fix: keys delete permission on import (#2339)

backend/api/src/main/kotlin/io/tolgee/api/v2/controllers/dataImport/SingleStepImportController.kt

@@ -17,6 +17,7 @@ import io.tolgee.security.authentication.AllowApiAccess
 import io.tolgee.security.authentication.AuthenticationFacade
 import io.tolgee.security.authorization.RequiresProjectPermissions
 import io.tolgee.service.dataImport.ImportService
+import io.tolgee.service.security.SecurityService
 import io.tolgee.util.Logging
 import io.tolgee.util.filterFiles
 import jakarta.validation.Valid
@@ -37,6 +38,7 @@ class SingleStepImportController(
   private val importService: ImportService,
   private val authenticationFacade: AuthenticationFacade,
   private val projectHolder: ProjectHolder,
+  private val securityService: SecurityService,
 ) : Logging {
   @PostMapping("", consumes = [MediaType.MULTIPART_FORM_DATA_VALUE])
   @Operation(
@@ -71,6 +73,10 @@ class SingleStepImportController(
         ImportFileDto(it.originalFilename ?: "", it.inputStream.readAllBytes())
       }
 
+    if (params.removeOtherKeys == true) {
+      securityService.checkProjectPermission(projectHolder.project.id, Scope.KEYS_DELETE)
+    }
+
     importService.singleStepImport(
       files = fileDtos,
       project = projectHolder.projectEntity,

backend/app/src/test/kotlin/io/tolgee/api/v2/controllers/v2ImportController/SingleStepImportControllerTest.kt

@@ -5,7 +5,9 @@ import io.tolgee.constants.Message
 import io.tolgee.development.testDataBuilder.data.SingleStepImportTestData
 import io.tolgee.fixtures.andHasErrorMessage
 import io.tolgee.fixtures.andIsBadRequest
+import io.tolgee.fixtures.andIsForbidden
 import io.tolgee.fixtures.andIsOk
+import io.tolgee.model.enums.Scope
 import io.tolgee.testing.annotations.ProjectJWTAuthTestMethod
 import io.tolgee.testing.assert
 import io.tolgee.util.performSingleStepImport
@@ -246,6 +248,24 @@ class SingleStepImportControllerTest : ProjectAuthControllerTest("/v2/projects/"
     }
   }
 
+  @Test
+  @ProjectJWTAuthTestMethod
+  fun `doesn't allow deletion when no permission to do so`() {
+    testData.addConflictTranslation()
+    testData.setUserScopes(arrayOf(Scope.TRANSLATIONS_VIEW, Scope.KEYS_CREATE, Scope.KEYS_VIEW))
+    saveAndPrepare()
+    val params = getFileMappings(jsonFileName)
+    params["removeOtherKeys"] = true
+
+    executeInNewTransaction {
+      performImport(
+        projectId = testData.project.id,
+        files = listOf(Pair(jsonFileName, newJson)),
+        params,
+      ).andIsForbidden
+    }
+  }
+
   private fun assertXliffDataImported() {
     getTestKeyTranslations().find { it.language.tag == "de" }!!.text.assert.isEqualTo("Test cs")
     getTestKeyTranslations().find { it.language.tag == "en" }!!.text.assert.isEqualTo("Test en")

backend/data/src/main/kotlin/io/tolgee/development/testDataBuilder/data/SingleStepImportTestData.kt

@@ -1,5 +1,8 @@
 package io.tolgee.development.testDataBuilder.data
 
+import io.tolgee.model.enums.OrganizationRoleType
+import io.tolgee.model.enums.Scope
+
 class SingleStepImportTestData : BaseTestData() {
   val germanLanguage = projectBuilder.addGerman()
 
@@ -14,4 +17,9 @@ class SingleStepImportTestData : BaseTestData() {
       this.language = englishLanguage
     }
   }
+
+  fun setUserScopes(scopes: Array<Scope>) {
+    userAccountBuilder.defaultOrganizationBuilder.data.roles.first().self.type = OrganizationRoleType.MEMBER
+    projectBuilder.data.permissions.first().self.scopes = scopes
+  }
 }

backend/data/src/main/kotlin/io/tolgee/service/dataImport/StoredDataImporter.kt

@@ -150,7 +150,9 @@ class StoredDataImporter(
       val existingKeys = importDataManager.existingKeys.entries
       val importedKeys = importDataManager.storedKeys.entries.map { (pair) -> Pair(pair.first.namespace, pair.second) }
       val otherKeys = existingKeys.filter { existing -> !importedKeys.contains(existing.key) }
-      keyService.deleteMultiple(otherKeys.map { it.value.id })
+      if (otherKeys.isNotEmpty()) {
+        keyService.deleteMultiple(otherKeys.map { it.value.id })
+      }
     }
   }