matthias/dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

rights system

Browse Source
This commit is contained in:
Matthias Hochmeister
2026-03-23 11:48:00 +01:00
parent 515f14956e
commit d173c8235e
5 changed files with 139 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
backend/src/controllers/permission.controller.ts
View File

@@ -76,6 +76,35 @@ class PermissionController {
}
}
/**
* PUT /api/admin/permissions/bulk
* Bulk-update permissions for multiple groups in one request.
* Body: { updates: [{ group: string, permissions: string[] }] }
*/
async setBulkPermissions(req: Request, res: Response): Promise<void> {
try {
const { updates } = req.body;
if (!Array.isArray(updates)) {
res.status(400).json({ success: false, message: 'updates must be an array' });
return;
}
for (const u of updates) {
if (typeof u.group !== 'string' || !Array.isArray(u.permissions)) {
res.status(400).json({ success: false, message: 'Each update must have group (string) and permissions (array)' });
return;
}
}
await permissionService.setMultipleGroupPermissions(updates, req.user!.id);
res.json({ success: true, message: 'Berechtigungen aktualisiert' });
} catch (error) {
logger.error('Failed to set bulk permissions', { error });
res.status(500).json({ success: false, message: 'Fehler beim Speichern der Berechtigungen' });
}
}
/**
* GET /api/admin/permissions/groups
* Returns all known Authentik groups from the permission table.

1
backend/src/routes/permission.routes.ts
View File

@@ -13,6 +13,7 @@ router.get('/admin/matrix', authenticate, requirePermission('admin:view'), permi
router.get('/admin/groups', authenticate, requirePermission('admin:view'), permissionController.getGroups.bind(permissionController));
router.get('/admin/unknown-groups', authenticate, requirePermission('admin:view'), permissionController.getUnknownGroups.bind(permissionController));
router.put('/admin/group/:groupName', authenticate, requirePermission('admin:write'), permissionController.setGroupPermissions.bind(permissionController));
router.put('/admin/bulk', authenticate, requirePermission('admin:write'), permissionController.setBulkPermissions.bind(permissionController));
router.put('/admin/maintenance/:featureGroupId', authenticate, requirePermission('admin:write'), permissionController.setMaintenanceFlag.bind(permissionController));
export default router;

87
backend/src/services/permission.service.ts
View File

@@ -148,21 +148,100 @@ class PermissionService {
const client = await pool.connect();
try {
await client.query('BEGIN');
// Validate permission IDs exist (filter out stale/invalid ones)
let validPermIds = permIds;
if (permIds.length > 0) {
const validResult = await client.query(
'SELECT id FROM permissions WHERE id = ANY($1)',
[permIds]
);
const validSet = new Set(validResult.rows.map((r: any) => r.id));
validPermIds = permIds.filter(p => validSet.has(p));
}
// Remove all existing permissions for this group
await client.query('DELETE FROM group_permissions WHERE authentik_group = $1', [group]);
// Insert new permissions
for (const permId of permIds) {
if (validPermIds.length > 0) {
const values = validPermIds.map((_p, i) =>
`($1, $${i + 2}, $${validPermIds.length + 2})`
).join(', ');
await client.query(
'INSERT INTO group_permissions (authentik_group, permission_id, granted_by) VALUES ($1, $2, $3) ON CONFLICT DO NOTHING',
[group, permId, grantedBy]
`INSERT INTO group_permissions (authentik_group, permission_id, granted_by)
VALUES ${values}
ON CONFLICT DO NOTHING`,
[group, ...validPermIds, grantedBy]
);
}
await client.query('COMMIT');
// Reload cache
await this.loadCache();
logger.info('Group permissions updated', { group, permissionCount: permIds.length, grantedBy });
logger.info('Group permissions updated', { group, permissionCount: validPermIds.length, grantedBy });
} catch (error) {
await client.query('ROLLBACK');
throw error;
} finally {
client.release();
}
}
/**
* Bulk-update permissions for multiple groups in a single transaction.
* Reloads cache once at the end.
*/
async setMultipleGroupPermissions(
updates: { group: string; permissions: string[] }[],
grantedBy: string,
): Promise<void> {
const client = await pool.connect();
try {
await client.query('BEGIN');
// Collect all referenced permission IDs to validate in one query
const allPermIds = new Set<string>();
for (const u of updates) {
for (const p of u.permissions) allPermIds.add(p);
}
let validSet = new Set<string>();
if (allPermIds.size > 0) {
const validResult = await client.query(
'SELECT id FROM permissions WHERE id = ANY($1)',
[Array.from(allPermIds)]
);
validSet = new Set(validResult.rows.map((r: any) => r.id));
}
for (const { group, permissions } of updates) {
const validPermIds = permissions.filter(p => validSet.has(p));
await client.query('DELETE FROM group_permissions WHERE authentik_group = $1', [group]);
if (validPermIds.length > 0) {
const values = validPermIds.map((_p, i) =>
`($1, $${i + 2}, $${validPermIds.length + 2})`
).join(', ');
await client.query(
`INSERT INTO group_permissions (authentik_group, permission_id, granted_by)
VALUES ${values}
ON CONFLICT DO NOTHING`,
[group, ...validPermIds, grantedBy]
);
}
}
await client.query('COMMIT');
await this.loadCache();
logger.info('Bulk group permissions updated', {
groupCount: updates.length,
grantedBy,
});
} catch (error) {
await client.query('ROLLBACK');
throw error;

