feat(core): Implement project:viewer role (#9611)

2025-12-17 18:12:04 +00:00 · 2024-06-06 11:55:48 +02:00
parent e9e3b254fe
commit 6187cc5762
10 changed files with 933 additions and 745 deletions
--- a/packages/cli/src/credentials/credentials.service.ts
+++ b/packages/cli/src/credentials/credentials.service.ts
@@ -275,7 +275,7 @@ export class CredentialsService {

 			if (typeof projectId === 'string' && project === null) {
 				throw new BadRequestError(
-					"You don't have the permissions to save the workflow in this project.",
+					"You don't have the permissions to save the credential in this project.",
 				);
 			}

--- a/packages/cli/src/databases/entities/ProjectRelation.ts
+++ b/packages/cli/src/databases/entities/ProjectRelation.ts
@@ -4,7 +4,11 @@ import { WithTimestamps } from './AbstractEntity';
 import { Project } from './Project';

 // personalOwner is only used for personal projects
-export type ProjectRole = 'project:personalOwner' | 'project:admin' | 'project:editor';
+export type ProjectRole =
+	| 'project:personalOwner'
+	| 'project:admin'
+	| 'project:editor'
+	| 'project:viewer';

@Entity()
 export class ProjectRelation extends WithTimestamps {
--- a/packages/cli/src/permissions/project-roles.ts
+++ b/packages/cli/src/permissions/project-roles.ts
@@ -61,3 +61,12 @@ export const PROJECT_EDITOR_SCOPES: Scope[] = [
 	'project:list',
 	'project:read',
 ];
+
+export const PROJECT_VIEWER_SCOPES: Scope[] = [
+	'credential:list',
+	'credential:read',
+	'project:list',
+	'project:read',
+	'workflow:list',
+	'workflow:read',
+];
--- a/packages/cli/src/services/role.service.ts
+++ b/packages/cli/src/services/role.service.ts
@@ -13,6 +13,7 @@ import {
 import {
 	PERSONAL_PROJECT_OWNER_SCOPES,
 	PROJECT_EDITOR_SCOPES,
+	PROJECT_VIEWER_SCOPES,
 	REGULAR_PROJECT_ADMIN_SCOPES,
 } from '@/permissions/project-roles';
 import {
@@ -39,6 +40,7 @@ const PROJECT_SCOPE_MAP: Record<ProjectRole, Scope[]> = {
 	'project:admin': REGULAR_PROJECT_ADMIN_SCOPES,
 	'project:personalOwner': PERSONAL_PROJECT_OWNER_SCOPES,
 	'project:editor': PROJECT_EDITOR_SCOPES,
+	'project:viewer': PROJECT_VIEWER_SCOPES,
 };

 const CREDENTIALS_SHARING_SCOPE_MAP: Record<CredentialSharingRole, Scope[]> = {
@@ -87,6 +89,7 @@ const ROLE_NAMES: Record<
 	'project:personalOwner': 'Project Owner',
 	'project:admin': 'Project Admin',
 	'project:editor': 'Project Editor',
+	'project:viewer': 'Project Viewer',
 	'credential:user': 'Credential User',
 	'credential:owner': 'Credential Owner',
 	'workflow:owner': 'Workflow Owner',
@@ -230,6 +233,8 @@ export class RoleService {
 				return this.license.isProjectRoleAdminLicensed();
 			case 'project:editor':
 				return this.license.isProjectRoleEditorLicensed();
+			case 'project:viewer':
+				return this.license.isProjectRoleViewerLicensed();
 			case 'global:admin':
 				return this.license.isAdvancedPermissionsLicensed();
 			default:
--- a/packages/cli/test/integration/credentials/credentials.api.ee.test.ts
+++ b/packages/cli/test/integration/credentials/credentials.api.ee.test.ts
@@ -29,7 +29,6 @@ import {
 } from '../shared/db/users';
 import type { SuperAgentTest } from '../shared/types';
 import { mockInstance } from '../../shared/mocking';
-
 import { createTeamProject, linkUserToProject } from '../shared/db/projects';

 const testServer = utils.setupTestServer({
@@ -82,6 +81,23 @@ afterEach(() => {
 	jest.clearAllMocks();
 });

