Add details for admin permission

gagantrivedi · gagantrivedi · commit c723941293ec · 2025-05-07T17:24:37.000+05:30
diff --git a/api/permissions/permissions_calculator.py b/api/permissions/permissions_calculator.py
@@ -13,11 +13,11 @@
     UserPermissionGroupOrganisationPermission,
 )
 from projects.models import (
+    Project,
     UserPermissionGroupProjectPermission,
     UserProjectPermission,
 )
 
-from .permission_service import is_user_project_admin
 from .rbac_wrapper import (  # type: ignore[attr-defined]
     get_roles_permission_data_for_environment,
     get_roles_permission_data_for_organisation,
@@ -99,6 +99,8 @@ class DetailedPermissionsData:
 @dataclass
 class UserDetailedPermissionsData:
     admin: bool
+    derived_from: PermissionDerivedFromData
+    is_directly_granted: bool
     permissions: typing.List[DetailedPermissionsData]
 
 
@@ -113,15 +115,21 @@ class PermissionData:
     roles: typing.List[RolePermissionData]
     is_organisation_admin: bool = False
     admin_override: bool = False
+    inherited_admin_groups: typing.List[GroupPermissionData] = field(
+        default_factory=list
+    )
+    inherited_admin_roles: typing.List[RolePermissionData] = field(default_factory=list)
 
     @property
     def admin(self) -> bool:
-        return (
+        return bool(
             self.is_organisation_admin
             or self.user.admin
             or any(group.admin for group in self.groups)
             or any(role.admin for role in self.roles)
             or self.admin_override
+            or self.inherited_admin_groups
+            or self.inherited_admin_roles
         )
 
     @property
@@ -157,8 +165,10 @@ def tag_based_permissions(self) -> list[dict]:  # type: ignore[type-arg]
             if role_permission.role.tags
         ]
 
-    def to_detailed_permissions_data(self) -> UserDetailedPermissionsData:
+    def to_detailed_permissions_data(self) -> UserDetailedPermissionsData:  # noqa: C901
         permission_map = {}
+        is_admin_permission_directly_granted = False
+        admin_permission_derived_from = PermissionDerivedFromData()
 
         def add_permission(
             permission_key: str,
@@ -178,32 +188,38 @@ def add_permission(
 
         # Add user's direct permissions
         for permission_key in self.user.permissions:
+            if self.user.admin:
+                is_admin_permission_directly_granted = True
+
             add_permission(permission_key, None, None)
 
         # Add group permissions
         for group_permission in self.groups:
+            if group_permission.admin:
+                admin_permission_derived_from.groups.append(group_permission.group)
+
             for permission_key in group_permission.permissions:
                 add_permission(permission_key, group_permission.group, None)
 
         # Add role permissions
         for role_permission in self.roles:
+            if role_permission.admin:
+                admin_permission_derived_from.roles.append(role_permission.role)
+
             for permission_key in role_permission.permissions:
                 add_permission(permission_key, None, role_permission.role)
 
+        if self.is_organisation_admin or self.user.admin or self.admin_override:
+            is_admin_permission_directly_granted = True
+
         return UserDetailedPermissionsData(
-            admin=self.admin, permissions=list(permission_map.values())
+            admin=self.admin,
+            is_directly_granted=is_admin_permission_directly_granted,
+            derived_from=admin_permission_derived_from,
+            permissions=list(permission_map.values()),
         )
 
 
-def get_project_permission_data(project_id: int, user_id: int) -> PermissionData:
-    project_permission_svc = _ProjectPermissionService(project_id, user_id)
-    return PermissionData(
-        groups=get_groups_permission_data(project_permission_svc.group_qs),
-        user=get_user_permission_data(project_permission_svc.user_permission),  # type: ignore[arg-type]
-        roles=get_roles_permission_data_for_project(project_id, user_id),
-    )
-
-
 def get_organisation_permission_data(
     organisation_id: int, user: "FFAdminUser"
 ) -> PermissionData:
@@ -212,19 +228,42 @@ def get_organisation_permission_data(
         is_organisation_admin=user.is_organisation_admin(organisation_id),
         groups=get_groups_permission_data(org_permission_svc.group_qs),
         user=get_user_permission_data(org_permission_svc.user_permission),  # type: ignore[arg-type]
-        roles=get_roles_permission_data_for_organisation(organisation_id, user.id),
+        roles=org_permission_svc.roles,
+    )
+
+
+def get_project_permission_data(
+    project: Project, user: "FFAdminUser"
+) -> PermissionData:
+    project_permission_svc = _ProjectPermissionService(project.id, user.id)
+    return PermissionData(
+        is_organisation_admin=user.is_organisation_admin(project.organisation_id),
+        groups=get_groups_permission_data(project_permission_svc.group_qs),
+        user=get_user_permission_data(project_permission_svc.user_permission),  # type: ignore[arg-type]
+        roles=project_permission_svc.roles,
     )
 
