From e6ddf67d95b7ae7c2548da0fd06bed38b3aa7a90 Mon Sep 17 00:00:00 2001
From: Matthias Hochmeister
Date: Tue, 24 Mar 2026 17:20:31 +0100
Subject: [PATCH] fix permissions
---
 backend/src/controllers/issue.controller.ts | 6 +++---
 .../migrations/056_issues_widget_permission.sql | 10 ++++++----
 backend/src/services/permission.service.ts | 5 +++++
 3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/backend/src/controllers/issue.controller.ts b/backend/src/controllers/issue.controller.ts
index ab0622a..2f53e67 100644
--- a/backend/src/controllers/issue.controller.ts
+++ b/backend/src/controllers/issue.controller.ts
@@ -10,7 +10,7 @@ class IssueController {
 try {
 const userId = req.user!.id;
 const groups: string[] = (req.user as any).groups || [];
- const canViewAll = groups.includes('dashboard_admin') || permissionService.hasPermission(groups, 'issues:view_all');
+ const canViewAll = permissionService.hasPermission(groups, 'issues:view_all');
 // Parse filter query params
 const filters: {
@@ -60,7 +60,7 @@ class IssueController {
 }
 const userId = req.user!.id;
 const groups: string[] = (req.user as any).groups || [];
- const canViewAll = groups.includes('dashboard_admin') || permissionService.hasPermission(groups, 'issues:view_all');
+ const canViewAll = permissionService.hasPermission(groups, 'issues:view_all');
 if (!canViewAll && issue.erstellt_von !== userId && issue.zugewiesen_an !== userId) {
 res.status(403).json({ success: false, message: 'Kein Zugriff' });
 return;
@@ -227,7 +227,7 @@ class IssueController {
 }
 const userId = req.user!.id;
 const groups: string[] = (req.user as any).groups || [];
- const canViewAll = groups.includes('dashboard_admin') || permissionService.hasPermission(groups, 'issues:view_all');
+ const canViewAll = permissionService.hasPermission(groups, 'issues:view_all');
 if (!canViewAll && issue.erstellt_von !== userId && issue.zugewiesen_an !== userId) {
 res.status(403).json({ success: false, message: 'Kein Zugriff' });
 return;
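Review bot: The three hunks (at -10, -60 and -227) now carry an identical three-line preamble — `userId`, `groups` from `(req.user as any).groups || []`, and `canViewAll` from `permissionService.hasPermission(groups, 'issues:view_all')` — so the access decision is written three times and a future change to it has to be applied in three places. Extracting a small private helper in the controller that returns `{ userId, groups, canViewAll }` keeps the rule in one spot; this is a point of style, the new lines themselves are correct. With the `groups.includes('dashboard_admin')` shortcut gone, admin access in these handlers is decided solely by the permission cache, so a cache that has not been loaded yet (or whose load failed) answers `dashboard_admin` with the same 403 as any other user — fail-closed, which is reasonable, but a one-line comment next to `canViewAll` such as `// admin access comes from the permission cache; do not short-circuit on the group name here` would stop the next reader from re-adding the shortcut. The enclosing handlers start and end outside these hunks, so how `hasPermission` behaves against an empty cache cannot be confirmed from here.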
diff --git a/backend/src/database/migrations/056_issues_widget_permission.sql b/backend/src/database/migrations/056_issues_widget_permission.sql
index 3b7538c..92e6203 100644
--- a/backend/src/database/migrations/056_issues_widget_permission.sql
+++ b/backend/src/database/migrations/056_issues_widget_permission.sql
@@ -1,13 +1,15 @@
 -- Migration 056: Add issues:widget permission
--- Gated permission for the Issue Quick Add dashboard widget.
--- Granted to all groups that currently have issues:create.
+--
+-- Adds the widget permission for the Issue Quick Add dashboard widget.
+-- dashboard_admin gets it automatically via the permission cache (loadCache
+-- populates it with every permission in the system).
--- 1. Insert the new permission
+-- 1. Insert the new widget permission
 INSERT INTO permissions (id, feature_group_id, label, description, sort_order)
 VALUES ('issues:widget', 'issues', 'Widget', 'Issue-Schnelleingabe auf dem Dashboard', 8)
 ON CONFLICT (id) DO NOTHING;
--- 2. Grant to every group that already has issues:create
+-- 2. Grant issues:widget to every group that already has issues:create
 INSERT INTO group_permissions (authentik_group, permission_id)
 SELECT authentik_group, 'issues:widget'
 FROM group_permissions
diff --git a/backend/src/services/permission.service.ts b/backend/src/services/permission.service.ts
index 2b3a6e1..fa910c8 100644
--- a/backend/src/services/permission.service.ts
+++ b/backend/src/services/permission.service.ts
@@ -87,6 +87,11 @@ class PermissionService {
 }
 newMap.get(row.authentik_group)!.add(row.permission_id);
 }
+
+ // dashboard_admin always holds every permission in the system
+ const allPermsResult = await pool.query('SELECT id FROM permissions');
+ newMap.set('dashboard_admin', new Set(allPermsResult.rows.map((r: any) => r.id)));
+
 this.groupPermissions = newMap;
 // Load maintenance flags
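Review bot: `newMap.set('dashboard_admin', …)` unconditionally replaces whatever the loop above loaded from `group_permissions` for that group, so explicit grants or revocations stored for `dashboard_admin` in the database silently have no effect; if that is intended, the comment should say so, e.g. `// dashboard_admin always holds every permission in the system; group_permissions rows for this group are ignored`. The literal `'dashboard_admin'` was just removed from three places in issue.controller.ts and now lives only here, so a module-level constant such as `const SUPER_ADMIN_GROUP = 'dashboard_admin';` would make that single point of truth visible to the next maintainer. The `(r: any) => r.id` callback can carry the query's row type instead of `any` — if `pool` is node-postgres, `pool.query<{ id: string }>('SELECT id FROM permissions')` lets the map drop the cast. Note also that every permission inserted by a later migration is now implicitly granted to this group on the next cache load, so adding a `permissions` row is in effect a privilege change for dashboard_admin; loadCache continues outside the hunk, so whether a failure of the added query leaves the previous cache in place cannot be seen from here.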