+describe('POST /credentials', () => {
+	test('project viewers cannot create credentials', async () => {
+		const teamProject = await createTeamProject();
+		await linkUserToProject(member, teamProject, 'project:viewer');
+
+		const response = await testServer
+			.authAgentFor(member)
+			.post('/credentials')
+			.send({ ...randomCredentialPayload(), projectId: teamProject.id });
+
+		expect(response.statusCode).toBe(400);
+		expect(response.body.message).toBe(
+			"You don't have the permissions to save the credential in this project.",
+		);
+	});
+});
+
 // ----------------------------------------
 // GET /credentials - fetch all credentials
 // ----------------------------------------
@@ -231,6 +247,31 @@ describe('GET /credentials', () => {
 // GET /credentials/:id - fetch a certain credential
 // ----------------------------------------
 describe('GET /credentials/:id', () => {
+	test('project viewers can view credentials', async () => {
+		const teamProject = await createTeamProject();
+		await linkUserToProject(member, teamProject, 'project:viewer');
+
+		const savedCredential = await saveCredential(randomCredentialPayload(), {
+			project: teamProject,
+		});
+
+		const response = await testServer
+			.authAgentFor(member)
+			.get(`/credentials/${savedCredential.id}`);
+
+		expect(response.statusCode).toBe(200);
+		expect(response.body.data).toMatchObject({
+			id: savedCredential.id,
+			shared: [{ projectId: teamProject.id, role: 'credential:owner' }],
+			homeProject: {
+				id: teamProject.id,
+			},
+			sharedWithProjects: [],
+			scopes: ['credential:read'],
+		});
+		expect(response.body.data.data).toBeUndefined();
+	});
+
 	test('should retrieve owned cred for owner', async () => {
 		const savedCredential = await saveCredential(randomCredentialPayload(), { user: owner });

@@ -387,6 +428,35 @@ describe('GET /credentials/:id', () => {
 	});
 });

+describe('PATCH /credentials/:id', () => {
+	test('project viewer cannot update credentials', async () => {
+		//
+		// ARRANGE
+		//
+		const teamProject = await createTeamProject('', member);
+		await linkUserToProject(member, teamProject, 'project:viewer');
+
+		const savedCredential = await saveCredential(randomCredentialPayload(), {
+			project: teamProject,
+		});
+
+		//
+		// ACT
+		//
+		const response = await testServer
+			.authAgentFor(member)
+			.patch(`/credentials/${savedCredential.id}`)
+			.send({ ...randomCredentialPayload() });
+
+		//
+		// ASSERT
+		//
+
+		expect(response.statusCode).toBe(403);
+		expect(response.body.message).toBe('User is missing a scope required to perform this action');
+	});
+});
+
 // ----------------------------------------
 // idempotent share/unshare
 // ----------------------------------------
--- a/packages/cli/test/integration/credentials/credentials.api.test.ts
+++ b/packages/cli/test/integration/credentials/credentials.api.test.ts
@@ -685,7 +685,7 @@ describe('POST /credentials', () => {
 			//
 			.expect(400, {
 				code: 400,
-				message: "You don't have the permissions to save the workflow in this project.",
+				message: "You don't have the permissions to save the credential in this project.",
 			});
 	});
 });
--- a/packages/cli/test/integration/executions.controller.test.ts
+++ b/packages/cli/test/integration/executions.controller.test.ts
@@ -7,6 +7,7 @@ import * as testDb from './shared/testDb';
 import { setupTestServer } from './shared/utils';
 import { mockInstance } from '../shared/mocking';
 import { WaitTracker } from '@/WaitTracker';
+import { createTeamProject, linkUserToProject } from './shared/db/projects';

 const testServer = setupTestServer({ endpointGroups: ['executions'] });

@@ -45,6 +46,23 @@ describe('GET /executions', () => {
 });

 describe('GET /executions/:id', () => {
+	test('project viewers can view executions for workflows in the project', async () => {
+		// if sharing is not enabled, we're only returning the executions of
+		// personal workflows
+		testServer.license.enable('feat:sharing');
+
+		const teamProject = await createTeamProject();
+		await linkUserToProject(member, teamProject, 'project:viewer');
+
+		const workflow = await createWorkflow({}, teamProject);
+		const execution = await createSuccessfulExecution(workflow);
+
+		const response = await testServer.authAgentFor(member).get(`/executions/${execution.id}`);
+
+		expect(response.statusCode).toBe(200);
+		expect(response.body.data).toBeDefined();
+	});
+
 	test('only returns executions of shared workflows if sharing is enabled', async () => {
 		const workflow = await createWorkflow({}, owner);
 		await shareWorkflowWithUsers(workflow, [member]);
--- a/packages/cli/test/integration/project.api.test.ts
+++ b/packages/cli/test/integration/project.api.test.ts
@@ -479,9 +479,8 @@ describe('PATCH /projects/:projectId', () => {
 		const updatedProject = await findProject(personalProject.id);
 		expect(updatedProject.name).not.toEqual('New Name');
 	});
-});

