devtron-labs
diff --git a/‎api/user/UserRestHandler.go‎
Lines changed: 7 additions & 6 deletions b/‎api/user/UserRestHandler.go‎
Lines changed: 7 additions & 6 deletions
diff --git a/‎pkg/user/UserService.go‎
Lines changed: 36 additions & 28 deletions b/‎pkg/user/UserService.go‎
Lines changed: 36 additions & 28 deletions
@@ -165,7 +165,7 @@ func (handler UserRestHandlerImpl) CreateUser(w http.ResponseWriter, r *http.Req
 		return
 	}
 
-	res, err := handler.userService.CreateUser(&userInfo, token, handler.checkManagerAuth)
+	res, err := handler.userService.CreateUser(&userInfo, token, handler.CheckManagerAuth)
 	if err != nil {
 		handler.logger.Errorw("service err, CreateUser", "err", err, "payload", userInfo)
 		if _, ok := err.(*util.ApiError); ok {
@@ -214,7 +214,7 @@ func (handler UserRestHandlerImpl) UpdateUser(w http.ResponseWriter, r *http.Req
 		userInfo.EmailId = "admin"
 	}
 
-	res, rolesChanged, restrictedGroups, err := handler.userService.UpdateUser(&userInfo, token, handler.checkManagerAuth)
+	res, rolesChanged, groupsModified, restrictedGroups, err := handler.userService.UpdateUser(&userInfo, token, handler.CheckManagerAuth)
 
 	if err != nil {
 		handler.logger.Errorw("service err, UpdateUser", "err", err, "payload", userInfo)
@@ -227,9 +227,9 @@ func (handler UserRestHandlerImpl) UpdateUser(w http.ResponseWriter, r *http.Req
 	} else {
 		groups := strings.Join(restrictedGroups, ", ")
 
-		if len(restrictedGroups) == len(userInfo.Groups) {
+		if len(restrictedGroups) >= len(userInfo.Groups) {
 
-			if rolesChanged {
+			if rolesChanged || groupsModified {
 				// warning
 				message := fmt.Errorf("User permissions updated partially. " + groups + " could not be modified. You do not have manager permission for some or all projects in these groups.")
 				common.WriteJsonResp(w, message, nil, http.StatusExpectationFailed)
@@ -568,7 +568,7 @@ func (handler UserRestHandlerImpl) UpdateRoleGroup(w http.ResponseWriter, r *htt
 		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
 		return
 	}
-	res, err := handler.roleGroupService.UpdateRoleGroup(&request, token, handler.checkManagerAuth)
+	res, err := handler.roleGroupService.UpdateRoleGroup(&request, token, handler.CheckManagerAuth)
 	if err != nil {
 		handler.logger.Errorw("service err, UpdateRoleGroup", "err", err, "payload", request)
 		common.WriteJsonResp(w, err, "", http.StatusInternalServerError)
@@ -806,9 +806,10 @@ func (handler UserRestHandlerImpl) InvalidateRoleCache(w http.ResponseWriter, r
 
