From 77d0ccfb9acda4caec463c277d3a30416a0b4026 Mon Sep 17 00:00:00 2001
From: shreddedbacon
Date: Tue, 18 Jun 2024 09:52:20 +1000
Subject: [PATCH 1/2] fix: remove usergroup injection from org project groups to prevent duplicates

---
 .../src/resources/organization/resolvers.ts | 53 ++-----------------
 1 file changed, 5 insertions(+), 48 deletions(-)

diff --git a/services/api/src/resources/organization/resolvers.ts b/services/api/src/resources/organization/resolvers.ts
index eda185c391..6e8ab8e478 100644
--- a/services/api/src/resources/organization/resolvers.ts
+++ b/services/api/src/resources/organization/resolvers.ts
@@ -509,56 +509,13 @@ export const getGroupCountByOrganizationProject: ResolverFn = async (
 export const getGroupsByOrganizationsProject: ResolverFn = async (
 { id: pid },
 _input,
- { sqlClientPool, models, keycloakGrant, keycloakUsersGroups, adminScopes }
+ { sqlClientPool, models }
 ) => {
+ // rather than make this more complicated than it needs to be, just return all the groups attached to a project, even those that aren't in the organization
+ // this way the organization owner can make the decision to remove the group from the project
+ // this isn't an impossibile situation, but is unlikely, due to the historical nature of lagoons group attachment process
 const orgProjectGroups = await groupHelpers(sqlClientPool).selectGroupsByProjectId(models, pid)
- if (adminScopes.projectViewAll) {
- // if platform owner, this will show ALL groups on a project (those that aren't in the organization too, yes its possible with outside intervention :| )
- return orgProjectGroups;
- }
-
- const user = await models.UserModel.loadUserById(
- keycloakGrant.access_token.content.sub
- );
- // if this user is an owner of an organization, then also display org based groups to this user
- // when listing project groups
- const userGroups = keycloakUsersGroups;
- const usersOrgs = R.defaultTo('', R.prop('lagoon-organizations', user.attributes)).toString()
- const usersOrgsViewer = R.defaultTo('', R.prop('lagoon-organizations-viewer', user.attributes)).toString()
-
- if (usersOrgs != "" ) {
- const usersOrgsArr = usersOrgs.split(',');
- for (const userOrg of usersOrgsArr) {
- const project = await projectHelpers(sqlClientPool).getProjectById(pid);
- if (project.organization == userOrg) {
- const orgGroups = await groupHelpers(sqlClientPool).selectGroupsByOrganizationId(models, project.organization)
- for (const pGroup of orgGroups) {
- userGroups.push(pGroup)
- }
- }
- }
- }
- if (usersOrgsViewer != "" ) {
- const usersOrgsArr = usersOrgsViewer.split(',');
- for (const userOrg of usersOrgsArr) {
- const project = await projectHelpers(sqlClientPool).getProjectById(pid);
- if (project.organization == userOrg) {
- const orgGroups = await groupHelpers(sqlClientPool).selectGroupsByOrganizationId(models, project.organization)
- for (const pGroup of orgGroups) {
- userGroups.push(pGroup)
- }
- }
- }
- }
- let userProjectGroups = []
- for (const ug of userGroups) {
- const pg = orgProjectGroups.find(i => i.id === ug.id)
- if (pg) {
- userProjectGroups.push(pg)
- }
- }
-
- return userProjectGroups;
+ return orgProjectGroups;
 };
 
 // check an existing project and the associated groups can be added to an organization

From 6fb681265a8dded27f62742f7fd8091b650068c4 Mon Sep 17 00:00:00 2001
From: shreddedbacon
Date: Tue, 18 Jun 2024 12:46:57 +1000
Subject: [PATCH 2/2] fix: reject group addition if group is not in organization

---
 services/api/src/resources/group/resolvers.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/services/api/src/resources/group/resolvers.ts b/services/api/src/resources/group/resolvers.ts
index 86580acfbb..0c96d710d4 100644
--- a/services/api/src/resources/group/resolvers.ts
+++ b/services/api/src/resources/group/resolvers.ts
@@ -654,6 +654,9 @@ export const addGroupsToProject: ResolverFn = async (
 
 for (const groupInput of groupsInput) {
 const group = await models.GroupModel.loadGroupByIdOrName(groupInput);
+ if (R.prop('lagoon-organization', group.attributes) === undefined && project.organization != null) {
+ throw new Error('Group must be in same organization as the project');
+ }
 if (R.prop('lagoon-organization', group.attributes) && project.organization != null) {
 if (project.organization == R.prop('lagoon-organization', group.attributes)) {
 // if this is a group in an organization, check that the user removing members from the group in this org is in the org
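Review bot: After this change `getGroupsByOrganizationsProject` has no authorization step of its own: the `adminScopes.projectViewAll` branch and the per-user filtering are gone and the body simply returns the result of `selectGroupsByProjectId(models, pid)`, so every caller who can resolve this field on a project receives all attached groups, including ones outside the organization. The new comment justifies that for the organization owner, but the removed code also served the `lagoon-organizations-viewer` attribute, so viewers presumably now see those out-of-organization groups as well. If access is enforced by the parent resolver (not visible in this hunk), the comment should say so, e.g. `// access is gated by the parent organization project resolver; this intentionally includes groups outside the organization`. Otherwise an explicit permission check on the project's organization belongs before the query.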
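Review bot: The new guard in `addGroupsToProject` rejects only a missing attribute: a group whose `lagoon-organization` is present but `null` or `''` fails the `=== undefined` test and is also falsy for the `if` that follows, so it skips both checks and still reaches `addProjectToGroup` on a project that belongs to an organization. Failing closed on any falsy value covers that case: `if (!R.prop('lagoon-organization', group.attributes) && project.organization != null) {`. Because the check runs inside the loop, groups earlier in `groupsInput` appear to be attached already when a later one throws; validating every group before the first `addProjectToGroup` call would avoid a partial update. The function starts and ends outside this hunk, so the second point is inferred from the visible lines only.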
@@ -661,7 +664,7 @@ export const addGroupsToProject: ResolverFn = async (
 organization: R.prop('lagoon-organization', group.attributes)
 });
 } else {
- throw new Error('Project must be in same organization as groups');
+ throw new Error('Group must be in same organization as the project');
 }
 }
 await models.GroupModel.addProjectToGroup(project.id, group);