-describe('PATCH /projects/:projectId', () => {
+	describe('member management', () => {
 		test('should add or remove users from a project', async () => {
 			const [ownerUser, testUser1, testUser2, testUser3] = await Promise.all([
 				createOwner(),
@@ -552,92 +551,96 @@ describe('PATCH /projects/:projectId', () => {
 			expect(tp2Relations.find((p) => p.userId === ownerUser.id)?.role).toBe('project:editor');
 		});

-	test('should not add or remove users from a project if lacking permissions', async () => {
-		const [ownerUser, testUser1, testUser2, testUser3] = await Promise.all([
-			createOwner(),
+		test.each([['project:viewer'], ['project:editor']] as const)(
+			'`%s`s should not be able to add, update or remove users from a project',
+			async (role) => {
+				//
+				// ARRANGE
+				//
+				const [actor, projectEditor, userToBeInvited] = await Promise.all([
 					createUser(),
 					createUser(),
 					createUser(),
 				]);
-		const [teamProject1, teamProject2] = await Promise.all([
-			createTeamProject(undefined, testUser2),
-			createTeamProject(),
-		]);
+				const teamProject1 = await createTeamProject();

-		await linkUserToProject(testUser1, teamProject1, 'project:viewer');
-		await linkUserToProject(ownerUser, teamProject2, 'project:editor');
-		await linkUserToProject(testUser2, teamProject2, 'project:editor');
+				await linkUserToProject(actor, teamProject1, role);
+				await linkUserToProject(projectEditor, teamProject1, 'project:editor');

-		const memberAgent = testServer.authAgentFor(testUser1);
-
-		const resp = await memberAgent.patch(`/projects/${teamProject1.id}`).send({
+				//
+				// ACT
+				//
+				const response = await testServer
+					.authAgentFor(actor)
+					.patch(`/projects/${teamProject1.id}`)
+					.send({
 						name: teamProject1.name,
 						relations: [
-				{ userId: testUser1.id, role: 'project:admin' },
-				{ userId: testUser3.id, role: 'project:editor' },
-				{ userId: ownerUser.id, role: 'project:viewer' },
+							// update the viewer to be the project admin
+							{ userId: actor.id, role: 'project:admin' },
+							// add a user to the project
+							{ userId: userToBeInvited.id, role: 'project:editor' },
+							// implicitly remove the project editor
 						] as Array<{
 							userId: string;
 							role: ProjectRole;
 						}>,
 					});
-		expect(resp.status).toBe(403);
+				//.expect(403);

-		const [tp1Relations, tp2Relations] = await Promise.all([
-			getProjectRelations({ projectId: teamProject1.id }),
-			getProjectRelations({ projectId: teamProject2.id }),
-		]);
+				//
+				// ASSERT
+				//
+				expect(response.status).toBe(403);
+				expect(response.body).toMatchObject({
+					message: 'User is missing a scope required to perform this action',
+				});
+				const tp1Relations = await getProjectRelations({ projectId: teamProject1.id });

 				expect(tp1Relations.length).toBe(2);
-		expect(tp2Relations.length).toBe(2);
+				expect(tp1Relations).toMatchObject(
+					expect.arrayContaining([
+						expect.objectContaining({ userId: actor.id, role }),
+						expect.objectContaining({ userId: projectEditor.id, role: 'project:editor' }),
+					]),
+				);
+			},
+		);

-		expect(tp1Relations.find((p) => p.userId === testUser1.id)).not.toBeUndefined();
-		expect(tp1Relations.find((p) => p.userId === testUser2.id)).not.toBeUndefined();
-		expect(tp1Relations.find((p) => p.userId === testUser1.id)?.role).toBe('project:viewer');
-		expect(tp1Relations.find((p) => p.userId === testUser2.id)?.role).toBe('project:admin');
-		expect(tp1Relations.find((p) => p.userId === testUser3.id)).toBeUndefined();
+		test.each([
+			['project:viewer', 'feat:projectRole:viewer'],
+			['project:editor', 'feat:projectRole:editor'],
+		] as const)(
+			"should not be able to add a user with the role %s if it's not licensed",
+			async (role, feature) => {
+				testServer.license.disable(feature);
+				const [projectAdmin, userToBeInvited] = await Promise.all([createUser(), createUser()]);
+				const teamProject = await createTeamProject('Team Project', projectAdmin);

