Merge pull request #5786 from opsmill/pog-stable-to-develop-20250219

Merge stable into develop with resolved conflicts and updated tests.

Author: ogenstad

CHANGELOG.md

@@ -11,6 +11,28 @@ This project uses [*towncrier*](https://towncrier.readthedocs.io/) and the chang
 
 <!-- towncrier release notes start -->
 
+## [Infrahub - v1.1.7](https://github.com/opsmill/infrahub/tree/infrahub-v1.1.7) - 2025-02-18
+
+### Added
+
+- Data diffs are loaded in sequential batches for faster performance with large changes.
+- The diff tree and diff list can now be scrolled independently.
+
+### Changed
+
+- Modified node mutation events to not send metadata properties as part of the mutation payload. The reason is that the property lookup was time consuming. This information will return again in Infrahub 1.2 with a completely updated format. ([#5664](https://github.com/opsmill/infrahub/issues/5664))
+
+### Fixed
+
+- Fix nodes remaining in the database after a create mutation fails when using pools. ([#4303](https://github.com/opsmill/infrahub/issues/4303))
+- Modify the query for the current tasks, ensuring the correct determination of the merge button state. ([#5565](https://github.com/opsmill/infrahub/issues/5565))
+- Fix Docker `task-manager-db` PostgreSQL health check test by adding database and user parameters. ([#5739](https://github.com/opsmill/infrahub/issues/5739))
+- Fixed issue causing a gap in menu sidebar when text is too long.
+- Prevent avatar from being cut off in menu sidebar.
+- Enforce permission checks when using relationship add or delete mutation.
+- Enhance the data integrity checks UI to enable navigation from the check to the diff view.
+- Improved performance when updating an existing diff.
+
 ## [Infrahub - v1.1.6](https://github.com/opsmill/infrahub/tree/infrahub-v1.1.6) - 2025-01-30
 
 ### Artifact improvements

backend/infrahub/graphql/mutations/relationship.py

@@ -7,8 +7,15 @@
 from infrahub_sdk.utils import compare_lists
 
 from infrahub import config
+from infrahub.core.account import GlobalPermission, ObjectPermission
 from infrahub.core.changelog.models import NodeChangelog
-from infrahub.core.constants import InfrahubKind, MutationAction, RelationshipCardinality
+from infrahub.core.constants import (
+    InfrahubKind,
+    MutationAction,
+    PermissionAction,
+    PermissionDecision,
+    RelationshipCardinality,
+)
 from infrahub.core.manager import NodeManager
 from infrahub.core.query.node import NodeGetKindQuery
 from infrahub.core.query.relationship import (
@@ -21,6 +28,7 @@
 from infrahub.events.group_action import GroupMemberAddedEvent, GroupMemberRemovedEvent
 from infrahub.events.models import EventNode
 from infrahub.exceptions import NodeNotFoundError, ValidationError
+from infrahub.permissions import get_global_permission_for_kind
 
 from ..types import RelatedNodeInput
 
@@ -51,7 +59,7 @@ class RelationshipNodesInput(InputObjectType):
 
 class RelationshipMixin:
     @classmethod
-    async def mutate(  # noqa: PLR0915
+    async def mutate(  # noqa: PLR0915, C901
         cls,
         root: dict,  # noqa: ARG003
         info: GraphQLResolveInfo,
@@ -98,6 +106,32 @@ async def mutate(  # noqa: PLR0915
             db=graphql_context.db, ids=node_ids, fields={"display_label": None}, branch=graphql_context.branch
         )
 
+        if graphql_context.account_session:
+            impacted_schemas = {node.get_schema() for node in [source] + list(nodes.values())}
+            required_permissions: list[GlobalPermission | ObjectPermission] = []
+            decision = (
+                PermissionDecision.ALLOW_DEFAULT.value
+                if graphql_context.branch.is_default
+                else PermissionDecision.ALLOW_OTHER.value
+            )
+
+            for impacted_schema in impacted_schemas:
+                global_action = get_global_permission_for_kind(schema=impacted_schema)
+
+                if global_action:
+                    required_permissions.append(GlobalPermission(action=global_action, decision=decision))
+                else:
+                    required_permissions.append(
+                        ObjectPermission(
+                            namespace=impacted_schema.namespace,
+                            name=impacted_schema.name,
+                            action=PermissionAction.UPDATE.value,
+                            decision=decision,
+                        )
+                    )
+
+            graphql_context.active_permissions.raise_for_permissions(permissions=required_permissions)
+
         _, _, in_list2 = compare_lists(list1=list(nodes.keys()), list2=node_ids)
         if in_list2:
             for node_id in in_list2:

backend/infrahub/permissions/__init__.py

@@ -2,12 +2,13 @@
 from infrahub.permissions.local_backend import LocalPermissionBackend
 from infrahub.permissions.manager import PermissionManager
 from infrahub.permissions.report import report_schema_permissions
-from infrahub.permissions.types import AssignedPermissions
+from infrahub.permissions.types import AssignedPermissions, get_global_permission_for_kind
 
 __all__ = [
     "AssignedPermissions",
     "LocalPermissionBackend",
     "PermissionBackend",
     "PermissionManager",
+    "get_global_permission_for_kind",
     "report_schema_permissions",
 ]

backend/infrahub/permissions/types.py

@@ -2,8 +2,12 @@
 
 from typing import TYPE_CHECKING, TypedDict
 
+from infrahub.core.constants import GlobalPermissions, InfrahubKind
+from infrahub.core.schema import NodeSchema
+
 if TYPE_CHECKING:
     from infrahub.core.account import GlobalPermission, ObjectPermission
+    from infrahub.core.schema import MainSchemaTypes
     from infrahub.permissions.constants import BranchRelativePermissionDecision
 
 
@@ -18,3 +22,25 @@ class KindPermissions(TypedDict):
     delete: BranchRelativePermissionDecision
     update: BranchRelativePermissionDecision
     view: BranchRelativePermissionDecision
+
+
+def get_global_permission_for_kind(schema: MainSchemaTypes) -> GlobalPermissions | None:
+    kind_permission_map = {
+        InfrahubKind.GENERICACCOUNT: GlobalPermissions.MANAGE_ACCOUNTS,
+        InfrahubKind.ACCOUNTGROUP: GlobalPermissions.MANAGE_ACCOUNTS,
+        InfrahubKind.ACCOUNTROLE: GlobalPermissions.MANAGE_ACCOUNTS,
+        InfrahubKind.BASEPERMISSION: GlobalPermissions.MANAGE_PERMISSIONS,
+        InfrahubKind.GENERICREPOSITORY: GlobalPermissions.MANAGE_REPOSITORIES,
+    }
+
+    if schema.kind in kind_permission_map:
+        return kind_permission_map[schema.kind]
+
+    if isinstance(schema, NodeSchema):
+        for base in schema.inherit_from:
+            try:
+                return kind_permission_map[base]
+            except KeyError:
+                continue
+
+    return None