fix(storage): merge authenticated and group permissions in resolveLocationsForCurrentSession

[osama-rizk]

Description of changes

Fixes the permission resolution in resolveLocationsForCurrentSession (consumed by StorageBrowser's listPaths) so that allow.authenticated and allow.groups(...) access rules are treated as additive rather than mutually exclusive, matching how IAM evaluates the generated policies.

Root cause. In packages/storage/src/internals/apis/listPaths/resolveLocationsForCurrentSession.ts, the resolvePermissions helper, when the current user was in a Cognito
group, returned:

• only the matched groups permissions, dropping authenticated entirely, or
• undefined if the path had no matching groups rule — which removed the location from the returned list completely.

This produced two user-visible bugs in StorageBrowser (Amplify Gen 2):

1. Folders reachable only via allow.authenticated.to(['list']) disappeared as soon as the user belonged to any group — UI showed "No folders or files."
2. On paths combining allow.authenticated.to(['list']) with allow.groups(['Admins']).to(['read','write','delete']), the permissions column showed "Read" only and the actions menu was disabled, even though IAM (and direct uploadData / remove calls) allowed write/delete.

Fix. Return the deduped union of authenticated and matching groups permissions when the user is in a group, so the two rule types are additive. The existing group-key lookup (access.includes(groups)) is preserved to minimize behavioral risk.

No public API changes; behavior change is confined to how per-location permissions are derived for authenticated users in a Cognito group.

Issue #, if available

Fixes aws-amplify/amplify-ui#6930

Description of how you validated changes

• Updated the two existing tests in resolveLocationsForCurrentSession.test.ts whose assertions encoded the old (buggy) override behavior:
• 'should generate locations correctly when tokens are true & userGroup' now also expects path1/* (from authenticated) alongside path2/* (from groupsadmin), proving
  Issue 2's union semantics.
• 'should return empty locations when tokens are true & bad userGroup' now expects path1/* to remain visible via authenticated, proving Issue 1 is fixed (folders no
  longer vanish when a group is set but no group rule matches).
• Added one regression test: authenticated + group permissions merge as a deduped union on the same path.
• Ran the affected suites locally:

npx jest --rootDir packages/storage \
  __tests__/internals/apis/listPaths/resolveLocationsForCurrentSession.test.ts \
  __tests__/internals/apis/listPaths/listPaths.test.ts
# Test Suites: 2 passed, 2 total
# Tests:       10 passed, 10 total

• listPaths.test.ts mocks resolveLocationsForCurrentSession, so its contract is unaffected — confirmed passing.

• Pre-commit eslint --fix on both changed files passed with no modifications.

  Checklist

• PR description included

• yarn test passes (ran Jest for the affected packages/storage suites; 10/10 passing)

• Unit Tests are changed or added (2 existing assertions corrected + 1 new regression test)

• Relevant documentation is changed or added (and PR referenced) — N/A: internal helper behavior fix, no public API or documented behavior change

  Checklist for repo maintainers

• Verify E2E tests for existing workflows are working as expected or add E2E tests for newly added workflows

• New source file paths included in this PR have been added to CODEOWNERS, if appropriate — no new source file paths added

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[changeset-bot]

🦋 Changeset detected

Latest commit: 871af03

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@aws-amplify/storage	Patch
@aws-amplify/predictions	Patch
aws-amplify	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR