Fix merge conflicts between stable and develop

Author: ogenstad

CHANGELOG.md

@@ -11,6 +11,28 @@ This project uses [*towncrier*](https://towncrier.readthedocs.io/) and the chang
 
 <!-- towncrier release notes start -->
 
+## [Infrahub - v1.1.7](https://github.com/opsmill/infrahub/tree/infrahub-v1.1.7) - 2025-02-18
+
+### Added
+
+- Data diffs are loaded in sequential batches for faster performance with large changes.
+- The diff tree and diff list can now be scrolled independently.
+
+### Changed
+
+- Modified node mutation events to not send metadata properties as part of the mutation payload. The reason is that the property lookup was time consuming. This information will return again in Infrahub 1.2 with a completely updated format. ([#5664](https://github.com/opsmill/infrahub/issues/5664))
+
+### Fixed
+
+- Fix nodes remaining in the database after a create mutation fails when using pools. ([#4303](https://github.com/opsmill/infrahub/issues/4303))
+- Modify the query for the current tasks, ensuring the correct determination of the merge button state. ([#5565](https://github.com/opsmill/infrahub/issues/5565))
+- Fix Docker `task-manager-db` PostgreSQL health check test by adding database and user parameters. ([#5739](https://github.com/opsmill/infrahub/issues/5739))
+- Fixed issue causing a gap in menu sidebar when text is too long.
+- Prevent avatar from being cut off in menu sidebar.
+- Enforce permission checks when using relationship add or delete mutation.
+- Enhance the data integrity checks UI to enable navigation from the check to the diff view.
+- Improved performance when updating an existing diff.
+
 ## [Infrahub - v1.1.6](https://github.com/opsmill/infrahub/tree/infrahub-v1.1.6) - 2025-01-30
 
 ### Artifact improvements

backend/infrahub/graphql/mutations/relationship.py

@@ -7,8 +7,15 @@
 from infrahub_sdk.utils import compare_lists
 
 from infrahub import config
+from infrahub.core.account import GlobalPermission, ObjectPermission
 from infrahub.core.changelog.models import NodeChangelog
-from infrahub.core.constants import InfrahubKind, MutationAction, RelationshipCardinality
+from infrahub.core.constants import (
+    InfrahubKind,
+    MutationAction,
+    PermissionAction,
+    PermissionDecision,
+    RelationshipCardinality,
+)
 from infrahub.core.manager import NodeManager
 from infrahub.core.query.node import NodeGetKindQuery
 from infrahub.core.query.relationship import (
@@ -21,6 +28,7 @@
 from infrahub.events.group_action import GroupMemberAddedEvent, GroupMemberRemovedEvent
 from infrahub.events.models import EventNode
 from infrahub.exceptions import NodeNotFoundError, ValidationError
+from infrahub.permissions import get_global_permission_for_kind
 
 from ..types import RelatedNodeInput
 
@@ -51,7 +59,7 @@ class RelationshipNodesInput(InputObjectType):
 
 class RelationshipMixin:
     @classmethod
-    async def mutate(  # noqa: PLR0915
+    async def mutate(  # noqa: PLR0915, C901
         cls,
         root: dict,  # noqa: ARG003
         info: GraphQLResolveInfo,
@@ -98,6 +106,32 @@ async def mutate(  # noqa: PLR0915
             db=graphql_context.db, ids=node_ids, fields={"display_label": None}, branch=graphql_context.branch
         )
 
+        if graphql_context.account_session:
+            impacted_schemas = {node.get_schema() for node in [source] + list(nodes.values())}
+            required_permissions: list[GlobalPermission | ObjectPermission] = []
+            decision = (
+                PermissionDecision.ALLOW_DEFAULT.value
+                if graphql_context.branch.is_default
+                else PermissionDecision.ALLOW_OTHER.value
+            )
+
+            for impacted_schema in impacted_schemas:
+                global_action = get_global_permission_for_kind(schema=impacted_schema)
+
+                if global_action:
+                    required_permissions.append(GlobalPermission(action=global_action, decision=decision))
+                else:
+                    required_permissions.append(
+                        ObjectPermission(
+                            namespace=impacted_schema.namespace,
+                            name=impacted_schema.name,
+                            action=PermissionAction.UPDATE.value,
+                            decision=decision,
+                        )
+                    )
+
+            graphql_context.active_permissions.raise_for_permissions(permissions=required_permissions)
+
         _, _, in_list2 = compare_lists(list1=list(nodes.keys()), list2=node_ids)
         if in_list2:
             for node_id in in_list2:

backend/infrahub/permissions/__init__.py

@@ -2,12 +2,13 @@
 from infrahub.permissions.local_backend import LocalPermissionBackend
 from infrahub.permissions.manager import PermissionManager
 from infrahub.permissions.report import report_schema_permissions
-from infrahub.permissions.types import AssignedPermissions
+from infrahub.permissions.types import AssignedPermissions, get_global_permission_for_kind
 
