Move adminGroups to category level for better access control

mattburchett · mattburchett · commit 4898062c3faa · 2025-12-27T07:00:40.000Z
- adminGroups now defined at category level instead of per-app
- Users in adminGroups see ALL apps in that category
- Simplifies configuration and makes admin override more intuitive
- Update TypeScript interfaces and validation schema
- Update README with corrected examples
diff --git a/README.md b/README.md
@@ -331,31 +331,32 @@ docker-compose -f docker-compose.prod.yml up -d
 
 **Restricted Apps (Groups Specified)**
 ```yaml
-- id: "sonarr"
-  name: "Sonarr"
-  url: "https://sonarr.example.com"
-  icon: "fa-satellite-dish"
-  groups: ["media-power-users"]  # Only these users see it
+- id: "grafana"
+  name: "Grafana"
+  url: "https://grafana.example.com"
+  icon: "fa-chart-bar"
+  groups: ["/monitoring-viewers"]  # Only these users see it
 ```
 
 **Admin Override**
 
-Define `adminGroups` to give users access to ALL apps in a category:
+Define `adminGroups` at the category level to give users access to ALL apps in that category:
 
 ```yaml
 categories:
-  media:
+  monitoring:
+    name: "Monitoring"
+    adminGroups:
+      - "/monitoring-admins"  # Users in this group see ALL Monitoring apps
     apps:
-      - id: "plex"
-        groups: ["media-users"]
-        adminGroups: ["media-admins"]  # Admins see ALL Media apps
+      - id: "grafana"
+        groups: ["/monitoring-viewers"]
 
-      - id: "sonarr"
-        groups: ["media-power-users"]
-        adminGroups: ["media-admins"]  # Same admin group = sees everything
+      - id: "prometheus"
+        groups: ["/monitoring-power-users"]
 ```
 
-If a user is in `media-admins`, they see Plex, Sonarr, and ALL other apps in the Media category, regardless of individual `groups` settings.
+If a user is in `/monitoring-admins`, they see Grafana, Prometheus, and ALL other apps in the Monitoring category, regardless of individual app `groups` settings.
 
 ### Category Visibility
 
diff --git a/backend/src/services/apps.service.ts b/backend/src/services/apps.service.ts
@@ -5,9 +5,9 @@ import logger from '../utils/logger';
 export class AppsService {
   /**
    * Get all apps accessible to a user based on their groups
-   * - If app has NO groups/adminGroups: accessible to everyone (public)
+   * - If app has NO groups: accessible to everyone (public)
    * - If app has groups: user must be in one of those groups
-   * - If user is admin for ANY app in category: sees ALL apps in that category
+   * - If user is admin of category: sees ALL apps in that category
    */
   getAppsForUser(userGroups: string[]): CategoryWithApps[] {
     logger.debug('Filtering apps for user', {
@@ -26,7 +26,7 @@ export class AppsService {
       }
 
       const isAdminOfCategory = this.isUserAdminOfCategory(
-        categoryData.apps,
+        categoryData.adminGroups,
         userGroups
       );
 
@@ -66,20 +66,16 @@ export class AppsService {
   }
 
   /**
-   * Check if user is admin for ANY app in the given category
+   * Check if user is admin of the given category
    */
   private isUserAdminOfCategory(
-    apps: Application[],
+    adminGroups: string[] | undefined,
     userGroups: string[]
   ): boolean {
-    return apps.some((app) => {
-      if (!app.adminGroups || app.adminGroups.length === 0) {
-        return false;
-      }
-      return app.adminGroups.some((adminGroup) =>
-        userGroups.includes(adminGroup)
-      );
-    });
+    if (!adminGroups || adminGroups.length === 0) {
+      return false;
+    }
+    return adminGroups.some((adminGroup) => userGroups.includes(adminGroup));
   }
 
