RubyGems - forest_admin_agent - Versions diffs - 1.8.8 → 1.8.9 - Mend

forest_admin_agent 1.8.8 → 1.8.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/lib/forest_admin_agent/services/permissions.rb +152 -10
data/lib/forest_admin_agent/utils/schema/schema_emitter.rb +1 -1
data/lib/forest_admin_agent/version.rb +1 -1
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c2aae6ff9fe9cca589c65b4fc6c66d5636a4fcce6221381c7cf1db88a5bc6c0f
-  data.tar.gz: 1181798a55291fb7178b86e398e3bf9571b2f299bd3678d02ea561d2b746b80c
+  metadata.gz: 7b0dea02691148f9328f2e8544a53ac5bbaba9c88b5c5d88548cd232f60d7914
+  data.tar.gz: bb591c88ef30c293d9d38df74ee2a035f2c887608573a84bf64445ade3de73c1
 SHA512:
-  metadata.gz: 7feddf88c198be073a0a2abda768ed59eefee58cbc6e388798bb19915f6219ba73950d1fa77baeb8e56f9c7b89c6951c7d85906801c7cdb7c1e4c0dde1a80e2e
-  data.tar.gz: caa912666955fe5f18c056584da01fd7ba824f6d19fbe4144574269305c8343e09b79ca8e8bd90ca78cc0974051798722d3376149656ac0efcb964229605d308
+  metadata.gz: 9d8fc038e89c10096471e3978ad9dc51f3433d3f0c82bb766548bd9ad44aa99fca2d393647f5814501f1768b32e4146c952e3cb5ca49ef63315ee74ff161c90b
+  data.tar.gz: 661d0efdaedc34899c77b9e703e36bf1eb884b79931ae8ecdb53d4bc10dc6f94c48f4cc3910ce0d78da93e485ce4027d85a1f2836bc7ac6dd7ace434bc886457

