From e1eb0172499ca0045bd285d33379d590f7509d07 Mon Sep 17 00:00:00 2001
From: Jahziel Villasana-Espinoza
Date: Tue, 12 Dec 2023 13:36:33 -0500
Subject: [PATCH] fix: send back queries but ignore them on the FE (#15507)

> #15009 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
---
 changes/15009-queries-observer | 1 +
 .../pages/queries/ManageQueriesPage/ManageQueriesPage.tsx | 7 +++++++
 server/service/queries.go | 5 ++++-
 server/service/queries_test.go | 4 ++--
 4 files changed, 14 insertions(+), 3 deletions(-)
 create mode 100644 changes/15009-queries-observer
diff --git a/changes/15009-queries-observer b/changes/15009-queries-observer
new file mode 100644
index 0000000000..d92ecc41c5
--- /dev/null
+++ b/changes/15009-queries-observer
@@ -0,0 +1 @@
+- Fixes bug where Global Observers were not able to list all queries through the API.
\ No newline at end of file
diff --git a/frontend/pages/queries/ManageQueriesPage/ManageQueriesPage.tsx b/frontend/pages/queries/ManageQueriesPage/ManageQueriesPage.tsx
index c7318ab266..80f6caabb5 100644
--- a/frontend/pages/queries/ManageQueriesPage/ManageQueriesPage.tsx
+++ b/frontend/pages/queries/ManageQueriesPage/ManageQueriesPage.tsx
@@ -90,6 +90,7 @@ const ManageQueriesPage = ({
 filteredQueriesPath,
 isPremiumTier,
 isSandboxMode,
+ isGlobalObserver,
 config,
 } = useContext(AppContext);
 const { setLastEditedQueryBody, setSelectedQueryTargetsByType } = useContext(
@@ -137,6 +138,12 @@ const ManageQueriesPage = ({
 [{ scope: "queries", teamId: teamIdForApi }],
 ({ queryKey: [{ teamId }] }) =>
 queriesAPI.loadAll(teamId).then(({ queries }) => {
+ if (isGlobalObserver) {
+ return queries
+ .filter((q: ISchedulableQuery) => q.observer_can_run)
+ .map(enhanceQuery);
+ }
+
 return queries.map(enhanceQuery);
 }),
 {
diff --git a/server/service/queries.go b/server/service/queries.go
index 47429b7923..094a8519ce 100644
--- a/server/service/queries.go
+++ b/server/service/queries.go
@@ -114,7 +114,10 @@ func (svc *Service) ListQueries(ctx context.Context, opt fleet.ListOptions, team
 func onlyShowObserverCanRunQueries(user *fleet.User, teamID *uint) bool {
 if user.GlobalRole != nil && *user.GlobalRole == fleet.RoleObserver {
- return true
+ // Return false here because Global Observers should be able to access all queries via API.
+ // However, the UI will only show queries that have "observer can run" set to true.
+ // See the user permissions matrix: https://fleetdm.com/docs/using-fleet/manage-access#user-permissions
+ return false
 }
 return teamID != nil && user.TeamMembership(func(ut fleet.UserTeam) bool {
diff --git a/server/service/queries_test.go b/server/service/queries_test.go
index cd929ad153..5d1815d703 100644
--- a/server/service/queries_test.go
+++ b/server/service/queries_test.go
@@ -14,7 +14,7 @@ import (
 func TestFilterQueriesForObserver(t *testing.T) {
 t.Run("global role", func(t *testing.T) {
- require.True(t, onlyShowObserverCanRunQueries(&fleet.User{
+ require.False(t, onlyShowObserverCanRunQueries(&fleet.User{
 GlobalRole: ptr.String(fleet.RoleObserver),
 }, nil))
@@ -89,7 +89,7 @@ func TestListQueries(t *testing.T) {
 {
 title: "global observer",
 user: &fleet.User{GlobalRole: ptr.String(fleet.RoleObserver)},
- expectedOpts: fleet.ListQueryOptions{OnlyObserverCanRun: true},
+ expectedOpts: fleet.ListQueryOptions{OnlyObserverCanRun: false},
 },
 {
 title: "team maintainer",
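Review bot: In the second `ManageQueriesPage.tsx` hunk the `isGlobalObserver` check sits inside the fetch callback, while the query key on the first context line is still `[{ scope: "queries", teamId: teamIdForApi }]`, so the cached list does not depend on the role value it was filtered with. If `isGlobalObserver` from `AppContext` is not yet set when the first fetch resolves (not visible here), the unfiltered list would be cached and rendered until the next refetch. Filtering the fetched data at render time, or in the query's `select` option, would keep the result tied to the current role; the options object opens on the last line of the hunk and continues outside it. The two branches also repeat `.map(enhanceQuery)`, which could be written once as `(isGlobalObserver ? queries.filter((q: ISchedulableQuery) => q.observer_can_run) : queries).map(enhanceQuery)`.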
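Review bot: The new comment in `onlyShowObserverCanRunQueries` (server/service/queries.go) justifies `return false` by what the UI shows, but it does not say that the UI filter is display-only, so a later reader could mistake `observer_can_run` for an access control on listing. After this change the server applies no `OnlyObserverCanRun` filter for a Global Observer, as the updated expectation in `TestListQueries` confirms, so the list reaches the client unfiltered by that flag. I would add a line such as `// The UI filter is cosmetic; the list API does not filter on observer_can_run for Global Observers.` and give the function a doc comment naming the roles that do get the filter. In the lines shown, `TestFilterQueriesForObserver` passes only a nil team ID for the global role; a case with a non-nil `teamID` would pin the early return, since the team-membership expression after it continues outside the hunk.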