rocket-admin · Artuomka · May 5, 2026 · May 5, 2026 · May 5, 2026
diff --git a/backend/src/entities/cedar-authorization/cedar-action-map.ts b/backend/src/entities/cedar-authorization/cedar-action-map.ts
@@ -1,6 +1,7 @@
 export enum CedarAction {
 	ConnectionRead = 'connection:read',
 	ConnectionEdit = 'connection:edit',
+	ConnectionDiagram = 'connection:diagram',
 	GroupRead = 'group:read',
 	GroupEdit = 'group:edit',
 	TableRead = 'table:read',

diff --git a/backend/src/entities/cedar-authorization/cedar-policy-generator.ts b/backend/src/entities/cedar-authorization/cedar-policy-generator.ts
@@ -23,6 +23,9 @@ export function generateCedarPolicyForGroup(
 		policies.push(
 			`permit(\n  principal,\n  action == RocketAdmin::Action::"connection:edit",\n  resource == ${connectionRef}\n);`,
 		);
+		policies.push(
+			`permit(\n  principal,\n  action == RocketAdmin::Action::"connection:diagram",\n  resource == ${connectionRef}\n);`,
+		);
 	} else if (connAccess === AccessLevelEnum.readonly) {
 		policies.push(
 			`permit(\n  principal,\n  action == RocketAdmin::Action::"connection:read",\n  resource == ${connectionRef}\n);`,

diff --git a/backend/src/entities/cedar-authorization/cedar-policy-parser.ts b/backend/src/entities/cedar-authorization/cedar-policy-parser.ts
@@ -50,6 +50,11 @@ export function parseCedarPolicyToClassicalPermissions(
 			case 'connection:edit':
 				result.connection.accessLevel = AccessLevelEnum.edit;
 				break;
+			case 'connection:diagram':
+				if (result.connection.accessLevel === AccessLevelEnum.none) {
+					result.connection.accessLevel = AccessLevelEnum.readonly;
+				}
+				break;
 			case 'group:read':
 				if (result.group.accessLevel === AccessLevelEnum.none) {
 					result.group.accessLevel = AccessLevelEnum.readonly;

diff --git a/backend/src/entities/cedar-authorization/cedar-schema.json b/backend/src/entities/cedar-authorization/cedar-schema.json
@@ -59,6 +59,12 @@
 					"resourceTypes": ["Connection"]
 				}
 			},
+			"connection:diagram": {
+				"appliesTo": {
+					"principalTypes": ["User"],
+					"resourceTypes": ["Connection"]
+				}
+			},
 			"group:read": {
 				"appliesTo": {
 					"principalTypes": ["User"],

diff --git a/backend/src/entities/cedar-authorization/cedar-schema.ts b/backend/src/entities/cedar-authorization/cedar-schema.ts
@@ -68,6 +68,12 @@ export const CEDAR_SCHEMA = {
 					resourceTypes: ['Connection'],
 				},
 			},
+			'connection:diagram': {
+				appliesTo: {
+					principalTypes: ['User'],
+					resourceTypes: ['Connection'],
+				},
+			},
 			'group:read': {
 				appliesTo: {
 					principalTypes: ['User'],

diff --git a/backend/src/entities/connection/connection.controller.ts b/backend/src/entities/connection/connection.controller.ts
@@ -27,6 +27,7 @@ import { AmplitudeEventTypeEnum } from '../../enums/amplitude-event-type.enum.js
 import { InTransactionEnum } from '../../enums/in-transaction.enum.js';
 import { Messages } from '../../exceptions/text/messages.js';
 import { processExceptionMessage } from '../../exceptions/utils/process-exception-message.js';
+import { ConnectionDiagramGuard } from '../../guards/connection-diagram.guard.js';
 import { ConnectionEditGuard } from '../../guards/connection-edit.guard.js';
 import { ConnectionReadGuard } from '../../guards/connection-read.guard.js';
 import { isConnectionTypeAgent } from '../../helpers/is-connection-entity-agent.js';
@@ -735,7 +736,7 @@ export class ConnectionController {
 		status: 200,
 		type: ConnectionDiagramResponseDTO,
 	})
-	@UseGuards(ConnectionEditGuard)
+	@UseGuards(ConnectionDiagramGuard)
 	@Get('/connection/diagram/:connectionId')
 	async getConnectionDiagram(
 		@SlugUuid('connectionId') connectionId: string,