-		// Check we haven't modified the other team project
-		expect(tp2Relations.find((p) => p.userId === testUser2.id)).not.toBeUndefined();
-		expect(tp2Relations.find((p) => p.userId === testUser1.id)).toBeUndefined();
-		expect(tp2Relations.find((p) => p.userId === testUser2.id)?.role).toBe('project:editor');
-		expect(tp2Relations.find((p) => p.userId === ownerUser.id)?.role).toBe('project:editor');
-	});
-
-	test('should not add from a project adding user with an unlicensed role', async () => {
-		testServer.license.disable('feat:projectRole:editor');
-		const [testUser1, testUser2, testUser3] = await Promise.all([
-			createUser(),
-			createUser(),
-			createUser(),
-		]);
-		const teamProject = await createTeamProject(undefined, testUser2);
-
-		await linkUserToProject(testUser1, teamProject, 'project:admin');
-
-		const memberAgent = testServer.authAgentFor(testUser2);
-
-		const resp = await memberAgent.patch(`/projects/${teamProject.id}`).send({
+				await testServer
+					.authAgentFor(projectAdmin)
+					.patch(`/projects/${teamProject.id}`)
+					.send({
 						name: teamProject.name,
 						relations: [
-				{ userId: testUser2.id, role: 'project:admin' },
-				{ userId: testUser1.id, role: 'project:editor' },
+							{ userId: projectAdmin.id, role: 'project:admin' },
+							{ userId: userToBeInvited.id, role },
 						] as Array<{
 							userId: string;
 							role: ProjectRole;
 						}>,
-		});
-		expect(resp.status).toBe(400);
+					})
+					.expect(400);

 				const tpRelations = await getProjectRelations({ projectId: teamProject.id });
-		expect(tpRelations.length).toBe(2);
-
-		expect(tpRelations.find((p) => p.userId === testUser1.id)).not.toBeUndefined();
-		expect(tpRelations.find((p) => p.userId === testUser2.id)).not.toBeUndefined();
-		expect(tpRelations.find((p) => p.userId === testUser1.id)?.role).toBe('project:admin');
-		expect(tpRelations.find((p) => p.userId === testUser2.id)?.role).toBe('project:admin');
-		expect(tpRelations.find((p) => p.userId === testUser3.id)).toBeUndefined();
-	});
+				expect(tpRelations.length).toBe(1);
+				expect(tpRelations).toMatchObject(
+					expect.arrayContaining([
+						expect.objectContaining({ userId: projectAdmin.id, role: 'project:admin' }),
+					]),
+				);
+			},
+		);

 		test("should not edit a relation of a project when changing a user's role to an unlicensed role", async () => {
 			testServer.license.disable('feat:projectRole:editor');
@@ -736,6 +739,7 @@ describe('PATCH /projects/:projectId', () => {
 			expect(p1Relations.length).toBe(1);
 		});
 	});
+});

 describe('GET /project/:projectId', () => {
 	test('should get project details and relations', async () => {
--- a/packages/cli/test/integration/workflows/workflows.controller.ee.test.ts
+++ b/packages/cli/test/integration/workflows/workflows.controller.ee.test.ts
@@ -321,6 +321,24 @@ describe('GET /workflows/:workflowId', () => {
 		expect(response.statusCode).toBe(404);
 	});

+	test('project viewers can view workflows', async () => {
+		const teamProject = await createTeamProject();
+		await linkUserToProject(member, teamProject, 'project:viewer');
+
+		const workflow = await createWorkflow({}, teamProject);
+
+		const response = await authMemberAgent.get(`/workflows/${workflow.id}`).expect(200);
+		const responseWorkflow: WorkflowWithSharingsMetaDataAndCredentials = response.body.data;
+
+		expect(responseWorkflow.homeProject).toMatchObject({
+			id: teamProject.id,
+			name: teamProject.name,
+			type: 'team',
+		});
+
+		expect(responseWorkflow.sharedWithProjects).toHaveLength(0);
+	});
+
 	test('should return a workflow with owner', async () => {
 		const workflow = await createWorkflow({}, owner);

@@ -512,6 +530,20 @@ describe('GET /workflows/:workflowId', () => {
 });

 describe('POST /workflows', () => {
+	test('project viewers cannot create workflows', async () => {
+		const teamProject = await createTeamProject();
+		await linkUserToProject(member, teamProject, 'project:viewer');
+
+		const response = await authMemberAgent
+			.post('/workflows')
+			.send({ ...makeWorkflow(), projectId: teamProject.id });
+
+		expect(response.body).toMatchObject({
+			code: 400,
+			message: "You don't have the permissions to save the workflow in this project.",
+		});
+	});
+
 	it('Should create a workflow that uses no credential', async () => {
 		const workflow = makeWorkflow({ withPinData: false });