32
frontend/src/components/admin/PermissionMatrixTab.tsx
View File

@@ -188,10 +188,10 @@ function PermissionMatrixTab() {
onError: () => showError('Fehler beim Aktualisieren des Wartungsmodus'),
});
// ── Permission save (saves full group permissions) ──
// ── Permission save (bulk — single request for all affected groups) ──
const permissionMutation = useMutation({
mutationFn: (updates: { group: string; permissions: string[] }[]) =>
Promise.all(updates.map(u => permissionsApi.setGroupPermissions(u.group, u.permissions))),
permissionsApi.setBulkPermissions(updates),
onSuccess: () => {
queryClient.invalidateQueries({ queryKey: ['admin-permission-matrix'] });
queryClient.invalidateQueries({ queryKey: ['my-permissions'] });
@@ -576,16 +576,28 @@ function PermissionMatrixTab() {
</TableCell>
{nonAdminGroups.map(g => {
const isGranted = (grants[g] || []).includes(perm.id);
// Check if this perm is required by another granted perm (dependency lock)
const groupGrants = grants[g] || [];
const dependents = REVERSE_DEPS[perm.id] || [];
const isRequiredByOther = isGranted && dependents.some(d => groupGrants.includes(d));
return (
<TableCell key={g} align="center" sx={{ minWidth: 120 }}>
<Checkbox
checked={isGranted}
onChange={() =>
handlePermissionToggle(g, perm.id, grants, groups)
}
disabled={permissionMutation.isPending}
size="small"
/>
<Tooltip
title={isRequiredByOther ? 'Wird von anderen Berechtigungen benötigt' : ''}
placement="top"
>
<span>
<Checkbox
checked={isGranted}
onChange={() =>
handlePermissionToggle(g, perm.id, grants, groups)
}
disabled={permissionMutation.isPending}
size="small"
sx={isRequiredByOther ? { color: 'warning.main', '&.Mui-checked': { color: 'warning.main' } } : undefined}
/>
</span>
</Tooltip>
</TableCell>
);
})}

4
frontend/src/services/permissions.ts
View File

@@ -21,6 +21,10 @@ export const permissionsApi = {
await api.put(`/api/permissions/admin/group/${encodeURIComponent(group)}`, { permissions });
},
setBulkPermissions: async (updates: { group: string; permissions: string[] }[]): Promise<void> => {
await api.put('/api/permissions/admin/bulk', { updates });
},
setMaintenanceFlag: async (featureGroup: string, active: boolean): Promise<void> => {
await api.put(`/api/permissions/admin/maintenance/${encodeURIComponent(featureGroup)}`, { active });
},