diff --git a/backend/src/guards/connection-diagram.guard.ts b/backend/src/guards/connection-diagram.guard.ts
@@ -0,0 +1,43 @@
+import { BadRequestException, CanActivate, ExecutionContext, ForbiddenException, Injectable } from '@nestjs/common';
+import { Observable } from 'rxjs';
+import { IRequestWithCognitoInfo } from '../authorization/cognito-decoded.interface.js';
+import { CedarAction } from '../entities/cedar-authorization/cedar-action-map.js';
+import { CedarAuthorizationService } from '../entities/cedar-authorization/cedar-authorization.service.js';
+import { Messages } from '../exceptions/text/messages.js';
+import { ValidationHelper } from '../helpers/validators/validation-helper.js';
+import { validateUuidByRegex } from './utils/validate-uuid-by-regex.js';
+
+@Injectable()
+export class ConnectionDiagramGuard implements CanActivate {
+	constructor(private readonly cedarAuthService: CedarAuthorizationService) {}
+
+	canActivate(context: ExecutionContext): boolean | Promise<boolean> | Observable<boolean> {
+		return new Promise(async (resolve, reject) => {
+			const request: IRequestWithCognitoInfo = context.switchToHttp().getRequest();
+			const cognitoUserName = request.decoded.sub;
+			let connectionId: string = request.query.connectionId;
+			if (!connectionId || (!validateUuidByRegex(connectionId) && !ValidationHelper.isValidNanoId(connectionId))) {
+				connectionId = request.params?.slug || request.params?.connectionId;
+			}
+			if (!connectionId || (!validateUuidByRegex(connectionId) && !ValidationHelper.isValidNanoId(connectionId))) {
+				reject(new BadRequestException(Messages.CONNECTION_ID_MISSING));
+				return;
+			}
+
+			try {
+				const allowed = await this.cedarAuthService.validate({
+					userId: cognitoUserName,
+					action: CedarAction.ConnectionDiagram,
+					connectionId,
+				});
+				if (allowed) {
+					resolve(true);
+					return;
+				}
+				reject(new ForbiddenException(Messages.DONT_HAVE_PERMISSIONS));
+			} catch (e) {
+				reject(e);
+			}
+		});
+	}
+}
diff --git a/backend/test/ava-tests/non-saas-tests/non-saas-cedar-policy-generator.test.ts b/backend/test/ava-tests/non-saas-tests/non-saas-cedar-policy-generator.test.ts
@@ -25,7 +25,7 @@ test('isMain=true generates a single wildcard permit', (t) => {
 	t.is(permits.length, 1);
 });
 
-test('connection:edit generates ONLY connection:read + connection:edit (not wildcard)', (t) => {
+test('connection:edit generates ONLY connection:read + connection:edit + connection:diagram (not wildcard)', (t) => {
 	const result = generateCedarPolicyForGroup(
 		connectionId,
 		false,
@@ -35,6 +35,7 @@ test('connection:edit generates ONLY connection:read + connection:edit (not wild
 	);
 	t.true(result.includes('action == RocketAdmin::Action::"connection:read"'));
 	t.true(result.includes('action == RocketAdmin::Action::"connection:edit"'));
+	t.true(result.includes('action == RocketAdmin::Action::"connection:diagram"'));
 	// Must NOT contain wildcard `action,` on its own line (which would grant table access)
 	t.false(result.includes('action,\n  resource\n'));
 	// Must NOT contain table actions
@@ -43,7 +44,7 @@ test('connection:edit generates ONLY connection:read + connection:edit (not wild
 	t.false(result.includes('table:edit'));
 	t.false(result.includes('table:delete'));
 	const permits = result.match(/permit\(/g);
-	t.is(permits.length, 2);
+	t.is(permits.length, 3);
 });
 
 test('connection:readonly generates only connection:read', (t) => {