@@ -665,7 +697,24 @@ describe('POST /workflows', () => {
 	});
 });

-describe('PATCH /workflows/:workflowId - validate credential permissions to user', () => {
+describe('PATCH /workflows/:workflowId', () => {
+	test('project viewers cannot update workflows', async () => {
+		const teamProject = await createTeamProject();
+		await linkUserToProject(member, teamProject, 'project:viewer');
+
+		const workflow = await createWorkflow({ name: 'WF Name' }, teamProject);
+
+		const response = await authMemberAgent
+			.patch(`/workflows/${workflow.id}`)
+			.send({ ...workflow, name: 'New Name' });
+
+		expect(response.status).toBe(403);
+		expect(response.body).toMatchObject({
+			message: 'User is missing a scope required to perform this action',
+		});
+	});
+
+	describe('validate credential permissions to user', () => {
 		it('Should succeed when saving unchanged workflow nodes', async () => {
 			const savedCredential = await saveCredential(randomCredentialPayload(), { user: owner });
 			const workflow = {
@@ -897,7 +946,7 @@ describe('PATCH /workflows/:workflowId - validate credential permissions to user
 		});
 	});

-describe('PATCH /workflows/:workflowId - validate interim updates', () => {
+	describe('validate interim updates', () => {
 		it('should block owner updating workflow nodes on interim update by member', async () => {
 			// owner creates and shares workflow

@@ -1086,7 +1135,7 @@ describe('PATCH /workflows/:workflowId - validate interim updates', () => {
 		});
 	});

-describe('PATCH /workflows/:workflowId - workflow history', () => {
+	describe('workflow history', () => {
 		test('Should create workflow history version when licensed', async () => {
 			license.enable('feat:workflowHistory');
 			const workflow = await createWorkflow({}, owner);
@@ -1196,7 +1245,7 @@ describe('PATCH /workflows/:workflowId - workflow history', () => {
 		});
 	});

-describe('PATCH /workflows/:workflowId - activate workflow', () => {
+	describe('activate workflow', () => {
 		test('should activate workflow without changing version ID', async () => {
 			license.disable('feat:workflowHistory');
 			const workflow = await createWorkflow({}, owner);
@@ -1242,6 +1291,7 @@ describe('PATCH /workflows/:workflowId - activate workflow', () => {
 			expect(active).toBe(false);
 		});
 	});
+});

 describe('PUT /:workflowId/transfer', () => {
 	test('cannot transfer into the same project', async () => {
@@ -1551,3 +1601,21 @@ describe('PUT /:workflowId/transfer', () => {
 			.expect(500);
 	});
 });
+
+describe('POST /workflows/:workflowId/run', () => {
+	test('project viewers cannot run workflows', async () => {
+		const teamProject = await createTeamProject();
+		await linkUserToProject(member, teamProject, 'project:viewer');
+
+		const workflow = await createWorkflow({}, teamProject);
+
+		const response = await authMemberAgent
+			.post(`/workflows/${workflow.id}/run`)
+			.send({ workflowData: workflow });
+
+		expect(response.status).toBe(403);
+		expect(response.body).toMatchObject({
+			message: 'User is missing a scope required to perform this action',
+		});
+	});
+});
--- a/packages/cli/test/unit/repositories/sharedCredentials.repository.test.ts
+++ b/packages/cli/test/unit/repositories/sharedCredentials.repository.test.ts
@@ -62,7 +62,12 @@ describe('SharedCredentialsRepository', () => {
 					role: In(['credential:owner', 'credential:user']),
 					project: {
 						projectRelations: {
-							role: In(['project:admin', 'project:personalOwner', 'project:editor']),
+							role: In([
+								'project:admin',
+								'project:personalOwner',
+								'project:editor',
+								'project:viewer',
+							]),
 							userId: member.id,
 						},
 					},
@@ -83,7 +88,12 @@ describe('SharedCredentialsRepository', () => {
 					role: In(['credential:owner', 'credential:user']),
 					project: {
 						projectRelations: {
-							role: In(['project:admin', 'project:personalOwner', 'project:editor']),
+							role: In([
+								'project:admin',
+								'project:personalOwner',
+								'project:editor',
+								'project:viewer',
+							]),
 							userId: member.id,
 						},
 					},