From ef8041d315a90f69cf6e547ad0c3e5eec5a07613 Mon Sep 17 00:00:00 2001
From: Fredrik Oseberg
Date: Fri, 7 Jan 2022 10:56:46 +0100
Subject: [PATCH] fix: setup permission for variant
---
 src/lib/routes/admin-api/project/variants.ts | 9 ++++++---
 src/lib/types/permissions.ts | 1 +
 src/migrations/20211202120808-add-custom-roles.js | 10 +++++++---
 src/test/e2e/services/access-service.e2e.test.ts | 8 ++++++++
 4 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/src/lib/routes/admin-api/project/variants.ts b/src/lib/routes/admin-api/project/variants.ts
index 415731f0c5..738f793407 100644
--- a/src/lib/routes/admin-api/project/variants.ts
+++ b/src/lib/routes/admin-api/project/variants.ts
@@ -5,7 +5,10 @@ import { IUnleashConfig } from '../../../types/option';
 import { IUnleashServices } from '../../../types';
 import { Request, Response } from 'express';
 import { Operation } from 'fast-json-patch';
-import { UPDATE_FEATURE } from '../../../types/permissions';
+import {
+ UPDATE_FEATURE,
+ UPDATE_FEATURE_VARIANTS,
+} from '../../../types/permissions';
 import { IVariant } from '../../../types/model';
 import { extractUsername } from '../../../util/extract-user';
 import { IAuthRequest } from '../../unleash-types';
@@ -35,8 +38,8 @@ export default class VariantsController extends Controller {
 this.logger = config.getLogger('admin-api/project/variants.ts');
 this.featureService = featureToggleService;
 this.get(PREFIX, this.getVariants);
- this.patch(PREFIX, this.patchVariants, UPDATE_FEATURE);
- this.put(PREFIX, this.overwriteVariants, UPDATE_FEATURE);
+ this.patch(PREFIX, this.patchVariants, UPDATE_FEATURE_VARIANTS);
+ this.put(PREFIX, this.overwriteVariants, UPDATE_FEATURE_VARIANTS);
 }
 async getVariants(
diff --git a/src/lib/types/permissions.ts b/src/lib/types/permissions.ts
index b8936fc149..713e220e9f 100644
--- a/src/lib/types/permissions.ts
+++ b/src/lib/types/permissions.ts
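Review bot: `UPDATE_FEATURE` stays in the rewritten import of variants.ts, yet the only uses visible in this patch, the `this.patch` and `this.put` registrations in the constructor, now pass `UPDATE_FEATURE_VARIANTS`. If nothing else in the file references it, reduce the import to `import { UPDATE_FEATURE_VARIANTS } from '../../../types/permissions';` so the file does not suggest the broader permission still guards a route here. The rest of the file is outside the patch, so confirm that before removing it.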
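Review bot: The new permission argument on `this.patch` and `this.put` in the VariantsController constructor has no route-level coverage; the only test in this patch calls `accessService.hasPermission` directly. A request-level test that PATCH and PUT on the variants path are refused for a user whose role lacks `UPDATE_FEATURE_VARIANTS`, and accepted for one that holds it, would catch a wrong or missing argument in these two registrations. A one-line comment above them, for example `// variant edits require UPDATE_FEATURE_VARIANTS; UPDATE_FEATURE alone no longer grants them`, would record the authorization change for the next reader. The constructor begins and ends outside the hunk.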
@@ -30,3 +30,4 @@ export const CREATE_API_TOKEN = 'CREATE_API_TOKEN'; export const DELETE_API_TOKEN = 'DELETE_API_TOKEN'; export const UPDATE_TAG_TYPE = 'UPDATE_TAG_TYPE'; export const DELETE_TAG_TYPE = 'DELETE_TAG_TYPE'; +export const UPDATE_FEATURE_VARIANTS = 'UPDATE_FEATURE_VARIANTS'; diff --git a/src/migrations/20211202120808-add-custom-roles.js b/src/migrations/20211202120808-add-custom-roles.js index af78c66f53..02f0284afb 100644 --- a/src/migrations/20211202120808-add-custom-roles.js +++ b/src/migrations/20211202120808-add-custom-roles.js @@ -38,6 +38,7 @@ exports.up = function (db, cb) { INSERT INTO permissions (permission, display_name, type) VALUES ('UPDATE_FEATURE_STRATEGY', 'Update Feature Strategies', 'environment'); INSERT INTO permissions (permission, display_name, type) VALUES ('DELETE_FEATURE_STRATEGY', 'Delete Feature Strategies', 'environment'); INSERT INTO permissions (permission, display_name, type) VALUES ('UPDATE_FEATURE_ENVIRONMENT', 'Enable/disable Toggles in Environment', 'environment'); + INSERT INTO permissions (permission, display_name, type) VALUES ('UPDATE_FEATURE_VARIANTS', 'Create/Edit variants', 'project'); ALTER TABLE role_user ADD COLUMN project VARCHAR(255); @@ -135,7 +136,8 @@ exports.up = function (db, cb) { 'UPDATE_FEATURE', 'DELETE_FEATURE', 'UPDATE_TAG_TYPE', - 'DELETE_TAG_TYPE'); + 'DELETE_TAG_TYPE', + 'UPDATE_FEATURE_VARIANTS'); INSERT INTO role_permission (role_id, permission_id, environment) SELECT @@ -148,7 +150,8 @@ exports.up = function (db, cb) { 'DELETE_PROJECT', 'CREATE_FEATURE', 'UPDATE_FEATURE', - 'DELETE_FEATURE'); + 'DELETE_FEATURE', + 'UPDATE_FEATURE_VARIANTS'); INSERT INTO role_permission (role_id, permission_id, environment) SELECT @@ -159,7 +162,8 @@ exports.up = function (db, cb) { WHERE p.permission IN ('CREATE_FEATURE', 'UPDATE_FEATURE', - 'DELETE_FEATURE'); + 'DELETE_FEATURE', + 'UPDATE_FEATURE_VARIANTS'); INSERT INTO role_permission (role_id, permission_id, environment) SELECT 
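Review bot: Adding the `UPDATE_FEATURE_VARIANTS` row by editing 20211202120808-add-custom-roles.js in place means a database that has already applied this migration will not receive the permission, nor the three `role_permission` grants appended to the `IN (...)` lists in the later hunks of this file. Since the variant PATCH and PUT routes now require the new permission, users on such a database would presumably be denied variant edits they could make before, which fails closed but is still a regression on upgrade. If this migration has already run in any released version or shared environment, move the four additions into a new migration file with a matching delete in its `down`. It is also worth a comment next to the insert noting that this permission is typed `'project'` while the three rows above it are `'environment'`, so the difference reads as deliberate. `exports.up` starts and ends outside these hunks.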
diff --git a/src/test/e2e/services/access-service.e2e.test.ts b/src/test/e2e/services/access-service.e2e.test.ts
index aade13bc5b..9c21b47777 100644
--- a/src/test/e2e/services/access-service.e2e.test.ts
+++ b/src/test/e2e/services/access-service.e2e.test.ts
@@ -52,6 +52,7 @@ const hasCommonProjectAccess = async (user, projectName, condition) => {
 UPDATE_FEATURE_STRATEGY,
 DELETE_FEATURE_STRATEGY,
 UPDATE_FEATURE_ENVIRONMENT,
+ UPDATE_FEATURE_VARIANTS,
 } = permissions;
 expect(
 await accessService.hasPermission(user, CREATE_FEATURE, projectName),
@@ -62,6 +63,13 @@ const hasCommonProjectAccess = async (user, projectName, condition) => {
 expect(
 await accessService.hasPermission(user, DELETE_FEATURE, projectName),
 ).toBe(condition);
+ expect(
+ await accessService.hasPermission(
+ user,
+ UPDATE_FEATURE_VARIANTS,
+ projectName,
+ ),
+ ).toBe(condition);
 expect(
 await accessService.hasPermission(
 user,