Merge pull request #83 from unisoncomputing/cp/update-project-permissions

ChrisPenner · web-flow · commit 03c2f36ae8bb · 2025-05-28T14:10:02.000-07:00
Update all old project permissions filters
diff --git a/sql/2025-05-27_project-access.sql b/sql/2025-05-27_project-access.sql
@@ -0,0 +1,28 @@
+-- Function to check whether caller has access to a given project permission
+-- If the user_id is NULL, it returns TRUE for public projects
+CREATE FUNCTION user_has_project_permission(
+  user_id UUID,
+  project_id UUID,
+  permission permission
+) 
+RETURNS BOOLEAN
+STABLE
+PARALLEL SAFE
+AS $$
+  SELECT EXISTS (
+    SELECT
+    FROM user_resource_permissions urp
+    JOIN projects p ON urp.resource_id = p.resource_id
+    WHERE (urp.user_id IS NULL OR urp.user_id = $1)
+      AND p.id = $2
+      AND urp.permission = $3
+  );
+$$ LANGUAGE SQL;
+
+-- DEPLOY NEW APP CODE HERE
+
+-- Remove old project access management system
+-- We need to replace these with the new permissions system.
+DROP VIEW accessible_private_projects;
+DROP TABLE project_maintainers;
+
diff --git a/src/Share/Postgres/Causal/Queries.hs b/src/Share/Postgres/Causal/Queries.hs
@@ -56,6 +56,7 @@ import Share.Postgres.Serialization qualified as S
 import Share.Postgres.Sync.Conversions qualified as Cv
 import Share.Prelude
 import Share.Utils.Postgres (OrdBy, ordered)
+import Share.Web.Authorization.Types (RolePermission (..))
 import Share.Web.Errors (MissingExpectedEntity (MissingExpectedEntity))
 import U.Codebase.Branch hiding (NamespaceStats, nonEmptyChildren)
 import U.Codebase.Branch qualified as V2 hiding (NamespaceStats)
@@ -936,33 +937,20 @@ importAccessibleCausals causalHashes = do
               JOIN causals ON causal_hashes.hash = causals.hash
               -- Ignore any causals that the codebase owner already has.
               WHERE NOT EXISTS (SELECT FROM causal_ownership co WHERE co.causal_id = causals.id AND co.user_id = #{codebaseOwnerUserId})
-            ), all_accessible_projects(owner, project_id) AS (
-              (SELECT private_project.owner_user_id AS owner, private_project.project_id
-                FROM accessible_private_projects private_project
-                  WHERE private_project.user_id = #{codebaseOwnerUserId}
-              ) UNION ALL
-              (SELECT public_project.owner_user_id AS owner, public_project.id AS project_id
-                FROM projects public_project
-                  WHERE NOT public_project.private
-              )
             ), copyable_causals(causal_id, causal_hash, project_owner, created_at) AS (
-                 SELECT cti.causal_id AS causal_id, cti.hash, project.owner, release.created_at
+                 SELECT cti.causal_id AS causal_id, cti.hash, project.owner_user_id, release.created_at
                    FROM causals_to_import cti
                      JOIN project_releases release ON release.squashed_causal_id = cti.causal_id
-                     JOIN all_accessible_projects project ON project.project_id = release.project_id
-                     -- This extra guarantee is required by the codebase migration from sqlite
-                     -- to PG, but doesn't hurt to keep around.
-                     JOIN causal_ownership ownership ON ownership.causal_id = cti.causal_id
-                     WHERE ownership.user_id = project.owner
+                     JOIN projects project ON project.id = release.project_id
+                   -- The caller must have permission to the view the project containing the causal
+                   WHERE user_has_project_permission(#{codebaseOwnerUserId}, release.project_id, #{ProjectView})
                UNION ALL
-                 SELECT cti.causal_id AS causal_id, cti.hash, project.owner, branch.created_at
+                 SELECT cti.causal_id AS causal_id, cti.hash, project.owner_user_id, branch.created_at
                    FROM causals_to_import cti
                      JOIN project_branches branch ON branch.causal_id = cti.causal_id
-                     JOIN all_accessible_projects project ON project.project_id = branch.project_id
-                     -- This extra guarantee is required by the codebase migration from sqlite
-                     -- to PG, but doesn't hurt to keep around.
