From 6802ddcd933b90a77c0861ff7e607e22c7821472 Mon Sep 17 00:00:00 2001
From: Kraiem Taha Yassine
Date: Fri, 25 Oct 2024 16:35:12 +0200
Subject: [PATCH] fix(chalice): fixed permissions for EE SA (#2685)
---
ee/api/routers/core_dynamic.py | 8 +++++---
ee/api/schemas/schemas_ee.py | 1 +
.../schema/db/init_dbs/postgresql/1.19.0/1.19.0.sql | 2 +-
.../schema/db/init_dbs/postgresql/1.20.0/1.20.0.sql | 4 ++++
4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/ee/api/routers/core_dynamic.py b/ee/api/routers/core_dynamic.py
index 13b0bbe8c..f0ee9bd9c 100644
--- a/ee/api/routers/core_dynamic.py
+++ b/ee/api/routers/core_dynamic.py
@@ -346,7 +346,8 @@ def get_error_trace(projectId: int, sessionId: int, errorId: str,
 }
 
 
-@app.get('/{projectId}/errors/{errorId}', tags=['errors'], dependencies=[OR_scope(Permissions.DEV_TOOLS)])
+@app.get('/{projectId}/errors/{errorId}', tags=['errors'],
+ dependencies=[OR_scope(Permissions.DEV_TOOLS, ServicePermissions.DEV_TOOLS)])
 def errors_get_details(projectId: int, errorId: str, background_tasks: BackgroundTasks, density24: int = 24,
 density30: int = 30, context: schemas.CurrentContext = Depends(OR_context)):
 data = errors.get_details(project_id=projectId, user_id=context.user_id, error_id=errorId,
@@ -357,7 +358,8 @@ def errors_get_details(projectId: int, errorId: str, background_tasks: Backgroun
 return data
 
 
-@app.get('/{projectId}/errors/{errorId}/sourcemaps', tags=['errors'], dependencies=[OR_scope(Permissions.DEV_TOOLS)])
+@app.get('/{projectId}/errors/{errorId}/sourcemaps', tags=['errors'],
+ dependencies=[OR_scope(Permissions.DEV_TOOLS, ServicePermissions.DEV_TOOLS)])
 def errors_get_details_sourcemaps(projectId: int, errorId: str, context: schemas.CurrentContext = Depends(OR_context)):
 data = errors.get_trace(project_id=projectId, error_id=errorId)
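Review bot: The widened `OR_scope(Permissions.DEV_TOOLS, ServicePermissions.DEV_TOOLS)` on errors_get_details admits service-account callers, but the body still forwards `user_id=context.user_id` to errors.get_details, which presumably expects a human user's id; it is worth confirming that a service-account context carries a value that function tolerates and that nothing it reads or writes per user is keyed on it. The same consideration applies to errors_get_details_sourcemaps in the next hunk and to get_session_notes in the later notes hunk, which also passes user_id through. A short comment on the decorator such as `# service accounts (ServicePermissions.DEV_TOOLS) may call this; context.user_id is then the SA identity` would make the intent explicit for the next reader. Both function bodies continue outside their hunks.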
@@ -523,7 +525,7 @@ def create_note(projectId: int, sessionId: int, data: schemas.SessionNoteSchema
 
 
 @app.get('/{projectId}/sessions/{sessionId}/notes', tags=["sessions", "notes"],
- dependencies=[OR_scope(Permissions.SESSION_REPLAY)])
+ dependencies=[OR_scope(Permissions.SESSION_REPLAY, ServicePermissions.READ_NOTES)])
 def get_session_notes(projectId: int, sessionId: int, context: schemas.CurrentContext = Depends(OR_context)):
 data = sessions_notes.get_session_notes(tenant_id=context.tenant_id, project_id=projectId, session_id=sessionId,
 user_id=context.user_id)
diff --git a/ee/api/schemas/schemas_ee.py b/ee/api/schemas/schemas_ee.py
index 9b465c5b4..1d2197895 100644
--- a/ee/api/schemas/schemas_ee.py
+++ b/ee/api/schemas/schemas_ee.py
@@ -25,6 +25,7 @@ class ServicePermissions(str, Enum):
 DEV_TOOLS = "SERVICE_DEV_TOOLS"
 ASSIST_LIVE = "SERVICE_ASSIST_LIVE"
 ASSIST_CALL = "SERVICE_ASSIST_CALL"
+ READ_NOTES = "SERVICE_READ_NOTES"
 
 
 class CurrentContext(schemas.CurrentContext):
diff --git a/ee/scripts/schema/db/init_dbs/postgresql/1.19.0/1.19.0.sql b/ee/scripts/schema/db/init_dbs/postgresql/1.19.0/1.19.0.sql
index a03628954..41193ca27 100644
--- a/ee/scripts/schema/db/init_dbs/postgresql/1.19.0/1.19.0.sql
+++ b/ee/scripts/schema/db/init_dbs/postgresql/1.19.0/1.19.0.sql
@@ -50,7 +50,7 @@ SET metric_type='heatMap',
 WHERE metric_type = 'clickMap';
 
 UPDATE public.roles
-SET permissions='{SERVICE_SESSION_REPLAY,SERVICE_DEV_TOOLS,SERVICE_ASSIST_LIVE,SERVICE_ASSIST_CALL}'
+SET permissions='{SERVICE_SESSION_REPLAY,SERVICE_DEV_TOOLS,SERVICE_ASSIST_LIVE,SERVICE_ASSIST_CALL,SERVICE_READ_NOTES}'
 WHERE service_role;
 
 UPDATE public.users
diff --git a/ee/scripts/schema/db/init_dbs/postgresql/1.20.0/1.20.0.sql b/ee/scripts/schema/db/init_dbs/postgresql/1.20.0/1.20.0.sql
index dd22ea80e..a0db03d73 100644
--- a/ee/scripts/schema/db/init_dbs/postgresql/1.20.0/1.20.0.sql
+++ b/ee/scripts/schema/db/init_dbs/postgresql/1.20.0/1.20.0.sql
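Review bot: Editing the already-released 1.19.0 migration only changes what a database initialised from that script receives; deployments that have already run 1.19.0 are not revisited, which is presumably why the same role update is repeated in the 1.20.0 script in the next hunk. If the 1.19.0 script is never re-applied on upgrade, this hunk is redundant with the 1.20.0 one and could be dropped so released migrations stay immutable; if it is re-applied, a comment such as `-- keep the service-role permission list in sync with 1.20.0/1.20.0.sql` would tell the next maintainer why the two lists must match.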
@@ -33,6 +33,10 @@ WHERE NOT permissions @> '{SPOT_PUBLIC}'
 AND NOT service_role;
 -- AND name ILIKE 'owner';
 
+UPDATE public.roles
+SET permissions='{SERVICE_SESSION_REPLAY,SERVICE_DEV_TOOLS,SERVICE_ASSIST_LIVE,SERVICE_ASSIST_CALL,SERVICE_READ_NOTES}'
+WHERE service_role;
+
 ALTER TABLE IF EXISTS public.users
 ADD COLUMN IF NOT EXISTS spot_jwt_iat timestamp without time zone NULL DEFAULT NULL,
 ADD COLUMN IF NOT EXISTS spot_jwt_refresh_jti integer NULL DEFAULT NULL,
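Review bot: The new `UPDATE public.roles SET permissions='{...}' WHERE service_role;` replaces the entire permission array of every service role instead of adding SERVICE_READ_NOTES, so any permission an operator had deliberately removed from a service role (SERVICE_ASSIST_CALL, for instance) is silently re-granted by the upgrade. A least-privilege migration would append only the missing value: `SET permissions = array_append(permissions, 'SERVICE_READ_NOTES')` with `WHERE service_role AND NOT permissions @> '{SERVICE_READ_NOTES}'`, mirroring the `@>` guard the same file already uses a few lines above. The 1.19.0 script in the previous hunk performs the same full-array overwrite, though there it predates this commit.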