IFC-1827 Add global permission to update display label and HFID (#7382)

gmazoyer · web-flow · commit b2ecd499ea75 · 2025-10-16T17:11:05.000+02:00
diff --git a/backend/infrahub/core/constants/__init__.py b/backend/infrahub/core/constants/__init__.py
@@ -99,6 +99,7 @@ class GlobalPermissions(InfrahubStringEnum):
     MANAGE_PERMISSIONS = "manage_permissions"
     MANAGE_REPOSITORIES = "manage_repositories"
     OVERRIDE_CONTEXT = "override_context"
+    UPDATE_OBJECT_HFID_DISPLAY_LABEL = "update_object_hfid_display_label"
 
 
 class PermissionAction(InfrahubStringEnum):
diff --git a/backend/infrahub/graphql/mutations/display_label.py b/backend/infrahub/graphql/mutations/display_label.py
@@ -5,7 +5,7 @@
 from graphene import Boolean, InputObjectType, Mutation, String
 
 from infrahub.core.account import ObjectPermission
-from infrahub.core.constants import PermissionAction, PermissionDecision
+from infrahub.core.constants import GlobalPermissions, PermissionAction, PermissionDecision
 from infrahub.core.manager import NodeManager
 from infrahub.core.registry import registry
 from infrahub.database import retry_db_transaction
@@ -15,6 +15,7 @@
 from infrahub.graphql.context import apply_external_context
 from infrahub.graphql.types.context import ContextInput
 from infrahub.log import get_log_data
+from infrahub.permissions import define_global_permission_from_branch
 from infrahub.worker import WORKER_IDENTITY
 
 if TYPE_CHECKING:
@@ -52,15 +53,21 @@ async def mutate(
         if not node_schema.display_label:
             raise ValidationError(input_value=f"{node_schema.kind}.display_label has not been defined for this kind.")
 
-        graphql_context.active_permissions.raise_for_permission(
-            permission=ObjectPermission(
-                namespace=node_schema.namespace,
-                name=node_schema.name,
-                action=PermissionAction.UPDATE.value,
-                decision=PermissionDecision.ALLOW_DEFAULT.value
-                if graphql_context.branch.name == registry.default_branch
-                else PermissionDecision.ALLOW_OTHER.value,
-            )
+        graphql_context.active_permissions.raise_for_permissions(
+            permissions=[
+                define_global_permission_from_branch(
+                    permission=GlobalPermissions.UPDATE_OBJECT_HFID_DISPLAY_LABEL,
+                    branch_name=graphql_context.branch.name,
+                ),
+                ObjectPermission(
+                    namespace=node_schema.namespace,
+                    name=node_schema.name,
+                    action=PermissionAction.UPDATE.value,
+                    decision=PermissionDecision.ALLOW_DEFAULT.value
+                    if graphql_context.branch.name == registry.default_branch
+                    else PermissionDecision.ALLOW_OTHER.value,
+                ),
+            ]
         )
         await apply_external_context(graphql_context=graphql_context, context_input=context)
 
diff --git a/backend/infrahub/graphql/mutations/hfid.py b/backend/infrahub/graphql/mutations/hfid.py
@@ -5,7 +5,7 @@
 from graphene import Boolean, InputObjectType, List, Mutation, NonNull, String
 
 from infrahub.core.account import ObjectPermission
-from infrahub.core.constants import PermissionAction, PermissionDecision
+from infrahub.core.constants import GlobalPermissions, PermissionAction, PermissionDecision
 from infrahub.core.manager import NodeManager
 from infrahub.core.registry import registry
 from infrahub.database import retry_db_transaction
@@ -15,6 +15,7 @@
 from infrahub.graphql.context import apply_external_context
 from infrahub.graphql.types.context import ContextInput
 from infrahub.log import get_log_data
+from infrahub.permissions import define_global_permission_from_branch
 from infrahub.worker import WORKER_IDENTITY
 
 if TYPE_CHECKING:
@@ -61,15 +62,21 @@ async def mutate(
                 input_value=f"{node_schema.kind}.human_friendly_id requires {len(node_schema.human_friendly_id)} parts data has {len(updated_hfid)}"
             )
 
-        graphql_context.active_permissions.raise_for_permission(
-            permission=ObjectPermission(
-                namespace=node_schema.namespace,
-                name=node_schema.name,
-                action=PermissionAction.UPDATE.value,
-                decision=PermissionDecision.ALLOW_DEFAULT.value
-                if graphql_context.branch.name == registry.default_branch
-                else PermissionDecision.ALLOW_OTHER.value,
-            )
+        graphql_context.active_permissions.raise_for_permissions(
+            permissions=[
+                define_global_permission_from_branch(
+                    permission=GlobalPermissions.UPDATE_OBJECT_HFID_DISPLAY_LABEL,
+                    branch_name=graphql_context.branch.name,
+                ),
+                ObjectPermission(
+                    namespace=node_schema.namespace,
+                    name=node_schema.name,
+                    action=PermissionAction.UPDATE.value,
+                    decision=PermissionDecision.ALLOW_DEFAULT.value
+                    if graphql_context.branch.name == registry.default_branch
+                    else PermissionDecision.ALLOW_OTHER.value,
+                ),
+            ]
         )
         await apply_external_context(graphql_context=graphql_context, context_input=context)
 
