Fixes for static data sources and build with permissions (#12657)

* fixes for static ds * update
2026-05-23 17:08:34 +00:00 · 2025-04-21 23:23:17 +05:30 · 2025-04-21 23:23:17 +05:30 · 8923d75d58
commit 8923d75d58
parent bdcd84bef5
5 changed files with 26 additions and 19 deletions
--- a/server/src/modules/app/guards/ability.guard.ts
+++ b/server/src/modules/app/guards/ability.guard.ts
@ -94,11 +94,10 @@ export abstract class AbilityGuard implements CanActivate {

      // Validate all features against resource if any
      if (!features.every((feature) => ability.can(feature, this.getSubjectType(), resourceId || undefined))) {
-        throw new ForbiddenException(
-          JSON.stringify({
-            organizationId: app?.organizationId,
-          })
-        );
+        throw new ForbiddenException({
+          message: 'You do not have permission to access this resource',
+          organizationId: app?.organizationId,
+        });
      }
      return true;
    }
--- a/server/src/modules/data-queries/ability/app/index.ts
+++ b/server/src/modules/data-queries/ability/app/index.ts
@ -31,6 +31,9 @@ export class FeatureAbilityFactory extends AbilityFactory<FEATURE_KEY, Subjects>

    const appId = request?.tj_resource_id;

+    // Always grant RUN_EDITOR and RUN_VIEWER permissions
+    can([FEATURE_KEY.RUN_EDITOR, FEATURE_KEY.RUN_VIEWER], App);
+
    // Admin or super admin and do all operations
    if (isAdmin || superAdmin) {
      can(
@ -86,11 +89,11 @@ export class FeatureAbilityFactory extends AbilityFactory<FEATURE_KEY, Subjects>
    }

    if (isAllViewable) {
-      can([FEATURE_KEY.GET, FEATURE_KEY.PREVIEW, FEATURE_KEY.RUN_VIEWER], App);
+      can([FEATURE_KEY.GET, FEATURE_KEY.PREVIEW, FEATURE_KEY.RUN_VIEWER, FEATURE_KEY.RUN_EDITOR], App);
      return;
    }
    if (resourcePermissions?.viewableAppsId?.length && appId && resourcePermissions?.viewableAppsId?.includes(appId)) {
-      can([FEATURE_KEY.GET, FEATURE_KEY.PREVIEW, FEATURE_KEY.RUN_VIEWER], App);
+      can([FEATURE_KEY.GET, FEATURE_KEY.PREVIEW, FEATURE_KEY.RUN_VIEWER, FEATURE_KEY.RUN_EDITOR], App);
      return;
    }
  }
--- a/server/src/modules/data-queries/ability/data-source/index.ts
+++ b/server/src/modules/data-queries/ability/data-source/index.ts
@ -30,10 +30,14 @@ export class FeatureAbilityFactory extends AbilityFactory<FEATURE_KEY, Subjects>
    const isAllViewable = !!resourcePermissions?.isAllUsable;

    const dataSourceId = request?.tj_resource_id;
+    const isStatic = request?.resource_type === 'static';
+
+    // Always grant RUN_EDITOR and RUN_VIEWER permissions
+    can([FEATURE_KEY.RUN_EDITOR, FEATURE_KEY.RUN_VIEWER], DataSource);

    // Define permissions for data queries

-    if (isAdmin || superAdmin || isAllEditable || isCanCreate || isCanDelete) {
+    if (isStatic || isAdmin || superAdmin || isAllEditable || isCanCreate || isCanDelete) {
      can(
        [
          FEATURE_KEY.CREATE,
--- a/server/src/modules/data-queries/guards/validate-query-source.guard.ts
+++ b/server/src/modules/data-queries/guards/validate-query-source.guard.ts
@ -45,6 +45,7 @@ export class ValidateQuerySourceGuard implements CanActivate {
    // Attach the found app to the request
    request.tj_data_source = dataSource;
    request.tj_resource_id = dataSource.id;
+    request.resource_type = dataSource?.type;

    // Return true to allow the request to proceed
    return true;
--- a/server/src/modules/data-sources/ability/index.ts
+++ b/server/src/modules/data-sources/ability/index.ts
@ -87,19 +87,19 @@ export class FeatureAbilityFactory extends AbilityFactory<FEATURE_KEY, Subjects>
      return;
    }

-    if (
-      resourcePermissions?.configurableDataSourceId?.length &&
-      dataSourceId &&
-      resourcePermissions?.configurableDataSourceId?.includes(dataSourceId)
-    ) {
-      can(
-        [FEATURE_KEY.GET, FEATURE_KEY.UPDATE, FEATURE_KEY.GET_BY_ENVIRONMENT, FEATURE_KEY.TEST_CONNECTION],
-        DataSource
-      );
+    if (resourcePermissions?.configurableDataSourceId?.length) {
+      can([FEATURE_KEY.GET, FEATURE_KEY.TEST_CONNECTION, FEATURE_KEY.GET_BY_ENVIRONMENT], DataSource);
+
+      if (dataSourceId && resourcePermissions?.configurableDataSourceId?.includes(dataSourceId)) {
+        can(
+          [FEATURE_KEY.GET, FEATURE_KEY.UPDATE, FEATURE_KEY.GET_BY_ENVIRONMENT, FEATURE_KEY.TEST_CONNECTION],
+          DataSource
+        );
+      }
    }

    if (isAllViewable) {
-      can([FEATURE_KEY.GET_BY_ENVIRONMENT], DataSource);
+      can([FEATURE_KEY.GET_BY_ENVIRONMENT, FEATURE_KEY.GET, FEATURE_KEY.TEST_CONNECTION], DataSource);
      return;
    }
    if (
@ -107,7 +107,7 @@ export class FeatureAbilityFactory extends AbilityFactory<FEATURE_KEY, Subjects>
      dataSourceId &&
      resourcePermissions?.usableDataSourcesId?.includes(dataSourceId)
    ) {
-      can([FEATURE_KEY.GET, FEATURE_KEY.GET_BY_ENVIRONMENT], DataSource);
+      can([FEATURE_KEY.GET, FEATURE_KEY.GET_BY_ENVIRONMENT, FEATURE_KEY.TEST_CONNECTION], DataSource);
      return;
    }
  }