Add UPDATE and DELETE TAG_TYPE permissions (#951)

src/lib/middleware/rbac-middleware.test.ts

@@ -309,3 +309,49 @@ test('Does not double check permission if not changing project when updating tog
         oldProjectId,
     );
 });
+
+test('UPDATE_TAG_TYPE does not need projectId', async () => {
+    const accessService = {
+        hasPermission: jest.fn().mockReturnValue(true),
+    };
+
+    const func = rbacMiddleware(config, { featureToggleStore }, accessService);
+    const cb = jest.fn();
+    const req: any = {
+        user: new User({ username: 'user', id: 1 }),
+        params: {},
+        body: { name: 'new-tag-type', description: 'New tag type for testing' },
+    };
+    func(req, undefined, cb);
+
+    await req.checkRbac(perms.UPDATE_TAG_TYPE);
+    expect(accessService.hasPermission).toHaveBeenCalledTimes(1);
+    expect(accessService.hasPermission).toHaveBeenCalledWith(
+        req.user,
+        perms.UPDATE_TAG_TYPE,
+        undefined,
+    );
+});
+
+test('DELETE_TAG_TYPE does not need projectId', async () => {
+    const accessService = {
+        hasPermission: jest.fn().mockReturnValue(true),
+    };
+
+    const func = rbacMiddleware(config, { featureToggleStore }, accessService);
+    const cb = jest.fn();
+    const req: any = {
+        user: new User({ username: 'user', id: 1 }),
+        params: {},
+        body: { name: 'new-tag-type', description: 'New tag type for testing' },
+    };
+    func(req, undefined, cb);
+
+    await req.checkRbac(perms.DELETE_TAG_TYPE);
+    expect(accessService.hasPermission).toHaveBeenCalledTimes(1);
+    expect(accessService.hasPermission).toHaveBeenCalledWith(
+        req.user,
+        perms.DELETE_TAG_TYPE,
+        undefined,
+    );
+});

src/lib/routes/admin-api/tag-type.ts

@@ -1,7 +1,7 @@
 import { Request, Response } from 'express';
 import Controller from '../controller';
 
-import { UPDATE_FEATURE } from '../../types/permissions';
+import { DELETE_TAG_TYPE, UPDATE_TAG_TYPE } from '../../types/permissions';
 import { extractUsername } from '../../util/extract-user';
 import { IUnleashConfig } from '../../types/option';
 import { IUnleashServices } from '../../types/services';
@@ -24,11 +24,11 @@ class TagTypeController extends Controller {
         this.logger = config.getLogger('/admin-api/tag-type.js');
         this.tagTypeService = tagTypeService;
         this.get('/', this.getTagTypes);
-        this.post('/', this.createTagType, UPDATE_FEATURE);
+        this.post('/', this.createTagType, UPDATE_TAG_TYPE);
         this.post('/validate', this.validate);
         this.get('/:name', this.getTagType);
-        this.put('/:name', this.updateTagType, UPDATE_FEATURE);
-        this.delete('/:name', this.deleteTagType, UPDATE_FEATURE);
+        this.put('/:name', this.updateTagType, UPDATE_TAG_TYPE);
+        this.delete('/:name', this.deleteTagType, DELETE_TAG_TYPE);
     }
 
     async getTagTypes(req: Request, res: Response): Promise<void> {

src/lib/types/permissions.ts

@@ -21,3 +21,5 @@ export const UPDATE_ROLE = 'UPDATE_ROLE';
 export const UPDATE_API_TOKEN = 'UPDATE_API_TOKEN';
 export const CREATE_API_TOKEN = 'CREATE_API_TOKEN';
 export const DELETE_API_TOKEN = 'DELETE_API_TOKEN';
+export const UPDATE_TAG_TYPE = 'UPDATE_TAG_TYPE';
+export const DELETE_TAG_TYPE = 'DELETE_TAG_TYPE';

src/migrations/20210922120521-add-tag-type-permission.js

@@ -0,0 +1,26 @@
+'use strict';
+
+exports.up = function (db, cb) {
+    db.runSql(
+        `
+        INSERT INTO role_permission(role_id, permission)
+        VALUES (2, 'UPDATE_TAG_TYPE'),
+               (2, 'DELETE_TAG_TYPE');
+        INSERT INTO role_permission(role_id, permission, project)
+        VALUES (2, 'UPDATE_TAG_TYPE', 'default'),
+               (2, 'DELETE_TAG_TYPE', 'default');
+    `,
+        cb,
+    );
+};
+
+exports.down = function (db, cb) {
+    db.runSql(
+        `
+        DELETE
+        FROM role_permission
+        WHERE permission IN ('UPDATE_TAG_TYPE', 'DELETE_TAG_TYPE');
+    `,
+        cb,
+    );
+};