Fix conflicting permissions resolver.

Author: ogenstad

backend/infrahub/graphql/manager.py

@@ -48,6 +48,7 @@
     default_resolver,
     descendants_resolver,
     many_relationship_resolver,
+    parent_field_name_resolver,
     single_relationship_resolver,
 )
 from .schema import InfrahubBaseMutation, InfrahubBaseQuery
@@ -886,7 +887,9 @@ def generate_graphql_paginated_object(
         }
 
         if isinstance(schema, (NodeSchema, GenericSchema)):
-            main_attrs["permissions"] = graphene.Field(PaginatedObjectPermission, required=True)
+            main_attrs["permissions"] = graphene.Field(
+                PaginatedObjectPermission, required=True, resolver=parent_field_name_resolver
+            )
 
         graphql_paginated_object = type(object_name, (InfrahubObject,), main_attrs)
 

backend/infrahub/graphql/resolver.py

@@ -118,6 +118,15 @@ async def default_resolver(*args: Any, **kwargs) -> dict | list[dict] | None:
         return await objs[0].to_graphql(db=db, fields=fields, related_node_ids=context.related_node_ids)
 
 
+async def parent_field_name_resolver(parent: dict[str, dict], info: GraphQLResolveInfo) -> dict:
+    """This resolver gets used when we know that the parent resolver has already gathered the required information.
+
+    An example of this is the permissions field at the top level within default_paginated_list_resolver()
+    """
+
+    return parent[info.field_name]
+
+
 async def default_paginated_list_resolver(
     root: dict,  # pylint: disable=unused-argument
     info: GraphQLResolveInfo,

backend/tests/unit/graphql/queries/test_list_permissions.py

@@ -63,6 +63,31 @@
 """
 
 
+QUERY_ACCOUNT_ROLE = """
+query {
+  CoreAccountRole {
+    edges {
+        node {
+            display_label
+        }
+    }
+    permissions {
+        count
+        edges {
+            node {
+                kind
+                create
+                update
+                delete
+                view
+            }
+        }
+    }
+  }
+}
+"""
+
+
 class TestObjectPermissions:
     async def test_setup(
         self,
@@ -231,6 +256,33 @@ async def test_first_account_list_permissions_for_generics(
             }
         } in result.data["CoreGenericRepository"]["permissions"]["edges"]
 
+    async def test_first_account_account_role(
+        self, db: InfrahubDatabase, permissions_helper: PermissionsHelper
+    ) -> None:
+        """In the main branch the first account doesn't have the permission to make changes, but it has in the other branches"""
+        session = AccountSession(
+            authenticated=True, account_id=permissions_helper.first.id, session_id=str(uuid4()), auth_type=AuthType.JWT
+        )
+        gql_params = prepare_graphql_params(
+            db=db, include_mutation=True, branch=permissions_helper.default_branch, account_session=session
+        )
+
+        result = await graphql(schema=gql_params.schema, source=QUERY_ACCOUNT_ROLE, context_value=gql_params.context)
+
+        assert not result.errors
+        assert result.data
+        assert result.data["CoreAccountRole"]["permissions"]["count"] == 1
+        assert result.data["CoreAccountRole"]["permissions"]["edges"][0] == {
+            "node": {
+                "kind": "CoreAccountRole",
+                "create": PermissionDecision.ALLOW_OTHER.name,
+                "update": PermissionDecision.ALLOW_OTHER.name,
+                "delete": PermissionDecision.ALLOW_OTHER.name,
+                "view": PermissionDecision.ALLOW_ALL.name,
+            }
+        }
+        assert result.data["CoreAccountRole"]["edges"][0]["node"]["display_label"] == "admin"
+
 
 QUERY_TAGS_ATTR = """
 query {