 }
 
-func (handler UserRestHandlerImpl) checkManagerAuth(token string, object string) bool {
+func (handler UserRestHandlerImpl) CheckManagerAuth(token string, object string) bool {
 	if ok := handler.enforcer.Enforce(token, casbin.ResourceUser, casbin.ActionUpdate, strings.ToLower(object)); !ok {
 		return false
 	}
 	return true
+
 }
@@ -38,7 +38,7 @@ import (
 type UserService interface {
 	CreateUser(userInfo *bean.UserInfo, token string, managerAuth func(token string, object string) bool) ([]*bean.UserInfo, error)
 	SelfRegisterUserIfNotExists(userInfo *bean.UserInfo) ([]*bean.UserInfo, error)
-	UpdateUser(userInfo *bean.UserInfo, token string, managerAuth func(token string, object string) bool) (*bean.UserInfo, bool, []string, error)
+	UpdateUser(userInfo *bean.UserInfo, token string, managerAuth func(token string, object string) bool) (*bean.UserInfo, bool, bool, []string, error)
 	GetById(id int32) (*bean.UserInfo, error)
 	GetAll() ([]bean.UserInfo, error)
 	GetAllDetailedUsers() ([]bean.UserInfo, error)
@@ -268,7 +268,7 @@ func (impl UserServiceImpl) updateUserIfExists(userInfo *bean.UserInfo, dbUser *
 	updateUserInfo.Groups = impl.mergeGroups(updateUserInfo.Groups, userInfo.Groups)
 	updateUserInfo.UserId = userInfo.UserId
 	updateUserInfo.EmailId = emailId // override case sensitivity
-	updateUserInfo, _, _, err = impl.UpdateUser(updateUserInfo, token, managerAuth)
+	updateUserInfo, _, _, _, err = impl.UpdateUser(updateUserInfo, token, managerAuth)
 	if err != nil {
 		impl.logger.Errorw("error while update user", "error", err)
 		return nil, err
@@ -499,49 +499,50 @@ func (impl UserServiceImpl) mergeGroups(oldGroups []string, newGroups []string)
 	return groups
 }
 
-func (impl UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, managerAuth func(token string, object string) bool) (*bean.UserInfo, bool, []string, error) {
+func (impl UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, managerAuth func(token string, object string) bool) (*bean.UserInfo, bool, bool, []string, error) {
 	//validating if action user is not admin and trying to update user who has super admin polices, return 403
 	isUserSuperAdmin, err := impl.IsSuperAdmin(int(userInfo.Id))
 	if err != nil {
-		return nil, false, nil, err
+		return nil, false, false, nil, err
 	}
 	isActionPerformingUserSuperAdmin, err := impl.IsSuperAdmin(int(userInfo.UserId))
 	if err != nil {
-		return nil, false, nil, err
+		return nil, false, false, nil, err
 	}
 	//if request comes to make user as a super admin or user already a super admin (who'is going to be updated), action performing user should have super admin access
 	if userInfo.SuperAdmin || isUserSuperAdmin {
 		if !isActionPerformingUserSuperAdmin {
 			err = &util.ApiError{HttpStatusCode: http.StatusForbidden, UserMessage: "Invalid request, not allow to update super admin type user"}
-			return nil, false, nil, err
+			return nil, false, false, nil, err
 		}
 	}
 
 	dbConnection := impl.userRepository.GetConnection()
 	tx, err := dbConnection.Begin()
 	if err != nil {
-		return nil, false, nil, err
+		return nil, false, false, nil, err
 	}
 	// Rollback tx on error.
 	defer tx.Rollback()
 
 	model, err := impl.userRepository.GetByIdIncludeDeleted(userInfo.Id)
 	if err != nil {
 		impl.logger.Errorw("error while fetching user from db", "error", err)
-		return nil, false, nil, err
+		return nil, false, false, nil, err
 	}
 
 	var addedPolicies []casbin2.Policy
 	var eliminatedPolicies []casbin2.Policy
 
 	restrictedGroups := []string{}
 	rolesChanged := false
+	groupsModified := false
 
 	if userInfo.SuperAdmin == false {
 		//Starts Role and Mapping
 		userRoleModels, err := impl.userAuthRepository.GetUserRoleMappingByUserId(model.Id)
 		if err != nil {
-			return nil, false, nil, err
+			return nil, false, false, nil, err
 		}
 		existingRoleIds := make(map[int]repository2.UserRoleModel)
 		eliminatedRoleIds := make(map[int]*repository2.UserRoleModel)
@@ -554,13 +555,13 @@ func (impl UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, ma
 		_, err = impl.validateUserRequest(userInfo)
 		if err != nil {
 			err = &util.ApiError{HttpStatusCode: http.StatusBadRequest, UserMessage: "Invalid request, please provide role filters"}
-			return nil, false, nil, err
+			return nil, false, false, nil, err
 		}
 