-                     JOIN causal_ownership ownership ON ownership.causal_id = cti.causal_id
-                     WHERE ownership.user_id = project.owner
+                     JOIN projects project ON project.id = branch.project_id
+                   -- The caller must have permission to the view the project containing the causal
+                   WHERE user_has_project_permission(#{codebaseOwnerUserId}, branch.project_id, #{ProjectView})
             )
             -- Get only the first release (by created at) for each causal
             SELECT DISTINCT ON (copyable.causal_id) copyable.causal_id, copyable.project_owner
diff --git a/src/Share/Postgres/Contributions/Queries.hs b/src/Share/Postgres/Contributions/Queries.hs
@@ -37,6 +37,7 @@ import Share.Postgres.Comments.Queries (commentsByTicketOrContribution)
 import Share.Postgres.IDs
 import Share.Prelude
 import Share.Utils.API
+import Share.Web.Authorization.Types (RolePermission (..))
 import Share.Web.Errors
 import Share.Web.Share.Contributions.API (ContributionTimelineCursor, ListContributionsCursor)
 import Share.Web.Share.Contributions.Types
@@ -304,13 +305,7 @@ listContributionsByUserId callerUserId userId limit mayCursor mayStatusFilter ma
         JOIN projects AS project ON project.id = contribution.project_id
       WHERE
         contribution.author_id = #{userId}
-        AND NOT project.private
-          OR EXISTS (
-            SELECT FROM accessible_private_projects ap
-            WHERE
-              ap.user_id = #{callerUserId}
-              AND ap.project_id = project.id
-          )
+        AND user_has_project_permission(#{callerUserId}, project.id, #{ProjectView})
         AND (#{mayStatusFilter} IS NULL OR contribution.status = #{mayStatusFilter})
         AND ^{cursorFilter}
         AND ^{kindFilter}
diff --git a/src/Share/Postgres/Queries.hs b/src/Share/Postgres/Queries.hs
@@ -33,6 +33,7 @@ import Share.Ticket (TicketStatus)
 import Share.Ticket qualified as Ticket
 import Share.User
 import Share.Utils.API
+import Share.Web.Authorization.Types (RolePermission (..))
 import Share.Web.Errors (EntityMissing (EntityMissing), ErrorID (..))
 import Share.Web.Share.Branches.Types (BranchKindFilter (..))
 import Share.Web.Share.Projects.Types (ContributionStats (..), DownloadStats (..), FavData, ProjectOwner, TicketStats (..))
@@ -150,7 +151,7 @@ searchProjects caller (Just userId) (Query "") limit = do
       FROM projects p
         JOIN users owner ON p.owner_user_id = owner.id
       WHERE p.owner_user_id = #{userId}
-        AND ((NOT p.private) OR (#{caller} IS NOT NULL AND EXISTS (SELECT FROM accessible_private_projects WHERE user_id = #{caller} AND project_id = p.id)))
+        AND user_has_project_permission(#{caller}, p.id, #{ProjectView})
       ORDER BY p.created_at DESC
       LIMIT #{limit}
       |]
@@ -171,8 +172,8 @@ searchProjects caller userIdFilter (Query query) limit = do
       FROM to_tsquery('english', #{queryToken}) AS tokenquery, projects AS p
         JOIN users AS owner ON p.owner_user_id = owner.id
       WHERE (tokenquery @@ p.project_text_document OR p.slug ILIKE ('%' || like_escape(#{query}) || '%'))
-      AND (NOT p.private OR (#{caller} IS NOT NULL AND EXISTS (SELECT FROM accessible_private_projects WHERE user_id = #{caller} AND project_id = p.id)))
       AND (#{userIdFilter} IS NULL OR p.owner_user_id = #{userIdFilter})
+      AND user_has_project_permission(#{caller}, p.id, #{ProjectView})
       ORDER BY
         p.slug = #{query} DESC,
         -- Prefer prefix matches
@@ -278,12 +279,7 @@ listProjectsByUserWithMetadata callerUserId projectOwnerUserId = do
         FROM projects p
           JOIN users owner ON owner.id = p.owner_user_id
         WHERE p.owner_user_id = #{projectOwnerUserId}
-          AND (EXISTS (SELECT FROM accessible_private_projects accessible
-                      WHERE accessible.user_id = #{callerUserId}
-                        AND accessible.project_id = p.id
-                     )
-                OR NOT p.private
-              )
+          AND user_has_project_permission(#{callerUserId}, p.id, #{ProjectView})
         ORDER BY p.created_at DESC
       |]
   where
@@ -881,23 +877,6 @@ listContributorBranchesOfUserAccessibleToCaller contributorUserId mayCallerUserI
   let projectFilter = case mayProjectId of
         Nothing -> mempty
         Just projId -> [PG.sql| AND b.project_id = #{projId} |]
-  let callerFilter = case mayCallerUserId of
-        Just callerUserId ->
-          -- See any projects that are public or that the caller has access to.
