Add support for custom roles and role permissions management in pgAdmin. #7310

Author: adityatoshniwal

docs/en_US/images/add_role.png

@@ -12,7 +12,7 @@ When you authenticate with pgAdmin, the server definitions associated with that
 login role are made available in the tree control.
 
 Users Tab
-*******************
+*********
 An administrative user can use the *Users* tab to:
 
 * manage pgAdmin users
@@ -21,7 +21,7 @@ An administrative user can use the *Users* tab to:
 * deactivate user
 * unlock a locked user
 
-.. image:: images/user.png
+.. image:: images/users.png
     :alt: pgAdmin user management window
     :align: center
 
@@ -78,6 +78,60 @@ users, but otherwise have the same capabilities as those with the *User* role.
 * Click the *Help* button (?) to access online help.
 
 
+Roles Tab
+*********
+An administrative user can use the *Roles* tab to:
+
+* manage pgAdmin roles
+* delete roles
+
+.. image:: images/roles.png
+  :alt: pgAdmin roles management window
+  :align: center
+
+Use the *Search* field to specify criteria and review a list of roles
+that match the specified criteria. You can enter a value that matches
+the following criteria types: *Role Name* or *Description*.
+
+To add a role, click the Add (+) button at the top left corner. It will open a
+dialog where you can fill in details for the new role.
+
+.. image:: images/add_role.png
+  :alt: pgAdmin roles management window add new role
+  :align: center
+
+Provide information about the new pgAdmin role in the row:
+
+* Use the *Name* field to specify a unique name for the role.
+* Use the *Description* field to provide a brief description of the role.
+
+To delete a role, click the trash icon to the left of the row and confirm deletion
+in the *Delete role?* dialog. If the role is associated with any users or resources,
+you may need to reassign those associations before deletion.
+
+Roles allow administrators to group privileges and assign them to users more efficiently.
+This helps in managing permissions and access control within the pgAdmin client.
+
+* Click the *Refresh* button to get the latest roles list.
+* Click the *Help* button (?) to access online help.
+
+
+Permissions Tab
+***************
+An administrative user can use the *Permissions* tab to manage pgAdmin permissions for 
+a role.
+
+.. image:: images/permissions.png
+  :alt: pgAdmin permissions management window
+  :align: center
+
+* Filter permissions using the *Search* field by entering names that match the list.
+* Administrators can select permissions from the list of available permissions, and
+  choose to grant or revoke these permissions for specific roles.
+* The permissions are applied to the selected role immediately.
+
+
+
 Using 'setup.py' command line script
 ####################################
 
@@ -108,10 +162,11 @@ email and password. role and active will be optional fields.
 
     /path/to/python /path/to/setup.py add-user user1@gmail.com password
 
-    # to specify a role, admin and non-admin users:
+    # to specify a role, either you can use --admin for Administrator role or provide the
+    # role using --role. If both are provided --admin will be used:
 
     /path/to/python /path/to/setup.py add-user user1@gmail.com password --admin
-    /path/to/python /path/to/setup.py add-user user1@gmail.com password --nonadmin
+    /path/to/python /path/to/setup.py add-user user1@gmail.com password --role Users
 
     # to specify user's status
 
@@ -132,10 +187,11 @@ followed by email, password and authentication source. email, role and status wi
 
     /path/to/python /path/to/setup.py add-external-user ldapuser ldap --email user1@gmail.com
 
-    # to specify a role, admin and non-admin user:
+    # to specify a role, either you can use --admin for Administrator role or provide the
+    # role using --role. If both are provided --admin will be used:
 
     /path/to/python /path/to/setup.py add-external-user ldapuser ldap  --admin
-    /path/to/python /path/to/setup.py add-external-user ldapuser ldap  --nonadmin
+    /path/to/python /path/to/setup.py add-external-user ldapuser ldap  --role Users
 
     # to specify user's status
 
@@ -152,10 +208,11 @@ email address. password, role and active are updatable fields.
 
     /path/to/python /path/to/setup.py update-user user1@gmail.com --password new-password
 
-    # to specify a role, admin and non-admin user:
+    # to specify a role, either you can use --admin for Administrator role or provide the
+    # role using --role. If both are provided --admin will be used:
 
-    /path/to/python /path/to/setup.py update-user user1@gmail.com password --role --admin
-    /path/to/python /path/to/setup.py update-user user1@gmail.com password --role --nonadmin
+    /path/to/python /path/to/setup.py update-user user1@gmail.com password --admin
+    /path/to/python /path/to/setup.py update-user user1@gmail.com password --role Users
 
     # to specify user's status
 
@@ -172,17 +229,18 @@ followed by username and auth source. email, password, role and active are updat
 