data/lib/forest_admin_agent/services/permissions.rb CHANGED Viewed

@@ -41,12 +41,13 @@ module ForestAdminAgent
         user_data = get_user_data(caller.id)
         collections_data = get_collections_permissions_data(force_fetch: allow_fetch)
-        is_allowed = collections_data.key?(collection.name.to_sym) && collections_data[collection.name.to_sym][action].include?(user_data[:roleId])
+        # First check
+        is_allowed = permission_allowed?(collections_data, collection, action, user_data)
-        # Refetch
+        # Refetch if not allowed
         unless is_allowed
           collections_data = get_collections_permissions_data(force_fetch: true)
-          is_allowed = collections_data[collection.name.to_sym][action].include?(user_data[:roleId])
+          is_allowed = permission_allowed?(collections_data, collection, action, user_data)
         end
         # still not allowed - throw forbidden message
@@ -111,10 +112,13 @@ module ForestAdminAgent
         user_data = get_user_data(caller.id)
         collections_data = get_collections_permissions_data(force_fetch: allow_fetch)
         action = find_action_from_endpoint(collection.name, request[:headers]['REQUEST_PATH'], request[:headers]['REQUEST_METHOD'])
+        collection_actions = validate_smart_action_permissions(collections_data, collection, action)
         smart_action_approval = SmartActionChecker.new(
           request[:params],
           collection,
-          collections_data[collection.name.to_sym][:actions][action['name'].to_sym],
+          collection_actions[action['name'].to_sym],
           caller,
           user_data[:roleId],
           filter
@@ -125,6 +129,8 @@ module ForestAdminAgent
           'Debug',
           "User #{user_data[:roleId]} is #{"not" unless is_allowed} allowed to perform #{action["name"]}"
         )
+        is_allowed
       end
       def get_scope(collection)
@@ -170,6 +176,18 @@ module ForestAdminAgent
       private
+      def permission_allowed?(collections_data, collection, action, user_data)
+        return false unless user_data_valid?(user_data)
+        collection_key = collection.name.to_sym
+        return false unless collection_exists?(collections_data, collection_key, collection.name, user_data)
+        role_ids = get_role_ids_for_action(collections_data, collection_key, action, collection.name, user_data)
+        return false unless role_ids
+        check_user_permission(role_ids, user_data, action, collection.name)
+      end
       def get_collections_permissions_data(force_fetch: false)
         self.class.invalidate_cache('forest.collections') if force_fetch == true
@@ -251,13 +269,37 @@ module ForestAdminAgent
       end
       def decode_crud_permissions(collection)
+        # Validate structure exists
+        unless collection.is_a?(Hash) && collection.key?(:collection)
+          ForestAdminAgent::Facades::Container.logger.log(
+            'Error',
+            'Invalid permissions data structure: missing :collection key. ' \
+            "Available keys: #{collection.is_a?(Hash) ? collection.keys.join(", ") : "N/A (not a hash)"}. " \
+            'This indicates an API contract violation or data corruption.'
+          )
+          raise ForestException, 'Invalid permission data structure received from Forest Admin API'
+        end
+        collection_data = collection[:collection]
+        unless collection_data.is_a?(Hash)
+          ForestAdminAgent::Facades::Container.logger.log(
+            'Error',
+            "Invalid permissions data: :collection is not a hash (got #{collection_data.class}). " \
+            'This indicates an API contract violation or data corruption.'
+          )
+          raise ForestException, 'Invalid permission data structure: :collection must be a hash'
+        end
+        # Use dig to safely extract roles, allowing for missing permissions
+        # Missing permissions will result in nil values which are handled by permission_allowed?
         {
-          browse: collection[:collection][:browseEnabled][:roles],
-          read: collection[:collection][:readEnabled][:roles],
-          edit: collection[:collection][:editEnabled][:roles],
-          add: collection[:collection][:addEnabled][:roles],
-          delete: collection[:collection][:deleteEnabled][:roles],
-          export: collection[:collection][:exportEnabled][:roles]
+          browse: collection_data.dig(:browseEnabled, :roles),
+          read: collection_data.dig(:readEnabled, :roles),
+          edit: collection_data.dig(:editEnabled, :roles),
+          add: collection_data.dig(:addEnabled, :roles),
+          delete: collection_data.dig(:deleteEnabled, :roles),
+          export: collection_data.dig(:exportEnabled, :roles)
         }
       end
@@ -315,6 +357,106 @@ module ForestAdminAgent
       rescue StandardError => e
         forest_api.handle_response_error(e)
       end
+      def user_data_valid?(user_data)
+        return true if user_data&.key?(:roleId)
+        ForestAdminAgent::Facades::Container.logger.log(
+          'Error',
+          "Invalid user data: user_data is #{user_data.nil? ? "nil" : "missing :roleId key"}. " \
+          'This indicates a session or authentication issue.'
+        )
+        false
+      end
+      def collection_exists?(collections_data, collection_key, collection_name, user_data)
+        return true if collections_data.key?(collection_key)
+        available = collections_data.keys.join(', ')
+        ForestAdminAgent::Facades::Container.logger.log(
+          'Warn',
+          "Collection '#{collection_name}' not found in permissions " \
+          "(user_id: #{user_data[:id]}, role_id: #{user_data[:roleId]}). " \
+          "Available: #{available.empty? ? "none" : available}. " \
+          'This may indicate a configuration mismatch or timing issue during permission refresh.'
+        )
+        false
+      end
+      def get_role_ids_for_action(collections_data, collection_key, action, collection_name, user_data)
+        collection_permissions = collections_data[collection_key]
+        role_ids = collection_permissions[action]
+        if role_ids.nil?
+          available = collection_permissions.compact.keys.join(', ')
+          ForestAdminAgent::Facades::Container.logger.log(
+            'Warn',
+            "Action '#{action}' not found for collection '#{collection_name}' " \
+            "(user_id: #{user_data[:id]}, role_id: #{user_data[:roleId]}). " \
+            "Available actions: #{available.empty? ? "none" : available}. " \
+            'This may indicate a permission schema change or misconfiguration.'
+          )
+          return nil
+        end
+        unless role_ids.is_a?(Array)
+          ForestAdminAgent::Facades::Container.logger.log(
+            'Error',
+            "Invalid permission data: roles for action '#{action}' in collection '#{collection_name}' " \
+            "is not an array (got #{role_ids.class}). This indicates data corruption."
+          )
+          return nil
+        end
+        role_ids
+      end
+      def check_user_permission(role_ids, user_data, action, collection_name)
+        has_permission = role_ids.include?(user_data[:roleId])
+        unless has_permission
+          ForestAdminAgent::Facades::Container.logger.log(
+            'Debug',
+            "Permission denied: User #{user_data[:id]} (role #{user_data[:roleId]}) " \
+            "lacks permission to #{action} collection '#{collection_name}'. " \
+            "Required roles: #{role_ids.join(", ")}"
+          )
+        end
+        has_permission
+      end
+      def validate_smart_action_permissions(collections_data, collection, action)
+        collection_key = collection.name.to_sym
+        unless collections_data.key?(collection_key)
+          ForestAdminAgent::Facades::Container.logger.log(
+            'Warn',
+            "Smart action check: Collection '#{collection.name}' not found in permissions"
+          )
+          raise ForbiddenError, "Collection '#{collection.name}' not found in permissions"
+        end
+        collection_actions = collections_data[collection_key][:actions]
+        if collection_actions.nil?
+          ForestAdminAgent::Facades::Container.logger.log(
+            'Warn',
+            "Smart action check: No actions configured for collection '#{collection.name}'"
+          )
+          raise ForbiddenError, "No actions configured for collection '#{collection.name}'"
+        end
+        action_key = action['name'].to_sym
+        unless collection_actions.key?(action_key)
+          ForestAdminAgent::Facades::Container.logger.log(
+            'Warn',
+            "Smart action '#{action["name"]}' not found in permissions for collection '#{collection.name}'"
+          )
+          raise ForbiddenError, "Smart action '#{action["name"]}' is not configured"
+        end
+        collection_actions
+      end
     end
   end
 end

data/lib/forest_admin_agent/utils/schema/schema_emitter.rb CHANGED Viewed

@@ -6,7 +6,7 @@ module ForestAdminAgent
     module Schema
       class SchemaEmitter
         LIANA_NAME = "agent-ruby"
-        LIANA_VERSION = "1.8.8"
+        LIANA_VERSION = "1.8.9"
         def self.generate(datasource)
           datasource.collections

data/lib/forest_admin_agent/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module ForestAdminAgent
-  VERSION = "1.8.8"
+  VERSION = "1.8.9"
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: forest_admin_agent
 version: !ruby/object:Gem::Version
-  version: 1.8.8
+  version: 1.8.9
 platform: ruby
 authors:
 - Matthieu