From 7e343c1a32499270239e4e41e433e6f195571291 Mon Sep 17 00:00:00 2001 From: cstns Date: Mon, 5 Aug 2024 10:49:13 +0300 Subject: [PATCH 1/2] remove dynamically registered permissions --- forge/ee/routes/billing/index.js | 8 ----- forge/ee/routes/deviceEditor/index.js | 5 --- forge/ee/routes/flowBlueprints/index.js | 11 ------- forge/ee/routes/pipeline/index.js | 9 ------ forge/ee/routes/sharedLibrary/index.js | 9 ------ forge/ee/routes/sso/index.js | 11 ------- forge/lib/permissions.js | 43 +++++++++++++++++++++++-- 7 files changed, 40 insertions(+), 56 deletions(-) diff --git a/forge/ee/routes/billing/index.js b/forge/ee/routes/billing/index.js index eca74cce2a..2dee50ecd3 100644 --- a/forge/ee/routes/billing/index.js +++ b/forge/ee/routes/billing/index.js @@ -7,19 +7,11 @@ const { Readable } = require('stream') -const { registerPermissions } = require('../../../lib/permissions') -const { Roles } = require('../../../lib/roles.js') - /** * @typedef {import('stripe').Stripe.Event} StripeEvent */ module.exports = async function (app) { - registerPermissions({ - 'team:billing:manual': { description: 'Setups up manual billing on a team', role: Roles.Admin }, - 'team:billing:trial': { description: 'Modify team trial settings', role: Roles.Admin } - }) - /** @type {import('stripe').Stripe} */ const stripe = require('stripe')(app.config.billing.stripe.key) diff --git a/forge/ee/routes/deviceEditor/index.js b/forge/ee/routes/deviceEditor/index.js index 6dbace20a8..6279a7bfa4 100644 --- a/forge/ee/routes/deviceEditor/index.js +++ b/forge/ee/routes/deviceEditor/index.js @@ -1,6 +1,4 @@ const { generateToken } = require('../../../db/utils') -const { registerPermissions } = require('../../../lib/permissions') -const { Roles } = require('../../../lib/roles.js') /** * Routes releated to the EE forge api 
@@ -12,9 +10,6 @@ module.exports = async function (app) { if (!app.comms) { return } - registerPermissions({ - 'device:editor': { description: 'Access the Device Editor', role: Roles.Member } - }) /** * Add wildcard content parser for these routes diff --git a/forge/ee/routes/flowBlueprints/index.js b/forge/ee/routes/flowBlueprints/index.js index c9aef0f3a0..b2dac24d4f 100644 --- a/forge/ee/routes/flowBlueprints/index.js +++ b/forge/ee/routes/flowBlueprints/index.js @@ -1,19 +1,8 @@ -const { registerPermissions } = require('../../../lib/permissions') -const { Roles } = require('../../../lib/roles.js') - const hasValueChanged = (requestProp, existingProp) => (requestProp !== undefined && existingProp !== requestProp) module.exports = async function (app) { app.config.features.register('flowBlueprints', true, true) - registerPermissions({ - 'flow-blueprint:create': { description: 'Create a Flow Blueprint', role: Roles.Admin }, - 'flow-blueprint:list': { description: 'List all Flow Blueprints' }, - 'flow-blueprint:read': { description: 'View a Flow Blueprint' }, - 'flow-blueprint:delete': { description: 'Delete a Flow Blueprint', role: Roles.Admin }, - 'flow-blueprint:edit': { description: 'Edit a Flow Blueprint', role: Roles.Admin } - }) - app.get('/', { preHandler: app.needsPermission('flow-blueprint:list'), schema: { diff --git a/forge/ee/routes/pipeline/index.js b/forge/ee/routes/pipeline/index.js index 688999494b..8aa17800e2 100644 --- a/forge/ee/routes/pipeline/index.js +++ b/forge/ee/routes/pipeline/index.js @@ -2,7 +2,6 @@ const { ValidationError } = require('sequelize') const { KEY_PROTECTED } = require('../../../db/models/ProjectSettings.js') const { ControllerError } = require('../../../lib/errors.js') -const { registerPermissions } = require('../../../lib/permissions') const { Roles } = require('../../../lib/roles.js') // Declare getLogger functions to provide type hints / quick code nav / code completion 
@@ -12,14 +11,6 @@ const getTeamLogger = (app) => { return app.auditLog.Team } module.exports = async function (app) { const teamLogger = getTeamLogger(app) - registerPermissions({ - 'pipeline:read': { description: 'View a pipeline', role: Roles.Member }, - 'pipeline:create': { description: 'Create a pipeline', role: Roles.Owner }, - 'pipeline:edit': { description: 'Edit a pipeline', role: Roles.Owner }, - 'pipeline:delete': { description: 'Delete a pipeline', role: Roles.Owner }, - 'application:pipeline:list': { description: 'List pipelines within an application', role: Roles.Member } - }) - app.addHook('preHandler', async (request, reply) => { if (request.params.pipelineId) { const pipelineId = request.params.pipelineId diff --git a/forge/ee/routes/sharedLibrary/index.js b/forge/ee/routes/sharedLibrary/index.js index 14a1f56063..8d58d677d0 100644 --- a/forge/ee/routes/sharedLibrary/index.js +++ b/forge/ee/routes/sharedLibrary/index.js @@ -1,13 +1,4 @@ -const { registerPermissions } = require('../../../lib/permissions') -const { Roles } = require('../../../lib/roles.js') - module.exports = async function (app) { - registerPermissions({ - 'library:entry:create': { description: 'Create entries in a team library', role: Roles.Member }, - 'library:entry:list': { description: 'List entries in a team library', role: Roles.Member }, - 'library:entry:delete': { description: 'Delete an entry in a team library', role: Roles.Member } - }) - app.addHook('preHandler', app.verifySession) app.addHook('preHandler', async (request, response) => { // The request has a valid token, but need to check the token is allowed diff --git a/forge/ee/routes/sso/index.js b/forge/ee/routes/sso/index.js index 338526508f..dfbe577723 100644 --- a/forge/ee/routes/sso/index.js +++ b/forge/ee/routes/sso/index.js 
@@ -1,17 +1,6 @@ const fp = require('fastify-plugin') -const { registerPermissions } = require('../../../lib/permissions') -const { Roles } = require('../../../lib/roles.js') - module.exports = fp(async function (app, opts) { - registerPermissions({ - 'saml-provider:create': { description: 'Create a SAML Provider', role: Roles.Admin }, - 'saml-provider:list': { description: 'List all SAML Providers', role: Roles.Admin }, - 'saml-provider:read': { description: 'View a SAML Provider', role: Roles.Admin }, - 'saml-provider:delete': { description: 'Delete a SAML Provider', role: Roles.Admin }, - 'saml-provider:edit': { description: 'Edit a SAML Provider', role: Roles.Admin } - }) - // Get all app.get('/ee/sso/providers', { preHandler: app.needsPermission('saml-provider:list') diff --git a/forge/lib/permissions.js b/forge/lib/permissions.js index 8cb046ff81..a1de05fdcf 100644 --- a/forge/lib/permissions.js +++ b/forge/lib/permissions.js @@ -1,5 +1,8 @@ const { Roles } = require('./roles.js') const Permissions = { + /** + * OS Permissions + */ // User Actions 'user:create': { description: 'Create User', role: Roles.Admin }, 'user:list': { description: 'List platform users', role: Roles.Admin }, 
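Review bot: The new `/** OS Permissions */` heading in `forge/lib/permissions.js` is a JSDoc block, so documentation and editor tooling will attach it to the next property (`'user:create'`) rather than treat it as a section divider. "OS" is also easy to misread as "operating system" in a permissions table. A plain line comment that spells the term out, e.g. `// *** Core (open-source) permissions ***`, would match the `// *** EE Permissions ***` marker style the file used before, assuming "OS" does mean open source here. The same applies to the `/** EE Permissions */` block added in the second hunk of this file. The `Permissions` object literal continues past the end of this hunk.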
@@ -113,15 +116,49 @@ const Permissions = { 'platform:stats:token': { description: 'Create/Delete platform stats token', role: Roles.Admin }, 'platform:audit-log': { description: 'View platform audit log', role: Roles.Admin }, - // *** EE Permissions *** - + /** + * EE Permissions + */ // Device Groups 'application:device-group:create': { description: 'Create a device group', role: Roles.Owner }, 'application:device-group:list': { description: 'List device groups', role: Roles.Member }, 'application:device-group:update': { description: 'Update a device group', role: Roles.Owner }, 'application:device-group:delete': { description: 'Delete a device group', role: Roles.Owner }, 'application:device-group:read': { description: 'View a device group', role: Roles.Member }, - 'application:device-group:membership:update': { description: 'Update a device group membership', role: Roles.Owner } + 'application:device-group:membership:update': { description: 'Update a device group membership', role: Roles.Owner }, + + // Device Editor + 'device:editor': { description: 'Access the Device Editor', role: Roles.Member }, + + // Team Billing + 'team:billing:manual': { description: 'Setups up manual billing on a team', role: Roles.Admin }, + 'team:billing:trial': { description: 'Modify team trial settings', role: Roles.Admin }, + + // Flow Blueprints + 'flow-blueprint:create': { description: 'Create a Flow Blueprint', role: Roles.Admin }, + 'flow-blueprint:list': { description: 'List all Flow Blueprints' }, + 'flow-blueprint:read': { description: 'View a Flow Blueprint' }, + 'flow-blueprint:delete': { description: 'Delete a Flow Blueprint', role: Roles.Admin }, + 'flow-blueprint:edit': { description: 'Edit a Flow Blueprint', role: Roles.Admin }, + + // Library + 'library:entry:create': { description: 'Create entries in a team library', role: Roles.Member }, + 'library:entry:list': { description: 'List entries in a team library', role: Roles.Member }, + 'library:entry:delete': { 
description: 'Delete an entry in a team library', role: Roles.Member }, + + // Pipeline + 'pipeline:read': { description: 'View a pipeline', role: Roles.Member }, + 'pipeline:create': { description: 'Create a pipeline', role: Roles.Owner }, + 'pipeline:edit': { description: 'Edit a pipeline', role: Roles.Owner }, + 'pipeline:delete': { description: 'Delete a pipeline', role: Roles.Owner }, + 'application:pipeline:list': { description: 'List pipelines within an application', role: Roles.Member }, + + // SAML + 'saml-provider:create': { description: 'Create a SAML Provider', role: Roles.Admin }, + 'saml-provider:list': { description: 'List all SAML Providers', role: Roles.Admin }, + 'saml-provider:read': { description: 'View a SAML Provider', role: Roles.Admin }, + 'saml-provider:delete': { description: 'Delete a SAML Provider', role: Roles.Admin }, + 'saml-provider:edit': { description: 'Edit a SAML Provider', role: Roles.Admin } } module.exports = { From 78e1bbfc64f65cfcb6b4e0ee7d9d51775dea2751 Mon Sep 17 00:00:00 2001 From: cstns Date: Mon, 5 Aug 2024 11:17:20 +0300 Subject: [PATCH 2/2] code cleanup --- forge/lib/permissions.js | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/forge/lib/permissions.js b/forge/lib/permissions.js index a1de05fdcf..39c2479056 100644 --- a/forge/lib/permissions.js +++ b/forge/lib/permissions.js @@ -162,10 +162,5 @@ const Permissions = { } module.exports = { - Permissions, - registerPermissions: function (newPermisssions) { - Object.keys(newPermisssions).forEach(key => { - Permissions[key] = newPermisssions[key] - }) - } + Permissions }
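Review bot: `'flow-blueprint:list'` and `'flow-blueprint:read'` are the only entries in this added block without a `role`, and in a static table beside role-bearing entries that reads like an oversight rather than a decision. How a missing `role` is evaluated is not visible in this patch, so please confirm it is meant to allow any authenticated user and say so in a comment above them, e.g. `// no role: any logged-in user may list/read blueprints`. These EE entries also used to be added only when the matching route module ran (the Device Editor one only past the `if (!app.comms)` return), whereas they are now present on every install. Any code that treats the presence of a key in `Permissions` as a sign the feature is enabled should be re-checked. The hunk starts inside the `Permissions` object literal, which opens above it.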
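Review bot: After this hunk `Permissions` is still exported as an ordinary mutable object, so any module that requires it can still add an entry or lower a `role` at runtime even though `registerPermissions` is gone. If nothing (tests included) depends on mutating it, freezing on export makes the table read-only: `Permissions: Object.freeze(Permissions)`. That freeze is shallow, so the per-entry objects would need freezing as well to protect `role`. Before merging it is also worth searching for `registerPermissions` callers outside the six route files changed in patch 1, since a leftover call would now throw when its module loads.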