Revert "CV2-6604: Remove global keys permission (#2379)"

This reverts commit 43fe1ce.

Author: melsawy

app/controllers/api/v1/admin_controller.rb

@@ -6,6 +6,7 @@ def slack_user
     user = User.find_with_omniauth(params[:uid].to_s, 'slack')
     slack_account = user.accounts.where(provider: 'slack').first unless user.nil?
     user = { token: slack_account.token } unless slack_account.nil?
+    user = nil unless @key.bot_user.nil? # Allow global API keys only
     render_user user, 'slack_uid'
   end
 

app/controllers/api/v1/base_api_controller.rb

@@ -86,7 +86,7 @@ def render_user(user = nil, source = nil)
       def authenticate_from_token!
         header = CheckConfig.get('authorization_header', 'X-Token')
         token = request.headers[header]
-        @key = ApiKey.where(access_token: token).where('expire_at > ?', Time.now).first
+        @key = ApiKey.where(access_token: token).where('expire_at > ?', Time.now).last
         (render_unauthorized and return false) if @key.nil?
       end
 
@@ -102,7 +102,7 @@ def authenticate_user
       def identify_user(mandatory)
         header = CheckConfig.get('authorization_header', 'X-Token')
         token = request.headers[header].to_s
-        key = ApiKey.where(access_token: token).where('expire_at > ?', Time.now).first
+        key = ApiKey.where(access_token: token).where('expire_at > ?', Time.now).last
         if key.nil?
           ApiKey.current = nil
           user = User.find_with_token(token)

app/controllers/test_controller.rb

@@ -28,8 +28,9 @@ def install_bot
     team = Team.where(slug: params[:slug]).last
     login = params[:bot]
     settings = begin JSON.parse(params[:settings]) rescue params[:settings].to_h end
-    bot = BotUser.find_by_login(login) || BotUser.create!(team_author_id: team.id, login: login, name: login.capitalize, settings: { approved: true })
-    team_user = bot.team_users.first
+    bot = BotUser.find_by_login(login) || BotUser.create!(login: login, name: login.capitalize, settings: { approved: true })
+    team_user = bot.install_to!(team)
+    team_user = TeamUser.find(team_user.id)
     team_user.settings = team_user.settings.merge(settings)
     team_user.save!
     render_success 'team', team.reload

app/graph/types/query_type.rb

@@ -159,16 +159,32 @@ def search(query:)
     CheckSearch.new(query, context[:file], team&.id)
   end
 
-  field :dynamic_annotation_field, DynamicAnnotationFieldType, null: true, deprecation_reason: "The field is deprecated" do
+  field :dynamic_annotation_field, DynamicAnnotationFieldType, null: true do
     argument :query, GraphQL::Types::String, required: true
     argument :only_cache, GraphQL::Types::Boolean, required: false, camelize: false
   end
 
   def dynamic_annotation_field(query:, only_cache: nil)
-    # This field was previously used to query DynamicAnnotation::Field for the Check Slack Bot integration.
-    # It was not used by Check itself and required global permissions to read the field across all teams.
-    # So, I removed the global permission and updated the callback to return nil to avoid breaking the Check Slack Bot integration.
-    nil
+    ability = context[:ability] || Ability.new
+    if ability.can?(:find_by_json_fields, DynamicAnnotation::Field.new)
+      cache_key =
+        "dynamic-annotation-field-" + Digest::MD5.hexdigest(query)
+      obj = nil
+      if Rails.cache.read(cache_key) || only_cache
+        obj =
+          DynamicAnnotation::Field.where(
+            id: Rails.cache.read(cache_key).to_i
+          ).last
+      else
+        query = JSON.parse(query)
+        json = query.delete("json")
+        obj = DynamicAnnotation::Field.where(query)
+        obj = obj.find_in_json(json) unless json.blank?
+        obj = obj.last
+        Rails.cache.write(cache_key, obj&.id)
+      end
+      obj
+    end
   end
 
   field :feed_invitation, FeedInvitationType, description: 'Information about a feed invitation, given its database ID or feed database ID (and then the current user email is used)', null: true do