 		// DELETE Removed Items
 		items, err := impl.userCommonService.RemoveRolesAndReturnEliminatedPolicies(userInfo, existingRoleIds, eliminatedRoleIds, tx, token, managerAuth)
 		if err != nil {
-			return nil, false, nil, err
+			return nil, false, false, nil, err
 		}
 		eliminatedPolicies = append(eliminatedPolicies, items...)
 		if len(eliminatedPolicies) > 0 {
@@ -597,7 +598,7 @@ func (impl UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, ma
 					roleModel, err := impl.userAuthRepository.GetRoleByFilter(roleFilter.Entity, roleFilter.Team, entityName, environment, roleFilter.Action, roleFilter.AccessType)
 					if err != nil {
 						impl.logger.Errorw("Error in fetching role by filter", "user", userInfo)
-						return nil, false, nil, err
+						return nil, false, false, nil, err
 					}
 					if roleModel.Id == 0 {
 						impl.logger.Debugw("no role found for given filter", "filter", roleFilter)
@@ -607,18 +608,18 @@ func (impl UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, ma
 							if roleFilter.AccessType == bean.APP_ACCESS_TYPE_HELM {
 								flag, err := impl.userAuthRepository.CreateDefaultHelmPolicies(roleFilter.Team, entityName, environment, tx)
 								if err != nil || flag == false {
-									return nil, false, nil, err
+									return nil, false, false, nil, err
 								}
 							} else {
 								flag, err := impl.userAuthRepository.CreateDefaultPolicies(roleFilter.Team, entityName, environment, tx)
 								if err != nil || flag == false {
-									return nil, false, nil, err
+									return nil, false, false, nil, err
 								}
 							}
 							roleModel, err = impl.userAuthRepository.GetRoleByFilter(roleFilter.Entity, roleFilter.Team, entityName, environment, roleFilter.Action, roleFilter.AccessType)
 							if err != nil {
 								impl.logger.Errorw("Error in fetching role by filter", "user", userInfo)
-								return nil, false, nil, err
+								return nil, false, false, nil, err
 							}
 							if roleModel.Id == 0 {
 								impl.logger.Debugw("no role found for given filter", "filter", roleFilter)
@@ -628,12 +629,12 @@ func (impl UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, ma
 						} else if len(roleFilter.Entity) > 0 {
 							flag, err := impl.userAuthRepository.CreateDefaultPoliciesForGlobalEntity(roleFilter.Entity, entityName, roleFilter.Action, tx)
 							if err != nil || flag == false {
-								return nil, false, nil, err
+								return nil, false, false, nil, err
 							}
 							roleModel, err = impl.userAuthRepository.GetRoleByFilter(roleFilter.Entity, roleFilter.Team, entityName, environment, roleFilter.Action, roleFilter.AccessType)
 							if err != nil {
 								impl.logger.Errorw("Error in fetching role by filter", "user", userInfo)
-								return nil, false, nil, err
+								return nil, false, false, nil, err
 							}
 							if roleModel.Id == 0 {
 								impl.logger.Debugw("no role found for given filter", "filter", roleFilter)
@@ -657,7 +658,7 @@ func (impl UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, ma
 							userRoleModel.UpdatedOn = time.Now()
 							userRoleModel, err = impl.userAuthRepository.CreateUserRoleMapping(userRoleModel, tx)
 							if err != nil {
-								return nil, false, nil, err
+								return nil, false, false, nil, err
 							}
 							addedPolicies = append(addedPolicies, casbin2.Policy{Type: "g", Sub: casbin2.Subject(model.EmailId), Obj: casbin2.Object(roleModel.Role)})
 						}
@@ -672,7 +673,7 @@ func (impl UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, ma
 		userCasbinRoles, err := impl.CheckUserRoles(userInfo.Id)
 
