paulononato/backstage
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

search: check for non-resource permissions when authorizing results

Browse Source 
Now that we can differentiate between ResourcePermissions and other
kinds of permissions, we can skip authorizing result-by-result
when the permission for a given document type is not a
ResourcePermission.

Signed-off-by: Mike Lewis <mtlewis@users.noreply.github.com>
This commit is contained in:
Mike Lewis
2022-03-08 09:48:18 +00:00
committed by Joe Porpeglia
parent 1e0dbd4fb5
commit 30f9884359
3 changed files with 15 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.changeset/big-mayflies-sin.md
+5
View File
@@ -0,0 +1,5 @@
---
'@backstage/plugin-search-backend': patch
---
Check for non-resource permissions when authorizing result-by-result in AuthorizedSearchEngine.
plugins/search-backend/src/service/AuthorizedSearchEngine.test.ts
+4
View File
@@ -82,24 +82,28 @@ describe('AuthorizedSearchEngine', () => {
visibilityPermission: createPermission({
name: 'search.users.read',
attributes: { action: 'read' },
resourceType: 'test-user',
}),
},
[typeTemplates]: {
visibilityPermission: createPermission({
name: 'search.templates.read',
attributes: { action: 'read' },
resourceType: 'test-template',
}),
},
[typeServices]: {
visibilityPermission: createPermission({
name: 'search.services.read',
attributes: { action: 'read' },
resourceType: 'test-service',
}),
},
[typeGroups]: {
visibilityPermission: createPermission({
name: 'search.groups.read',
attributes: { action: 'read' },
resourceType: 'test-group',
}),
},
};
plugins/search-backend/src/service/AuthorizedSearchEngine.ts
+6 -1
View File
@@ -21,6 +21,7 @@ import {
AuthorizeDecision,
AuthorizeQuery,
AuthorizeResult,
isResourcePermission,
PermissionAuthorizer,
} from '@backstage/plugin-permission-common';
import {
@@ -197,7 +198,11 @@ export class AuthorizedSearchEngine implements SearchEngine {
const permission = this.types[result.type]?.visibilityPermission;
const resourceRef = result.document.authorization?.resourceRef;
if (!permission || !resourceRef) {
if (
!permission ||
!isResourcePermission(permission) ||
!resourceRef
) {
return result;
}