app/models/ability.rb

@@ -12,6 +12,9 @@ def initialize(user = nil, team = nil)
       global_admin_perms
     else
       extra_perms_for_all_users
+      if !@api_key.nil? && !@user.id
+        global_api_key_perms
+      end
       if @user.id
         authenticated_perms
       end
@@ -24,7 +27,7 @@ def initialize(user = nil, team = nil)
       if @user.role?(:admin, @context_team)
         admin_perms
       end
-      unless @api_key.nil? || @api_key.team_id.nil?
+      unless @api_key.nil?
         api_key_perms
       end
       Workflow::Workflow.workflows.each do |w|
@@ -40,14 +43,14 @@ def api_key_perms
     cannot [:create, :destroy], Team
     cannot :cud, User
     cannot :cud, TeamUser
-    can :read, [FactCheck, ClaimDescription] do |obj|
-      obj.team.present? && obj.team == @api_key.team
-    end
     can :update, User, :id => @user.id
     can :update, BotUser, :id => @user.id
-    can :update, [Dynamic, DynamicAnnotation::Field], ['annotation_type = ?', 'smooch_user'] do |obj|
-      obj.team.present? && obj.team == @api_key.team
-    end
+  end
+
+  def global_api_key_perms
+    can :read, :all
+    can :find_by_json_fields, DynamicAnnotation::Field
+    can :update, [Dynamic, DynamicAnnotation::Field], annotation_type: 'smooch_user'
   end
 
   def admin_perms

app/models/api_key.rb

@@ -2,19 +2,17 @@ class Check::TooManyRequestsError < StandardError
 end
 
 class ApiKey < ApplicationRecord
-  attr_accessor :skip_create_bot_user
-
   belongs_to :team, optional: true
   belongs_to :user, optional: true
 
-  validates_presence_of :access_token, :expire_at, :team
+  validates_presence_of :access_token, :expire_at
   validates_uniqueness_of :access_token
   validates :title, uniqueness: { scope: :team }
 
   before_validation :generate_access_token, on: :create
   before_validation :calculate_expiration_date, on: :create
   before_validation :set_user_and_team
-  after_create :create_bot_user, unless: proc { |key| key.skip_create_bot_user }
+  after_create :create_bot_user
 
   validate :validate_team_api_keys_limit, on: :create
 
@@ -65,8 +63,8 @@ def delete_bot_user
   end
 
   def set_user_and_team
-    self.user ||= User.current
-    self.team ||= Team.current
+    self.user = User.current unless User.current.nil?
+    self.team = Team.current unless Team.current.nil?
   end
 
   def calculate_expiration_date

app/models/bot_user.rb

@@ -439,12 +439,10 @@ def set_default_identifier
   def create_api_key
     if self.api_key_id.blank?
       api_key = ApiKey.new(bot_user: self)
-      api_key.team_id = self.team_author_id
       api_key.skip_check_ability = true
       api_key.title = self.name
       api_key.save!
       api_key.expire_at = api_key.expire_at.since(100.years)
-      api_key.skip_create_bot_user = true
       api_key.save!
       self.api_key_id = api_key.id
     end
@@ -472,7 +470,7 @@ def set_default_version
   end
 
   def set_default_team_author_id
-    self.team_author_id ||= Team.current&.id
+    self.team_author_id = Team.current&.id if self.team_author_id.blank?
   end
 
   def self.get_user(login)

db/migrate/20251215082146_add_not_null_constraint_to_api_keys_team_id.rb

@@ -195,7 +195,7 @@
     t.string "access_token", default: "", null: false
     t.string "title"
     t.integer "user_id"
-    t.integer "team_id", null: false
+    t.integer "team_id"
     t.datetime "expire_at"
     t.jsonb "rate_limits", default: {}
     t.string "application"

db/schema.rb

@@ -11501,7 +11501,7 @@ type Query {
   Information about the bot_user with given id
   """
   bot_user(id: ID!): BotUser
-  dynamic_annotation_field(only_cache: Boolean, query: String!): DynamicAnnotationField @deprecated(reason: "The field is deprecated")
+  dynamic_annotation_field(only_cache: Boolean, query: String!): DynamicAnnotationField
 
   """
   Information about the explainer with given id