-          ( [PG.sql| AND (
-                NOT project.private
-                OR EXISTS (
-                  SELECT FROM accessible_private_projects ap
-                  WHERE
-                    ap.user_id = #{callerUserId}
-                    AND ap.project_id = project.id
-                  )
-                )
-          |]
-          )
-        Nothing ->
-          -- No caller auth means they only see public projects
-          [PG.sql| AND NOT project.private |]
   let sql =
         intercalateMap
           "\n"
@@ -930,11 +909,11 @@ listContributorBranchesOfUserAccessibleToCaller contributorUserId mayCallerUserI
         WHERE
           b.deleted_at IS NULL
           AND b.contributor_id = #{contributorUserId}
+          AND user_has_project_permission(#{mayCallerUserId}, b.project_id, #{ProjectView})
           |],
             branchNameFilter,
             cursorFilter,
             projectFilter,
-            callerFilter,
             [PG.sql|
         ORDER BY b.updated_at DESC, b.id DESC
         LIMIT #{limit}
diff --git a/src/Share/Postgres/Search/DefinitionSearch/Queries.hs b/src/Share/Postgres/Search/DefinitionSearch/Queries.hs
@@ -31,6 +31,7 @@ import Share.Postgres.Notifications qualified as Notif
 import Share.Prelude
 import Share.Utils.API (Limit, Query (Query))
 import Share.Utils.Logging qualified as Logging
+import Share.Web.Authorization.Types (RolePermission (..))
 import Share.Web.Errors qualified as Errors
 import Unison.DataDeclaration qualified as DD
 import Unison.Name (Name)
@@ -289,7 +290,8 @@ defNameCompletionSearch mayCaller mayFilter (Query query) limit = do
         WHERE
           -- Find names which contain the query
           doc.name ILIKE ('%.' || like_escape(#{query}) || '%')
-        AND (NOT p.private OR (#{mayCaller} IS NOT NULL AND EXISTS (SELECT FROM accessible_private_projects pp WHERE pp.user_id = #{mayCaller} AND pp.project_id = p.id)))
+
+        AND user_has_project_permission(#{mayCaller}, p.id, #{ProjectView})
           ^{filters}
       ) SELECT r.name, r.tag FROM results r
         -- Docs and tests to the bottom, then
@@ -359,7 +361,7 @@ definitionTokenSearch mayCaller mayFilter limit searchTokens preferredArity = do
         WHERE
           -- match on search tokens using GIN index.
           tsquery(#{tsQueryText}) @@ doc.search_tokens
-        AND (NOT p.private OR (#{mayCaller} IS NOT NULL AND EXISTS (SELECT FROM accessible_private_projects pp WHERE pp.user_id = #{mayCaller} AND pp.project_id = p.id)))
+        AND user_has_project_permission(#{mayCaller}, p.id, #{ProjectView})
         AND (#{preferredArity} IS NULL OR doc.arity >= #{preferredArity})
           ^{filters}
           ^{namesFilter}
@@ -397,7 +399,7 @@ definitionNameSearch mayCaller mayFilter limit (Query query) = do
         WHERE
           -- We may wish to adjust the similarity threshold before the query.
           #{query} <% doc.name
-        AND (NOT p.private OR (#{mayCaller} IS NOT NULL AND EXISTS (SELECT FROM accessible_private_projects pp WHERE pp.user_id = #{mayCaller} AND pp.project_id = p.id)))
+        AND user_has_project_permission(#{mayCaller}, p.id, #{ProjectView})
           ^{filters}
         -- Score matches by:
         -- - projects in the catalog
diff --git a/src/Share/Postgres/Tickets/Queries.hs b/src/Share/Postgres/Tickets/Queries.hs
@@ -26,6 +26,7 @@ import Share.Postgres qualified as PG
 import Share.Prelude
 import Share.Ticket (Ticket (..), TicketStatus)
 import Share.Utils.API
+import Share.Web.Authorization.Types (RolePermission (..))