diff --git a/backend/infrahub/permissions/constants.py b/backend/infrahub/permissions/constants.py
@@ -30,6 +30,7 @@ class BranchRelativePermissionDecision(StrEnum):
     GlobalPermissions.MANAGE_ACCOUNTS.value: "You are not allowed to manage user accounts, groups or roles",
     GlobalPermissions.MANAGE_PERMISSIONS.value: "You are not allowed to manage permissions",
     GlobalPermissions.MANAGE_REPOSITORIES.value: "You are not allowed to manage repositories",
+    GlobalPermissions.UPDATE_OBJECT_HFID_DISPLAY_LABEL.value: "You are not allowed to update human friendly IDs and display labels ad hoc",
 }
 
 GLOBAL_PERMISSION_DESCRIPTION = {
@@ -42,4 +43,5 @@ class BranchRelativePermissionDecision(StrEnum):
     GlobalPermissions.MANAGE_PERMISSIONS: "Allow a user to manage permissions",
     GlobalPermissions.MANAGE_REPOSITORIES: "Allow a user to manage repositories",
     GlobalPermissions.SUPER_ADMIN: "Allow a user to do anything",
+    GlobalPermissions.UPDATE_OBJECT_HFID_DISPLAY_LABEL: "Allow a user to update objects' display labels and human friendly IDs ad hoc",
 }
diff --git a/backend/tests/unit/graphql/mutations/test_display_label.py b/backend/tests/unit/graphql/mutations/test_display_label.py
@@ -3,9 +3,9 @@
 from typing import TYPE_CHECKING, Any
 from uuid import uuid4
 
-from infrahub.core.account import ObjectPermission
+from infrahub.core.account import GlobalPermission, ObjectPermission
 from infrahub.core.branch.models import Branch
-from infrahub.core.constants import PermissionAction, PermissionDecision
+from infrahub.core.constants import GlobalPermissions, PermissionAction, PermissionDecision
 from infrahub.core.node import Node
 from infrahub.core.registry import registry
 from infrahub.core.schema import SchemaRoot
@@ -88,6 +88,12 @@ async def test_update_display_label_update(
     await define_permissions(
         account=first_account,
         db=db,
+        global_permissions=[
+            GlobalPermission(
+                action=GlobalPermissions.UPDATE_OBJECT_HFID_DISPLAY_LABEL.value,
+                decision=PermissionDecision.ALLOW_ALL.value,
+            )
+        ],
         object_permissions=[
             ObjectPermission(
                 namespace=TSHIRT.namespace,
diff --git a/backend/tests/unit/graphql/mutations/test_hfid.py b/backend/tests/unit/graphql/mutations/test_hfid.py
@@ -3,9 +3,9 @@
 from typing import TYPE_CHECKING
 from uuid import uuid4
 
-from infrahub.core.account import ObjectPermission
+from infrahub.core.account import GlobalPermission, ObjectPermission
 from infrahub.core.branch.models import Branch
-from infrahub.core.constants import PermissionAction, PermissionDecision
+from infrahub.core.constants import GlobalPermissions, PermissionAction, PermissionDecision
 from infrahub.core.node import Node
 from infrahub.core.registry import registry
 from infrahub.core.schema import SchemaRoot
@@ -71,6 +71,12 @@ async def test_update_hfid_update(
     await define_permissions(
         account=first_account,
         db=db,
+        global_permissions=[
+            GlobalPermission(
+                action=GlobalPermissions.UPDATE_OBJECT_HFID_DISPLAY_LABEL.value,
+                decision=PermissionDecision.ALLOW_ALL.value,
+            )
+        ],
         object_permissions=[
             ObjectPermission(
                 namespace=TSHIRT.namespace,

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ class BranchRelativePermissionDecision(StrEnum):`
`30`	`30`	`GlobalPermissions.MANAGE_ACCOUNTS.value: "You are not allowed to manage user accounts, groups or roles",`
`31`	`31`	`GlobalPermissions.MANAGE_PERMISSIONS.value: "You are not allowed to manage permissions",`
`32`	`32`	`GlobalPermissions.MANAGE_REPOSITORIES.value: "You are not allowed to manage repositories",`
	`33`	`+ GlobalPermissions.UPDATE_OBJECT_HFID_DISPLAY_LABEL.value: "You are not allowed to update human friendly IDs and display labels ad hoc",`
`33`	`34`	`}`
`34`	`35`
`35`	`36`	`GLOBAL_PERMISSION_DESCRIPTION = {`
`@@ -42,4 +43,5 @@ class BranchRelativePermissionDecision(StrEnum):`
`42`	`43`	`GlobalPermissions.MANAGE_PERMISSIONS: "Allow a user to manage permissions",`
`43`	`44`	`GlobalPermissions.MANAGE_REPOSITORIES: "Allow a user to manage repositories",`
`44`	`45`	`GlobalPermissions.SUPER_ADMIN: "Allow a user to do anything",`
	`46`	`+ GlobalPermissions.UPDATE_OBJECT_HFID_DISPLAY_LABEL: "Allow a user to update objects' display labels and human friendly IDs ad hoc",`
`45`	`47`	`}`