 __all__ = [
     "AssignedPermissions",
     "LocalPermissionBackend",
     "PermissionBackend",
     "PermissionManager",
+    "get_global_permission_for_kind",
     "report_schema_permissions",
 ]

backend/infrahub/permissions/types.py

@@ -2,8 +2,12 @@
 
 from typing import TYPE_CHECKING, TypedDict
 
+from infrahub.core.constants import GlobalPermissions, InfrahubKind
+from infrahub.core.schema import NodeSchema
+
 if TYPE_CHECKING:
     from infrahub.core.account import GlobalPermission, ObjectPermission
+    from infrahub.core.schema import MainSchemaTypes
     from infrahub.permissions.constants import BranchRelativePermissionDecision
 
 
@@ -18,3 +22,25 @@ class KindPermissions(TypedDict):
     delete: BranchRelativePermissionDecision
     update: BranchRelativePermissionDecision
     view: BranchRelativePermissionDecision
+
+
+def get_global_permission_for_kind(schema: MainSchemaTypes) -> GlobalPermissions | None:
+    kind_permission_map = {
+        InfrahubKind.GENERICACCOUNT: GlobalPermissions.MANAGE_ACCOUNTS,
+        InfrahubKind.ACCOUNTGROUP: GlobalPermissions.MANAGE_ACCOUNTS,
+        InfrahubKind.ACCOUNTROLE: GlobalPermissions.MANAGE_ACCOUNTS,
+        InfrahubKind.BASEPERMISSION: GlobalPermissions.MANAGE_PERMISSIONS,
+        InfrahubKind.GENERICREPOSITORY: GlobalPermissions.MANAGE_REPOSITORIES,
+    }
+
+    if schema.kind in kind_permission_map:
+        return kind_permission_map[schema.kind]
+
+    if isinstance(schema, NodeSchema):
+        for base in schema.inherit_from:
+            try:
+                return kind_permission_map[base]
+            except KeyError:
+                continue
+
+    return None

backend/tests/unit/graphql/test_mutation_relationship.py

@@ -1,20 +1,33 @@
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+from uuid import uuid4
+
 from infrahub_sdk.uuidt import UUIDT
 
-from infrahub.auth import AccountSession
+from infrahub.auth import AccountSession, AuthType
+from infrahub.core import registry
+from infrahub.core.account import ObjectPermission
 from infrahub.core.branch import Branch
 from infrahub.core.changelog.models import RelationshipCardinalityManyChangelog
-from infrahub.core.constants import InfrahubKind
+from infrahub.core.constants import InfrahubKind, PermissionAction, PermissionDecision
 from infrahub.core.manager import NodeManager
 from infrahub.core.node import Node
 from infrahub.core.utils import count_relationships
 from infrahub.database import InfrahubDatabase
 from infrahub.events.group_action import GroupMemberAddedEvent, GroupMemberRemovedEvent
 from infrahub.events.node_action import NodeMutatedEvent
 from infrahub.graphql.initialization import prepare_graphql_params
+from infrahub.permissions import LocalPermissionBackend
 from infrahub.services import InfrahubServices
 from tests.adapters.event import MemoryInfrahubEvent
 from tests.helpers.graphql import graphql
 
+if TYPE_CHECKING:
+    from infrahub.core.branch import Branch
+    from infrahub.core.protocols import CoreAccount
+    from infrahub.database import InfrahubDatabase
+
 