 import Share.Web.Errors
 import Share.Web.Share.Comments
 import Share.Web.Share.Tickets.API
@@ -313,13 +314,7 @@ listTicketsByUserId callerUserId userId limit mayCursor mayStatusFilter = do
         JOIN projects AS project ON project.id = ticket.project_id
       WHERE
         ticket.author_id = #{userId}
-        AND NOT project.private
-          OR EXISTS (
-            SELECT FROM accessible_private_projects ap
-            WHERE
-              ap.user_id = #{callerUserId}
-              AND ap.project_id = project.id
-          )
+        AND user_has_project_permission(#{callerUserId}, project.id, #{ProjectView})
         AND (#{mayStatusFilter} IS NULL OR ticket.status = #{mayStatusFilter}::ticket_status)
         AND ^{cursorFilter}
       ORDER BY ticket.updated_at DESC, ticket.id DESC
diff --git a/transcripts/share-apis/project-maintainers/read-maintainer-project-list-after.json b/transcripts/share-apis/project-maintainers/read-maintainer-project-list-after.json
@@ -0,0 +1,39 @@
+{
+  "body": [
+    {
+      "createdAt": "<TIMESTAMP>",
+      "isFaved": false,
+      "numFavs": 1,
+      "owner": {
+        "handle": "@test",
+        "name": null,
+        "type": "user"
+      },
+      "slug": "publictestproject",
+      "summary": "test project summary",
+      "tags": [],
+      "updatedAt": "<TIMESTAMP>",
+      "visibility": "public"
+    },
+    {
+      "createdAt": "<TIMESTAMP>",
+      "isFaved": false,
+      "numFavs": 0,
+      "owner": {
+        "handle": "@test",
+        "name": null,
+        "type": "user"
+      },
+      "slug": "privatetestproject",
+      "summary": "private summary",
+      "tags": [],
+      "updatedAt": "<TIMESTAMP>",
+      "visibility": "private"
+    }
+  ],
+  "status": [
+    {
+      "status_code": 200
+    }
+  ]
+}
diff --git a/transcripts/share-apis/project-maintainers/read-maintainer-project-list-before.json b/transcripts/share-apis/project-maintainers/read-maintainer-project-list-before.json
@@ -0,0 +1,24 @@
+{
+  "body": [
+    {
+      "createdAt": "<TIMESTAMP>",
+      "isFaved": false,
+      "numFavs": 1,
+      "owner": {
+        "handle": "@test",
+        "name": null,
+        "type": "user"
+      },
+      "slug": "publictestproject",
+      "summary": "test project summary",
+      "tags": [],
+      "updatedAt": "<TIMESTAMP>",
+      "visibility": "public"
+    }
+  ],
+  "status": [
+    {
+      "status_code": 200
+    }
+  ]
+}
diff --git a/transcripts/share-apis/project-maintainers/read-maintainer-project-search-after.json b/transcripts/share-apis/project-maintainers/read-maintainer-project-search-after.json
@@ -0,0 +1,15 @@
+{
+  "body": [
+    {
+      "projectRef": "@test/privatetestproject",
+      "summary": "private summary",
+      "tag": "project",
+      "visibility": "private"
+    }
+  ],
+  "status": [
+    {
+      "status_code": 200
+    }
+  ]
+}
diff --git a/transcripts/share-apis/project-maintainers/read-maintainer-project-search-before.json b/transcripts/share-apis/project-maintainers/read-maintainer-project-search-before.json
@@ -0,0 +1,8 @@
+{
+  "body": [],
+  "status": [
+    {
+      "status_code": 200
+    }
+  ]
+}
diff --git a/transcripts/share-apis/project-maintainers/run.zsh b/transcripts/share-apis/project-maintainers/run.zsh
@@ -15,6 +15,11 @@ fetch "$unauthorized_user" PATCH non-maintainer-private-project-update '/users/t
     "summary": "update"
 }'
 
+
+# Before adding permissions Project viewer should NOT see the private project in the owner's project list and search
+fetch "$read_user" GET read-maintainer-project-list-before '/users/test/projects'
+fetch "$read_user" GET read-maintainer-project-search-before '/search?query=%40private'
+
 fetch "$test_user" POST add-roles '/users/test/projects/privatetestproject/roles' "
 {
     \"role_assignments\": 
@@ -55,6 +60,10 @@ fetch "$test_user" POST owner-ticket-create '/users/test/projects/privatetestpro
 # Project viewer can view the project
 fetch "$read_user" GET read-maintainer-project-view '/users/test/projects/privatetestproject'
 
+# Project viewer should see the private project in the owner's project list and search
+fetch "$read_user" GET read-maintainer-project-list-after '/users/test/projects'
+fetch "$read_user" GET read-maintainer-project-search-after '/search?query=%40private'
+
 # Contributor user should be able to create tickets
 fetch "$contributor_user" POST contributor-maintainer-ticket-create '/users/test/projects/privatetestproject/tickets' '{
     "title": "Ticket 2",
