[SM-670] Add permission context to project lists. (#2822)

* Attach permission context to project lists. * restrict service-account actions * Fix project permission details * Add getters and setters * dotnet format * Fix admin create unassigned secret (#2872)
2026-02-24 08:33:06 +00:00 · 2023-04-26 13:09:25 -05:00
parent 9cbd0ac799
commit 20d3b4b4e8
30 changed files with 183 additions and 183 deletions
--- a/src/Api/SecretsManager/Controllers/AccessPoliciesController.cs
+++ b/src/Api/SecretsManager/Controllers/AccessPoliciesController.cs
@@ -249,14 +249,8 @@ public class AccessPoliciesController : Controller
        }

        var (accessClient, userId) = await GetAccessClientTypeAsync(project.OrganizationId);
-        var hasAccess = accessClient switch
-        {
-            AccessClientType.NoAccessCheck => true,
-            AccessClientType.User => await _projectRepository.UserHasWriteAccessToProject(project.Id, userId),
-            _ => false,
-        };
-
-        if (!hasAccess)
+        var access = await _projectRepository.AccessToProjectAsync(project.Id, userId, accessClient);
+        if (!access.Write || accessClient == AccessClientType.ServiceAccount)
        {
            throw new NotFoundException();
        }
--- a/src/Api/SecretsManager/Controllers/ProjectsController.cs
+++ b/src/Api/SecretsManager/Controllers/ProjectsController.cs
@@ -67,7 +67,9 @@ public class ProjectsController : Controller

        var userId = _userService.GetProperUserId(User).Value;
        var result = await _createProjectCommand.CreateAsync(createRequest.ToProject(organizationId), userId);
-        return new ProjectResponseModel(result);
+
+        // Creating a project means you have read & write permission.
+        return new ProjectResponseModel(result, true, true);
    }

    [HttpPut("projects/{id}")]
@@ -76,11 +78,13 @@ public class ProjectsController : Controller
        var userId = _userService.GetProperUserId(User).Value;

        var result = await _updateProjectCommand.UpdateAsync(updateRequest.ToProject(id), userId);
-        return new ProjectResponseModel(result);
+
+        // Updating a project means you have read & write permission.
+        return new ProjectResponseModel(result, true, true);
    }

    [HttpGet("projects/{id}")]
-    public async Task<ProjectPermissionDetailsResponseModel> GetAsync([FromRoute] Guid id)
+    public async Task<ProjectResponseModel> GetAsync([FromRoute] Guid id)
    {
        var project = await _projectRepository.GetByIdAsync(id);
        if (project == null)
@@ -104,7 +108,7 @@ public class ProjectsController : Controller
            throw new NotFoundException();
        }

-        return new ProjectPermissionDetailsResponseModel(project, access.Read, access.Write);
+        return new ProjectResponseModel(project, access.Read, access.Write);
    }

    [HttpPost("projects/delete")]
--- a/src/Api/SecretsManager/Controllers/SecretsManagerPortingController.cs
+++ b/src/Api/SecretsManager/Controllers/SecretsManagerPortingController.cs
@@ -47,7 +47,7 @@ public class SecretsManagerPortingController : Controller
            throw new NotFoundException();
        }

-        return new SMExportResponseModel(projects, secrets.Select(s => s.Secret));
+        return new SMExportResponseModel(projects.Select(p => p.Project), secrets.Select(s => s.Secret));
    }

    [HttpPost("sm/{organizationId}/import")]