   /**
diff --git a/backend/src/services/config.service.ts b/backend/src/services/config.service.ts
@@ -15,6 +15,7 @@ const configSchema = Joi.object({
         icon: Joi.string().required(),
         order: Joi.number().required(),
         description: Joi.string(),
+        adminGroups: Joi.array().items(Joi.string()),
         apps: Joi.array()
           .items(
             Joi.object({
@@ -24,7 +25,6 @@ const configSchema = Joi.object({
               url: Joi.string().uri().required(),
               icon: Joi.string().required(),
               groups: Joi.array().items(Joi.string()),
-              adminGroups: Joi.array().items(Joi.string()),
               external: Joi.boolean(),
             })
           )
diff --git a/backend/src/types/config.types.ts b/backend/src/types/config.types.ts
@@ -5,7 +5,6 @@ export interface Application {
   url: string;
   icon: string;
   groups?: string[];
-  adminGroups?: string[];
   external?: boolean;
 }
 
@@ -14,6 +13,7 @@ export interface CategoryData {
   icon: string;
   order: number;
   description?: string;
+  adminGroups?: string[];
   apps: Application[];
 }
 
diff --git a/config/apps.yaml.example b/config/apps.yaml.example
@@ -1,14 +1,17 @@
 # Application Directory Configuration
 # Hierarchical category-based application structure
-# If groups/adminGroups are not specified, the app is accessible to all authenticated users
+# If groups are not specified on an app, it is accessible to all authenticated users
 # Keycloak groups have a leading slash (e.g., /grafana-admin)
+# adminGroups at category level grant access to ALL apps in that category
 
 categories:
   media:
     name: "Media & Entertainment"
     icon: "fa-film"
     order: 1
     description: "Streaming and media management"
+    adminGroups:
+      - "/media-admin"
     apps:
       - id: "plex"
         name: "Plex"
@@ -24,14 +27,14 @@ categories:
         icon: "fa-tv"
         groups:
           - "/media-users"
-        adminGroups:
-          - "/media-admin"
 
   productivity:
     name: "Productivity"
     icon: "fa-briefcase"
     order: 2
     description: "Productivity and collaboration tools"
+    adminGroups:
+      - "/productivity-admin"
     apps:
       - id: "nextcloud"
         name: "Nextcloud"
@@ -40,14 +43,14 @@ categories:
         icon: "fa-cloud"
         groups:
           - "/nextcloud-users"
-        adminGroups:
-          - "/nextcloud-admin"
 
   monitoring:
     name: "Monitoring"
     icon: "fa-chart-line"
     order: 3
     description: "Monitoring and observability"
+    adminGroups:
+      - "/grafana-admin"
     apps:
       - id: "grafana"
         name: "Grafana"
@@ -57,8 +60,6 @@ categories:
         groups:
           - "/grafana-viewer"
           - "/grafana-editor"
-        adminGroups:
-          - "/grafana-admin"
 
   development:
     name: "Development"
@@ -91,6 +92,8 @@ categories:
     icon: "fa-screwdriver-wrench"
     order: 6
     description: "Administrative tools"
+    adminGroups:
+      - "/sysadmins"
     apps:
       - id: "portainer"
         name: "Portainer"
@@ -99,5 +102,3 @@ categories:
         icon: "fa-docker"
         groups:
           - "/sysadmins"
-        adminGroups:
-          - "/sysadmins"

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,6 @@ export interface Application {`
`5`	`5`	`url: string;`
`6`	`6`	`icon: string;`
`7`	`7`	`groups?: string[];`
`8`		`- adminGroups?: string[];`
`9`	`8`	`external?: boolean;`
`10`	`9`	`}`
`11`	`10`
`@@ -14,6 +13,7 @@ export interface CategoryData {`
`14`	`13`	`icon: string;`
`15`	`14`	`order: number;`
`16`	`15`	`description?: string;`
	`16`	`+ adminGroups?: string[];`
`17`	`17`	`apps: Application[];`
`18`	`18`	`}`
`19`	`19`