     # to change email address:
 
-    /path/to/python /path/to/setup.py update-external-user ldap ldapuser --email newemail@gmail.com
+    /path/to/python /path/to/setup.py update-external-user ldapuser --auth-source ldap --email newemail@gmail.com
 
-    # to specify a role, admin and non-admin user:
+    # to specify a role, either you can use --admin for Administrator role or provide the
+    # role using --role. If both are provided --admin will be used:
 
-    /path/to/python /path/to/setup.py update-user user1@gmail.com password --role --admin
-    /path/to/python /path/to/setup.py update-user user1@gmail.com password --role --nonadmin
+    /path/to/python /path/to/setup.py update-external-user user1@gmail.com password --role --admin
+    /path/to/python /path/to/setup.py update-external-user user1@gmail.com password --role --role Users
 
     # to change user's status
 
-   /path/to/python /path/to/setup.py update-user ldap ldapuser --active
-   /path/to/python /path/to/setup.py update-user ldap ldapuser --inactive
+   /path/to/python /path/to/setup.py update-user ldapuser --auth-source ldap --active
+   /path/to/python /path/to/setup.py update-user ldapuser --auth-source ldap --inactive
 
 Delete User
 ***********

docs/en_US/images/permissions.png

@@ -30,6 +30,20 @@ def upgrade():
                   sa.Column('db_res_type', sa.String(length=32),
                             server_default=RESTRICTION_TYPE_DATABASES))
 
+    # For adding custom role permissions
+    op.add_column('role', sa.Column('permissions', sa.Text()))
+
+    # get metadata from current connection
+    meta = sa.MetaData()
+    # define table representation
+    meta.reflect(op.get_bind(), only=('role',))
+    role_table = sa.Table('role', meta)
+
+    from pgadmin.tools.user_management.PgAdminPermissions import AllPermissionTypes
+    op.execute(
+        role_table.update().where(role_table.c.name == 'User')
+        .values(permissions=",".join(AllPermissionTypes.list())))
+
 
 def downgrade():
     # pgAdmin only upgrades, downgrade not implemented.

docs/en_US/images/roles.png

@@ -349,6 +349,8 @@ def get_locale():
         app.config['SECURITY_MSG_INVALID_PASSWORD'] = \
         (gettext("Incorrect username or password."), "error")
     app.config['SECURITY_PASSWORD_LENGTH_MIN'] = config.PASSWORD_LENGTH_MIN
+    app.config['SECURITY_MSG_UNAUTHORIZED'] = \
+        (gettext("Unauthorised access, permission denied."), "error")
 
     # Create database connection object and mailer
     db.init_app(app)

docs/en_US/images/user.png

@@ -13,7 +13,7 @@
 from flask import render_template, request, make_response, jsonify, \
     current_app, url_for, session
 from flask_babel import gettext
-from flask_security import current_user
+from flask_security import current_user, permissions_required
 from pgadmin.user_login_check import pga_login_required
 from psycopg.conninfo import make_conninfo, conninfo_to_dict
 
@@ -24,6 +24,7 @@
 from pgadmin.utils.crypto import encrypt, decrypt, pqencryptpassword
 from pgadmin.utils.menu import MenuItem
 from pgadmin.tools.sqleditor.utils.query_history import QueryHistory
+from pgadmin.tools.user_management.PgAdminPermissions import AllPermissionTypes
 
 import config
 from config import PG_DEFAULT_DRIVER
@@ -1081,6 +1082,7 @@ def update_connection_string(manager, server):
         display_conn_string = make_conninfo(**con_info_ord)
         return display_conn_string
 
+    @permissions_required(AllPermissionTypes.object_register_server)
     @pga_login_required
     def create(self, gid):
         """Add a server node to the settings database"""

docs/en_US/images/users.png

@@ -10,6 +10,7 @@
 import PGSchema from './schema.ui';
 import { getNodePrivilegeRoleSchema } from '../../../../static/js/privilege.ui';
 import { getNodeListByName } from '../../../../../../static/js/node_ajax';
+import { AllPermissionTypes } from '../../../../../../static/js/constants';
 
 define('pgadmin.node.schema', [
   'sources/gettext', 'sources/url_for',
@@ -64,7 +65,8 @@ define('pgadmin.node.schema', [
         },{
           name: 'generate_erd', node: 'schema', module: this,
           applies: ['object', 'context'], callback: 'generate_erd',
-          priority: 5, label: gettext('ERD For Schema')
+          priority: 5, label: gettext('ERD For Schema'),
+          permission: AllPermissionTypes.TOOLS_ERD_TOOL,
         }]);
       },
       can_create_schema: function(node) {