feat: Enhance people picker access control to include roles permissions

2025-12-22 19:30:15 +01:00 · 2025-08-04 12:51:27 -04:00 · 2025-08-04 12:51:27 -04:00 · 8e003083dc
commit 8e003083dc
parent 4736a60c47
7 changed files with 457 additions and 22 deletions
--- a/api/server/middleware/checkPeoplePickerAccess.js
+++ b/api/server/middleware/checkPeoplePickerAccess.js
@ -7,7 +7,8 @@ const { logger } = require('~/config');
 * Checks specific permission based on the 'type' query parameter:
 * - type=user: requires VIEW_USERS permission
 * - type=group: requires VIEW_GROUPS permission
- * - no type (mixed search): requires either VIEW_USERS OR VIEW_GROUPS
+ * - type=role: requires VIEW_ROLES permission
+ * - no type (mixed search): requires either VIEW_USERS OR VIEW_GROUPS OR VIEW_ROLES
 */
 const checkPeoplePickerAccess = async (req, res, next) => {
  try {
@ -31,29 +32,38 @@ const checkPeoplePickerAccess = async (req, res, next) => {
    const peoplePickerPerms = role.permissions[PermissionTypes.PEOPLE_PICKER] || {};
    const canViewUsers = peoplePickerPerms[Permissions.VIEW_USERS] === true;
    const canViewGroups = peoplePickerPerms[Permissions.VIEW_GROUPS] === true;
+    const canViewRoles = peoplePickerPerms[Permissions.VIEW_ROLES] === true;

-    if (type === PrincipalType.USER) {
-      if (!canViewUsers) {
-        return res.status(403).json({
-          error: 'Forbidden',
-          message: 'Insufficient permissions to search for users',
-        });
-      }
-    } else if (type === PrincipalType.GROUP) {
-      if (!canViewGroups) {
-        return res.status(403).json({
-          error: 'Forbidden',
-          message: 'Insufficient permissions to search for groups',
-        });
-      }
-    } else {
-      if (!canViewUsers || !canViewGroups) {
-        return res.status(403).json({
-          error: 'Forbidden',
-          message: 'Insufficient permissions to search for both users and groups',
-        });
-      }
+    const permissionChecks = {
+      [PrincipalType.USER]: {
+        hasPermission: canViewUsers,
+        message: 'Insufficient permissions to search for users',
+      },
+      [PrincipalType.GROUP]: {
+        hasPermission: canViewGroups,
+        message: 'Insufficient permissions to search for groups',
+      },
+      [PrincipalType.ROLE]: {
+        hasPermission: canViewRoles,
+        message: 'Insufficient permissions to search for roles',
+      },
+    };
+
+    const check = permissionChecks[type];
+    if (check && !check.hasPermission) {
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: check.message,
+      });
    }
+
+    if (!type && !canViewUsers && !canViewGroups && !canViewRoles) {
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: 'Insufficient permissions to search for users, groups, or roles',
+      });
+    }
+
    next();
  } catch (error) {
    logger.error(