delete_service.rb @@ -13,7 +13,7 @@ def initialize(current_authentication, namespace_license:) end def execute - unless Ability.allowed?(current_authentication, :delete_namespace_license, namespace_license.namespace) + unless Ability.allowed?(current_authentication, :delete_namespace_license, namespace_license) return ServiceResponse.error(message: 'Missing permission', payload: :missing_permission) end diff --git a/extensions/ee/spec/graphql/types/ee/types/namespace_type_spec.rb b/extensions/ee/spec/graphql/types/ee/types/namespace_type_spec.rb index 57f40113..87d1e1d2 100644 --- a/extensions/ee/spec/graphql/types/ee/types/namespace_type_spec.rb +++ b/extensions/ee/spec/graphql/types/ee/types/namespace_type_spec.rb @@ -14,6 +14,7 @@ createdAt updatedAt namespaceLicenses + userAbilities ] end 
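Review bot: Nothing in this change asserts that the `create_namespace_license` ability added here actually lands on the Namespace user-abilities type; the CE `namespace_type_spec` in this diff also lists `userAbilities`, so the CE type presumably calls `expose_abilities` too, and whether the EE call merges into that type or depends on load order is unverified. The EE `namespace_type_spec` hunk on this line only checks that a `userAbilities` field exists on Namespace, not which booleans it carries. I would add a spec on the generated abilities type (the docs in this change name them `<Entity>UserAbilities`, so presumably `Types::NamespaceUserAbilities`) along the lines of `expect(described_class.fields.keys).to include('createNamespaceLicense')`. The `NamespaceType` module opens outside the hunk; its three closing `end`s are inside it.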
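Review bot: The subject of the `Ability.allowed?` guard in `execute` changes from `namespace_license.namespace` to `namespace_license`, which only remains a correct authorization check if a policy for `NamespaceLicense` exists and delegates `delete_namespace_license` to the owning namespace's membership/role logic; no policy change is visible in this diff, so that delegation should be confirmed before merging. If no policy is registered for the license record, the outcome depends on how `Ability.allowed?` treats an unknown subject — ideally it denies, which would silently turn every license deletion into `:missing_permission`, and if it does not deny the check is bypassed. A request or service spec that grants `delete_namespace_license` through a namespace role ability and asserts the service succeeds (and returns `:missing_permission` without the grant) would pin both directions; the license delete service spec is not touched by this change. Only the guard is shown here; the rest of `execute` is outside the hunk.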
diff --git a/extensions/ee/spec/graphql/types/namespace_license_type_spec.rb b/extensions/ee/spec/graphql/types/namespace_license_type_spec.rb
index 91aed9c9..d466adbb 100644
--- a/extensions/ee/spec/graphql/types/namespace_license_type_spec.rb
+++ b/extensions/ee/spec/graphql/types/namespace_license_type_spec.rb
@@ -10,6 +10,7 @@
 startDate
 endDate
 licensee
+ userAbilities
 createdAt
 updatedAt
 ]
diff --git a/spec/graphql/types/namespace_member_type_spec.rb b/spec/graphql/types/namespace_member_type_spec.rb
index c45715eb..8380a897 100644
--- a/spec/graphql/types/namespace_member_type_spec.rb
+++ b/spec/graphql/types/namespace_member_type_spec.rb
@@ -10,6 +10,7 @@
 namespace
 memberRoles
 roles
+ userAbilities
 createdAt
 updatedAt
 ]
diff --git a/spec/graphql/types/namespace_project_type_spec.rb b/spec/graphql/types/namespace_project_type_spec.rb
index 1b900bd6..bda7f7c2 100644
--- a/spec/graphql/types/namespace_project_type_spec.rb
+++ b/spec/graphql/types/namespace_project_type_spec.rb
@@ -13,6 +13,7 @@
 runtimes
 flows
 flow
+ user_abilities
 created_at
 updated_at
 ]
diff --git a/spec/graphql/types/namespace_role_type_spec.rb b/spec/graphql/types/namespace_role_type_spec.rb
index 70a032a5..2e98b702 100644
--- a/spec/graphql/types/namespace_role_type_spec.rb
+++ b/spec/graphql/types/namespace_role_type_spec.rb
@@ -10,6 +10,7 @@
 name
 abilities
 assignedProjects
+ userAbilities
 createdAt
 updatedAt
 ]
diff --git a/spec/graphql/types/namespace_type_spec.rb b/spec/graphql/types/namespace_type_spec.rb
index e1c9a1ca..10021877 100644
--- a/spec/graphql/types/namespace_type_spec.rb
+++ b/spec/graphql/types/namespace_type_spec.rb
@@ -11,6 +11,7 @@
 roles
 runtimes
 projects
+ userAbilities
 createdAt
 updatedAt
 ]
diff --git a/spec/graphql/types/organization_type_spec.rb b/spec/graphql/types/organization_type_spec.rb
index 1055d408..c58473d4 100644
--- a/spec/graphql/types/organization_type_spec.rb
+++ b/spec/graphql/types/organization_type_spec.rb
@@ -8,6 +8,7 @@
 id
 name
 namespace
+ userAbilities
 createdAt
 updatedAt
 ]
diff --git a/spec/graphql/types/query_type_spec.rb b/spec/graphql/types/query_type_spec.rb
index 2eea6db4..179b49ba 100644
--- a/spec/graphql/types/query_type_spec.rb
+++ b/spec/graphql/types/query_type_spec.rb
@@ -14,6 +14,7 @@
 users
 global_runtimes
 namespace
+ userAbilities
 node
 nodes
 ]
diff --git a/spec/graphql/types/runtime_type_spec.rb b/spec/graphql/types/runtime_type_spec.rb
index 2dffd4b7..094ad85f 100644
--- a/spec/graphql/types/runtime_type_spec.rb
+++ b/spec/graphql/types/runtime_type_spec.rb
@@ -14,6 +14,7 @@
 projects
 status
 token
+ userAbilities
 createdAt
 updatedAt
 ]
diff --git a/spec/graphql/types/user_session_type_spec.rb b/spec/graphql/types/user_session_type_spec.rb
index 6d709e78..ebe71893 100644
--- a/spec/graphql/types/user_session_type_spec.rb
+++ b/spec/graphql/types/user_session_type_spec.rb
@@ -9,6 +9,7 @@
 user
 token
 active
+ userAbilities
 createdAt
 updatedAt
 ]
diff --git a/spec/graphql/types/user_type_spec.rb b/spec/graphql/types/user_type_spec.rb
index 9b6fc180..abea61a6 100644
--- a/spec/graphql/types/user_type_spec.rb
+++ b/spec/graphql/types/user_type_spec.rb
@@ -17,6 +17,7 @@
 emailVerifiedAt
 sessions
 identities
+ userAbilities
 createdAt
 updatedAt
 ]
diff --git a/spec/requests/graphql/mutation/namespace/projects/flows/create_mutation_spec.rb b/spec/requests/graphql/mutation/namespace/projects/flows/create_mutation_spec.rb
index 2c15b982..b350520b 100644
--- a/spec/requests/graphql/mutation/namespace/projects/flows/create_mutation_spec.rb
+++ b/spec/requests/graphql/mutation/namespace/projects/flows/create_mutation_spec.rb
@@ -84,7 +84,7 @@
 context 'when user has the permission' do
 before do
 namespace_role = create(:namespace_role, namespace: project.namespace).tap do |role|
- create(:namespace_role_ability, namespace_role: role, ability: :create_flows)
+ create(:namespace_role_ability, namespace_role: role, ability: :create_flow)
 create(:namespace_role_ability, namespace_role: role, ability: :read_namespace_project)
 end
 namespace_member = create(:namespace_member, namespace: project.namespace, user: current_user)
diff --git a/spec/requests/graphql/mutation/namespace/projects/flows/delete_mutation_spec.rb b/spec/requests/graphql/mutation/namespace/projects/flows/delete_mutation_spec.rb
index 2f6ed50b..4326f6ef 100644
--- a/spec/requests/graphql/mutation/namespace/projects/flows/delete_mutation_spec.rb
+++ b/spec/requests/graphql/mutation/namespace/projects/flows/delete_mutation_spec.rb
@@ -36,7 +36,7 @@
 context 'when user has permission' do
 before do
 namespace_role = create(:namespace_role, namespace: namespace_project.namespace).tap do |role|
- create(:namespace_role_ability, namespace_role: role, ability: :delete_flows)
+ create(:namespace_role_ability, namespace_role: role, ability: :delete_flow)
 create(:namespace_role_ability, namespace_role: role, ability: :read_namespace_project)
 end
 namespace_member = create(:namespace_member, namespace: namespace_project.namespace, user: current_user)
diff --git a/spec/services/namespaces/projects/flows/create_service_spec.rb b/spec/services/namespaces/projects/flows/create_service_spec.rb
index a4cd747b..6607c54b 100644
--- a/spec/services/namespaces/projects/flows/create_service_spec.rb
+++ b/spec/services/namespaces/projects/flows/create_service_spec.rb
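Review bot: The `create(:namespace_role_ability, ...)` line renames the persisted ability from `create_flows` to `create_flow`, and a `NamespaceRoleAbility` row stores that name, so any existing row that still holds `create_flows` would silently stop matching after this change — the affected users simply lose the grant with no error, and an admin re-granting it cannot tell why the old one vanished. No data migration or compatibility mapping for the old name is visible in this diff (the `delete_mutation_spec` hunk on this line makes the same `delete_flows` → `delete_flow` rename). Either confirm the old names never reached a database outside test fixtures, or add a migration that rewrites those rows, e.g. `NamespaceRoleAbility.where(ability: 'create_flows').update_all(ability: 'create_flow')` plus the delete counterpart. The `before` block is shown whole, but the enclosing `context` continues past the hunk.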
@@ -47,7 +47,7 @@ let(:current_user) { create(:user) } before do - stub_allowed_ability(NamespaceProjectPolicy, :create_flows, user: current_user, subject: namespace_project) + stub_allowed_ability(NamespaceProjectPolicy, :create_flow, user: current_user, subject: namespace_project) end it { is_expected.to be_success } diff --git a/spec/services/namespaces/projects/flows/delete_service_spec.rb b/spec/services/namespaces/projects/flows/delete_service_spec.rb index a8ba4d16..abaf6f17 100644 --- a/spec/services/namespaces/projects/flows/delete_service_spec.rb +++ b/spec/services/namespaces/projects/flows/delete_service_spec.rb @@ -36,7 +36,7 @@ let(:current_user) { create(:user) } before do - stub_allowed_ability(NamespaceProjectPolicy, :delete_flows, user: current_user, subject: namespace_project) + stub_allowed_ability(NamespaceProjectPolicy, :delete_flow, user: current_user, subject: namespace_project) end it { is_expected.to be_success }
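Review bot: The stubbed call on the `+` line shows the flow delete service still authorises `delete_flow` through `NamespaceProjectPolicy` with `namespace_project` as the subject, whereas the license delete service in this same change was switched to check its ability against the license record itself; if `delete_flow` is also exposed as a per-flow user ability evaluated against the flow object, the boolean a client renders and the check the mutation enforces consult different policies, which is how a UI ends up offering an action the server then denies (or showing it as unavailable while the mutation would succeed). Either move the service to `Ability.allowed?(current_authentication, :delete_flow, flow)` backed by a `FlowPolicy` that delegates to the project, or keep the exposed ability's subject the project, and in both cases stub the policy the service actually consults here. The `create_service_spec` hunk above keeps a project-subject stub for `create_flow`, which is consistent there because no flow exists yet at creation time. Only the `before` block is visible; the `let` and `it` around it are context and the enclosing `context` runs past the hunk.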