 async def test_relationship_add(
     db: InfrahubDatabase,
@@ -855,3 +868,121 @@ async def test_add_generic_related_node_with_hfid(
     assert result.errors is None
     assert result.data
     assert result.data["TestPersonUpdate"]["object"]["car"]["node"]["name"]["value"] == "testing-car"
+
+
+async def test_with_permissions(
+    db: InfrahubDatabase,
+    register_core_models_schema: None,
+    default_branch: Branch,
+    first_account: CoreAccount,
+    person_jack_main: Node,
+    tag_blue_main: Node,
+):
+    registry.permission_backends = [LocalPermissionBackend()]
+
+    permissions = []
+    for object_permission in [
+        ObjectPermission(
+            namespace="Builtin",
+            name="Tag",
+            action=PermissionAction.UPDATE.value,
+            decision=PermissionDecision.ALLOW_ALL.value,
+        ),
+        ObjectPermission(
+            namespace="Test",
+            name="Person",
+            action=PermissionAction.UPDATE.value,
+            decision=PermissionDecision.ALLOW_ALL.value,
+        ),
+    ]:
+        obj = await Node.init(db=db, schema=InfrahubKind.OBJECTPERMISSION)
+        await obj.new(
+            db=db,
+            namespace=object_permission.namespace,
+            name=object_permission.name,
+            action=object_permission.action,
+            decision=object_permission.decision,
+        )
+        await obj.save(db=db)
+        permissions.append(obj)
+
+    role = await Node.init(db=db, schema=InfrahubKind.ACCOUNTROLE)
+    await role.new(db=db, name="chief-people-officer", permissions=permissions)
+    await role.save(db=db)
+
+    group = await Node.init(db=db, schema=InfrahubKind.ACCOUNTGROUP)
+    await group.new(db=db, name="hr", roles=[role])
+    await group.save(db=db)
+
+    await group.members.add(db=db, data={"id": first_account.id})
+    await group.members.save(db=db)
+
+    first_session = AccountSession(
+        authenticated=True, account_id=first_account.id, session_id=str(uuid4()), auth_type=AuthType.JWT
+    )
+
+    query = """
+    mutation {
+        RelationshipAdd(data: {
+            id: "%s",
+            name: "tags",
+            nodes: [{id: "%s"}],
+        }) {
+            ok
+        }
+    }
+    """
+
+    gql_params = await prepare_graphql_params(
+        db=db, include_subscription=False, branch=default_branch, account_session=first_session
+    )
+    result = await graphql(
+        schema=gql_params.schema,
+        source=query % (person_jack_main.id, tag_blue_main.id),
+        context_value=gql_params.context,
+        root_value=None,
+        variable_values={},
+    )
+
+    assert result.errors is None
+
+
+async def test_without_permissions(
+    db: InfrahubDatabase,
+    register_core_models_schema: None,
+    default_branch: Branch,
+    first_account: CoreAccount,
+    person_jack_main: Node,
+    tag_red_main: Node,
+):
+    registry.permission_backends = [LocalPermissionBackend()]
+
+    first_session = AccountSession(
+        authenticated=True, account_id=first_account.id, session_id=str(uuid4()), auth_type=AuthType.JWT
+    )
+
+    query = """
+    mutation {
+        RelationshipAdd(data: {
+            id: "%s",
+            name: "tags",
+            nodes: [{id: "%s"}],
+        }) {
+            ok
+        }
+    }
+    """
+
+    gql_params = await prepare_graphql_params(
+        db=db, include_subscription=False, branch=default_branch, account_session=first_session
+    )
+    result = await graphql(
+        schema=gql_params.schema,
+        source=query % (person_jack_main.id, tag_red_main.id),
+        context_value=gql_params.context,
+        root_value=None,
+        variable_values={},
+    )
+
+    assert result.errors
+    assert "You do not have one of the following permissions" in result.errors[0].message

backend/tests/unit/permissions/test_types.py

@@ -0,0 +1,25 @@
+import pytest
+
+from infrahub.core import registry
+from infrahub.core.constants import GlobalPermissions, InfrahubKind
+from infrahub.permissions import get_global_permission_for_kind
+
+
+@pytest.mark.parametrize(
+    "kinds,permission",
+    [
+        (
+            [InfrahubKind.ACCOUNT, InfrahubKind.ACCOUNTGROUP, InfrahubKind.ACCOUNTROLE],
+            GlobalPermissions.MANAGE_ACCOUNTS,
+        ),
+        ([InfrahubKind.GLOBALPERMISSION, InfrahubKind.OBJECTPERMISSION], GlobalPermissions.MANAGE_PERMISSIONS),
+        ([InfrahubKind.REPOSITORY, InfrahubKind.READONLYREPOSITORY], GlobalPermissions.MANAGE_REPOSITORIES),
+        ([InfrahubKind.TAG], None),
+    ],
+)
+def test_get_global_permission_for_kind(
+    register_core_models_schema: None, kinds: list[str], permission: GlobalPermissions
+):
+    for kind in kinds:
+        schema = registry.schema.get(name=kind)
+        assert get_global_permission_for_kind(schema=schema) == permission