Add support for custom roles and role permissions management in pgAdmin. #7310

Author: adityatoshniwal

docs/en_US/images/add_role.png

@@ -12,7 +12,7 @@ When you authenticate with pgAdmin, the server definitions associated with that
 login role are made available in the tree control.
 
 Users Tab
-*******************
+*********
 An administrative user can use the *Users* tab to:
 
 * manage pgAdmin users
@@ -21,7 +21,7 @@ An administrative user can use the *Users* tab to:
 * deactivate user
 * unlock a locked user
 
-.. image:: images/user.png
+.. image:: images/users.png
     :alt: pgAdmin user management window
     :align: center
 
@@ -78,6 +78,60 @@ users, but otherwise have the same capabilities as those with the *User* role.
 * Click the *Help* button (?) to access online help.
 
 
+Roles Tab
+*********
+An administrative user can use the *Roles* tab to:
+
+* manage pgAdmin roles
+* delete roles
+
+.. image:: images/roles.png
+  :alt: pgAdmin roles management window
+  :align: center
+
+Use the *Search* field to specify criteria and review a list of roles
+that match the specified criteria. You can enter a value that matches
+the following criteria types: *Role Name* or *Description*.
+
+To add a role, click the Add (+) button at the top left corner. It will open a
+dialog where you can fill in details for the new role.
+
+.. image:: images/add_role.png
+  :alt: pgAdmin roles management window add new role
+  :align: center
+
+Provide information about the new pgAdmin role in the row:
+
+* Use the *Role Name* field to specify a unique name for the role.
+* Use the *Description* field to provide a brief description of the role.
+
+To delete a role, click the trash icon to the left of the row and confirm deletion
+in the *Delete role?* dialog. If the role is associated with any users or resources,
+you may need to reassign those associations before deletion.
+
+Roles allow administrators to group privileges and assign them to users more efficiently.
+This helps in managing permissions and access control within the pgAdmin client.
+
+* Click the *Refresh* button to get the latest roles list.
+* Click the *Help* button (?) to access online help.
+
+
+Permissions Tab
+***************
+An administrative user can use the *Permissions* tab to manage pgAdmin permissions for 
+a role.
+
+.. image:: images/permissions.png
+  :alt: pgAdmin permissions management window
+  :align: center
+
+* Filter permissions using the *Search* field by entering names that match the list.
+* Administrators can select permissions from the list of available permissions, and
+  choose to grant or revoke these permissions for specific roles.
+* The permissions are applied to the selected role immediately.
+
+
+
 Using 'setup.py' command line script
 ####################################
 

docs/en_US/images/permissions.png

@@ -0,0 +1,36 @@
+
+"""empty message
+
+Revision ID: 89b20ef0d04d
+Revises: e982c040d9b5
+Create Date: 2025-03-21 13:55:44.614151
+
+"""
+import sqlalchemy as sa
+from alembic import op
+from pgadmin.tools.user_management.PgPermissions import AllPermissionTypes
+# revision identifiers, used by Alembic.
+revision = '89b20ef0d04d'
+down_revision = 'e982c040d9b5'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.add_column('role', sa.Column('permissions', sa.Text()))
+
+    # get metadata from current connection
+    meta = sa.MetaData()
+    # define table representation
+    meta.reflect(op.get_bind(), only=('role',))
+    role_table = sa.Table('role', meta)
+
+    from pgadmin.tools.user_management.PgPermissions import AllPermissionTypes
+    op.execute(
+        role_table.update().where(role_table.c.name == 'User')
+        .values(permissions=",".join(AllPermissionTypes.__dict__.keys())))
+
+
+def downgrade():
+    # pgAdmin only upgrades, downgrade not implemented.
+    pass

docs/en_US/images/roles.png

@@ -349,6 +349,8 @@ def get_locale():
         app.config['SECURITY_MSG_INVALID_PASSWORD'] = \
         (gettext("Incorrect username or password."), "error")
     app.config['SECURITY_PASSWORD_LENGTH_MIN'] = config.PASSWORD_LENGTH_MIN
+    app.config['SECURITY_MSG_UNAUTHORIZED'] = \
+        (gettext("You do not have permission to this resource."), "error")
 
     # Create database connection object and mailer
     db.init_app(app)

docs/en_US/images/user.png

@@ -13,7 +13,7 @@
 from flask import render_template, request, make_response, jsonify, \
     current_app, url_for, session
 from flask_babel import gettext
-from flask_security import current_user
+from flask_security import current_user, permissions_required
 from pgadmin.user_login_check import pga_login_required
 from psycopg.conninfo import make_conninfo, conninfo_to_dict
 
@@ -24,6 +24,7 @@
 from pgadmin.utils.crypto import encrypt, decrypt, pqencryptpassword
 from pgadmin.utils.menu import MenuItem
 from pgadmin.tools.sqleditor.utils.query_history import QueryHistory
+from pgadmin.tools.user_management.PgPermissions import AllPermissionTypes
 
 import config
 from config import PG_DEFAULT_DRIVER
@@ -1080,6 +1081,7 @@ def update_connection_string(manager, server):
         display_conn_string = make_conninfo(**con_info_ord)
         return display_conn_string
 
+    @permissions_required(AllPermissionTypes.object_register_server)
     @pga_login_required
     def create(self, gid):
         """Add a server node to the settings database"""

docs/en_US/images/users.png

@@ -81,7 +81,7 @@ define('pgadmin.node.server', [
           name: 'create_server_on_sg', node: 'server_group', module: this,
           applies: ['object', 'context'], callback: 'show_obj_properties',
           category: 'register', priority: 1, label: gettext('Server...'),
-          data: {action: 'create'}, enable: 'canCreate',
+          data: {action: 'create'}, enable: 'canCreate', permission: 'object_register_server'
         },{
           name: 'disconnect_all_servers', node: 'server_group', module: this,
           applies: ['object','context'], callback: 'disconnect_all_servers',
@@ -91,7 +91,7 @@ define('pgadmin.node.server', [
           name: 'create_server', node: 'server', module: this,
           applies: ['object', 'context'], callback: 'show_obj_properties',
           category: 'register', priority: 3, label: gettext('Server...'),
-          data: {action: 'create'}, enable: 'canCreate',
+          data: {action: 'create'}, enable: 'canCreate', permission: 'object_register_server'
         },{
           name: 'connect_server', node: 'server', module: this,
           applies: ['object', 'context'], callback: 'connect_server',