 		if err != nil {
-			return nil, false, nil, err
+			return nil, false, false, nil, err
 		}
 		for _, oldItem := range userCasbinRoles {
 			oldGroupMap[oldItem] = oldItem
@@ -681,28 +682,35 @@ func (impl UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, ma
 		for _, item := range userInfo.Groups {
 			userGroup, err := impl.roleGroupRepository.GetRoleGroupByName(item)
 			if err != nil {
-				return nil, false, nil, err
+				return nil, false, false, nil, err
 			}
 			newGroupMap[userGroup.CasbinName] = userGroup.CasbinName
 			if _, ok := oldGroupMap[userGroup.CasbinName]; !ok {
 				//check permission for new group which is going to add
 				hasAccessToGroup := impl.checkGroupAuth(userGroup.CasbinName, token, managerAuth, isActionPerformingUserSuperAdmin)
 				if hasAccessToGroup {
+					groupsModified = true
 					addedPolicies = append(addedPolicies, casbin2.Policy{Type: "g", Sub: casbin2.Subject(userInfo.EmailId), Obj: casbin2.Object(userGroup.CasbinName)})
 				} else {
-					restrictedGroups = append(restrictedGroups, item)
+					trimmedGroup := strings.TrimPrefix(item, "group:")
+					restrictedGroups = append(restrictedGroups, trimmedGroup)
 				}
 			}
 		}
+
 		for _, item := range userCasbinRoles {
 			if _, ok := newGroupMap[item]; !ok {
 				if item != bean.SUPERADMIN {
 					//check permission for group which is going to eliminate
 					hasAccessToGroup := impl.checkGroupAuth(item, token, managerAuth, isActionPerformingUserSuperAdmin)
 					if hasAccessToGroup {
+						if strings.HasPrefix(item, "group:") {
+							groupsModified = true
+						}
 						eliminatedPolicies = append(eliminatedPolicies, casbin2.Policy{Type: "g", Sub: casbin2.Subject(userInfo.EmailId), Obj: casbin2.Object(item)})
 					} else {
-						restrictedGroups = append(restrictedGroups, item)
+						trimmedGroup := strings.TrimPrefix(item, "group:")
+						restrictedGroups = append(restrictedGroups, trimmedGroup)
 					}
 				}
 			}
@@ -712,18 +720,18 @@ func (impl UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, ma
 	} else if userInfo.SuperAdmin == true {
 		flag, err := impl.userAuthRepository.CreateRoleForSuperAdminIfNotExists(tx)
 		if err != nil || flag == false {
-			return nil, false, nil, err
+			return nil, false, false, nil, err
 		}
 		roleModel, err := impl.userAuthRepository.GetRoleByFilter("", "", "", "", "super-admin", "")
 		if err != nil {
 			impl.logger.Errorw("Error in fetching role by filter", "user", userInfo)
-			return nil, false, nil, err
+			return nil, false, false, nil, err
 		}
 		if roleModel.Id > 0 {
 			userRoleModel := &repository2.UserRoleModel{UserId: model.Id, RoleId: roleModel.Id}
 			userRoleModel, err = impl.userAuthRepository.CreateUserRoleMapping(userRoleModel, tx)
 			if err != nil {
-				return nil, false, nil, err
+				return nil, false, false, nil, err
 			}
 			addedPolicies = append(addedPolicies, casbin2.Policy{Type: "g", Sub: casbin2.Subject(model.EmailId), Obj: casbin2.Object(roleModel.Role)})
 		}
@@ -747,14 +755,14 @@ func (impl UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, ma
 	model, err = impl.userRepository.UpdateUser(model, tx)
 	if err != nil {
 		impl.logger.Errorw("error while fetching user from db", "error", err)
-		return nil, false, nil, err
+		return nil, false, false, nil, err
 	}
 	err = tx.Commit()
 	if err != nil {
-		return nil, false, nil, err
+		return nil, false, false, nil, err
 	}
 
-	return userInfo, rolesChanged, restrictedGroups, nil
+	return userInfo, rolesChanged, groupsModified, restrictedGroups, nil
 }
 
 func (impl UserServiceImpl) GetById(id int32) (*bean.UserInfo, error) {