server: fix inherited_roles issue when some of the underlying roles don't have permissions configured

GitOrigin-RevId: 771491ec0cf6c0d860ef374ed67b426220fa2b96

CHANGELOG.md

@@ -5,6 +5,8 @@
 ### Bug fixes and improvements
 (Add entries here in the order of: server, console, cli, docs, others)
 
+- server: fix inherited_roles issue when some of the underlying roles don't have permissions configured (fixes #6672)
+
 
 ## v2.0.0-alpha.5
 

server/src-lib/Hasura/RQL/DDL/Schema/Cache/Permission.hs

@@ -180,7 +180,7 @@ buildTablePermissions = Inc.cache proc (source, tableCache, tableFields, tablePe
        let singleRoleSelectPerms =
              map ((_permSel =<<) . (`M.lookup` nonInheritedRolePermissions)) $
                   toList roleSet
-           nonEmptySelPerms = NE.nonEmpty =<< sequenceA singleRoleSelectPerms
+           nonEmptySelPerms = NE.nonEmpty $ catMaybes singleRoleSelectPerms
            combinedSelPermInfo = combineSelectPermInfos <$> nonEmptySelPerms
        returnA -< RolePermInfo Nothing combinedSelPermInfo Nothing Nothing)
     |) inheritedRolesMap

server/tests-py/queries/graphql_query/permissions/inherited_roles/inherited_role_with_some_roles_having_no_permissions.yaml

@@ -0,0 +1,25 @@
+description: |
+  Suppose an inherited role `ir1` is created out of role1, role2 and role3. role1 and role2 have some select
+  permissions configured for a Table T and role3 doesn't have any select permissions configured for T. In such cases, the inherited role `ir1` should work as if the inherited role is created out of only role1 and role2 or the inherited role's permissions should be only constructed out of the permissions which exist for the underlying roles. In this case, the
+  `guest` role doesn't have select permissions configured for the table `author`
+url: /v1/graphql
+status: 200
+headers:
+  X-Hasura-Role: author_editor_guest_inherited_role
+  X-Hasura-Author-Id: '1'
+  X-Hasura-Editor-Id: '1'
+query:
+  query: |
+    query {
+      authors {
+        id
+        name
+        followers
+      }
+    }
+reponse:
+  data:
+    authors:
+      - id: 1
+        name: J.K.Rowling
+        followers: 1232344

server/tests-py/queries/graphql_query/permissions/inherited_roles/schema_setup.yaml

@@ -43,3 +43,29 @@ args:
       RETURNS INT AS $$
       SELECT employee_row.salary * 12
       $$ LANGUAGE sql STABLE;
+
+      CREATE TABLE authors (
+        id serial primary key,
+        name text,
+        followers int
+      );
+
+      CREATE TABLE articles (
+        id serial primary key,
+        title text,
+        content text,
+        is_published boolean default false,
+        author_id int references authors(id)
+      );
+
+      insert into authors (name, followers) values
+      ('J.K.Rowling', 1232344),
+      ('Paulo Coelho', 21312332),
+      ('Murakami', 1232132);
+
+      insert into articles (title, content, is_published, author_id) values
+      ('title 1', 'content 1', false, 1),
+      ('title 2', 'content 2', true, 2),
+      ('title 3', 'content 3', true, 1),
+      ('title 4', 'content 4', true, 3),
+      ('title 5', 'content 5', true, 2);

server/tests-py/queries/graphql_query/permissions/inherited_roles/schema_teardown.sql

@@ -1,5 +0,0 @@
-type: run_sql
-args:
-  cascade: true
-  sql: |
-    DROP

server/tests-py/queries/graphql_query/permissions/inherited_roles/schema_teardown.yaml

@@ -5,3 +5,5 @@ args:
     DROP TABLE employee CASCADE;
     DROP TABLE manager;
     DROP TABLE team;
+    DROP TABLE articles;
+    DROP TABLE authors;

server/tests-py/queries/graphql_query/permissions/inherited_roles/setup.yaml

@@ -100,3 +100,74 @@ args:
     role_set:
       - manager
       - employee
+
+- type: pg_track_table
+  args:
+    table: authors
+
+- type: pg_track_table
+  args:
+    table: articles
+
+- type: pg_create_select_permission
+  args:
+    table: authors
+    role: author
+    permission:
+      columns:
+        - id
+        - name
+        - followers
+      allow_aggregations: false
+      filter:
+        id: X-Hasura-Author-Id
+
+- type: pg_create_select_permission
+  args:
+    table: authors
+    role: editor
+    permission:
+      columns:
+        - name
+        - followers
+      allow_aggregations: true
+      filter: {}
+
+- type: pg_create_select_permission
+  args:
+    table: articles
+    role: guest
+    permission:
+      columns:
+        - title
+        - content
+        - author_id
+      allow_aggregations: true
+      filter:
+        is_published: true
+
+- type: pg_create_select_permission
+  args:
+    table: articles
+    role: author
+    permission:
+      columns: "*"
+      allow_aggregations: true
+      filter:
+        author_id: X-Hasura-Author-Id
+
+- type: pg_create_select_permission
+  args:
+    table: articles
+    role: editor
+    permission:
+      columns: "*"
+      filter: {}
+
+- type: add_inherited_role
+  args:
+    role_name: author_editor_guest_inherited_role
+    role_set:
+      - author
+      - editor
+      - guest

server/tests-py/queries/graphql_query/permissions/inherited_roles/teardown.yaml

@@ -1,3 +1,9 @@
-type: drop_inherited_role
+type: bulk
 args:
-  role_name: manager_employee
+  - type: drop_inherited_role
+    args:
+      role_name: manager_employee
+
+  - type: drop_inherited_role
+    args:
+      role_name: author_editor_guest_inherited_role

server/tests-py/test_graphql_queries.py

@@ -415,6 +415,9 @@ class TestGraphQLInheritedRoles:
     def test_basic_inherited_role(self, hge_ctx, transport):
         check_query_f(hge_ctx, self.dir() + '/basic_inherited_roles.yaml')
 
+    def test_inherited_role_when_some_roles_may_not_have_permission_configured(self, hge_ctx, transport):
+        check_query_f(hge_ctx, self.dir() + '/inherited_role_with_some_roles_having_no_permissions.yaml')
+
 
 @pytest.mark.parametrize("transport", ['http', 'websocket'])
 @usefixtures('per_class_tests_db_state')