 
 def get_environment_permission_data(
     environment: "Environment", user: "FFAdminUser"
 ) -> PermissionData:
-    environment_permission_svc = _EnvironmentPermissionService(environment.id, user.id)
+    project_permission_svc = _ProjectPermissionService(environment.project_id, user.id)
+    environment_permission_svc = _EnvironmentPermissionService(
+        environment.id, user.id, project_permission_svc=project_permission_svc
+    )
+
     return PermissionData(
+        is_organisation_admin=user.is_organisation_admin(
+            environment.project.organisation_id
+        ),
         groups=get_groups_permission_data(environment_permission_svc.group_qs),
         user=get_user_permission_data(environment_permission_svc.user_permission),  # type: ignore[arg-type]
-        roles=get_roles_permission_data_for_environment(environment.id, user.id),
-        admin_override=is_user_project_admin(user, project=environment.project),
+        roles=environment_permission_svc.roles_data,
+        inherited_admin_groups=get_groups_permission_data(
+            environment_permission_svc.inherited_admin_group_qs
+        ),
+        inherited_admin_roles=environment_permission_svc.inherited_admin_roles,
+        admin_override=environment_permission_svc.inherited_user_admin,
     )
 
 
@@ -289,11 +328,46 @@ def group_qs(self) -> GroupPermissionQs:
             group__users=self.user_id, organisation=self.organisation_id
         )
 
+    @property
+    def roles(self) -> typing.List[RolePermissionData]:
+        roles_permission_data: typing.List[RolePermissionData] = (
+            get_roles_permission_data_for_organisation(
+                self.organisation_id, self.user_id
+            )
+        )
+        return roles_permission_data
+
+
+@dataclass
+class _ProjectPermissionService:
+    project_id: int
+    user_id: int
+
+    @property
+    def user_permission(self) -> typing.Optional[UserProjectPermission]:
+        return UserProjectPermission.objects.filter(
+            project_id=self.project_id, user_id=self.user_id
+        ).first()
+
+    @property
+    def group_qs(self) -> GroupPermissionQs:
+        return UserPermissionGroupProjectPermission.objects.filter(
+            group__users=self.user_id, project=self.project_id
+        )
+
+    @property
+    def roles(self) -> typing.List[RolePermissionData]:
+        roles_permission_data: typing.List[RolePermissionData] = (
+            get_roles_permission_data_for_project(self.project_id, self.user_id)
+        )
+        return roles_permission_data
+
 
 @dataclass
 class _EnvironmentPermissionService:
     environment_id: int
     user_id: int
+    project_permission_svc: _ProjectPermissionService
 
     @property
     def user_permission(self) -> typing.Optional[UserEnvironmentPermission]:
@@ -307,20 +381,23 @@ def group_qs(self) -> GroupPermissionQs:
             group__users=self.user_id, environment=self.environment_id
         )
 
+    @property
+    def roles_data(self) -> typing.List[RolePermissionData]:
+        roles_permission_data: typing.List[RolePermissionData] = (
+            get_roles_permission_data_for_environment(self.environment_id, self.user_id)
+        )
+        return roles_permission_data
 
-@dataclass
-class _ProjectPermissionService:
-    project_id: int
-    user_id: int
+    @property
+    def inherited_user_admin(self) -> bool:
+        if user_permission := self.project_permission_svc.user_permission:
+            return user_permission.admin
+        return False
 
     @property
-    def user_permission(self) -> typing.Optional[UserProjectPermission]:
-        return UserProjectPermission.objects.filter(
-            project_id=self.project_id, user_id=self.user_id
-        ).first()
+    def inherited_admin_group_qs(self) -> GroupPermissionQs:
+        return self.project_permission_svc.group_qs.filter(admin=True)
 
     @property
-    def group_qs(self) -> GroupPermissionQs:
-        return UserPermissionGroupProjectPermission.objects.filter(
-            group__users=self.user_id, project=self.project_id
-        )
+    def inherited_admin_roles(self) -> typing.List[RolePermissionData]:
+        return [role for role in self.project_permission_svc.roles if role.admin]
diff --git a/api/permissions/serializers.py b/api/permissions/serializers.py
@@ -78,3 +78,5 @@ class DetailedPermissionsSerializer(serializers.Serializer):  # type: ignore[typ
 class UserDetailedPermissionsSerializer(serializers.Serializer):  # type: ignore[type-arg]
     admin = serializers.BooleanField()
     permissions = DetailedPermissionsSerializer(many=True)
+    is_directly_granted = serializers.BooleanField()
+    derived_from = DerivedFromSerializer()
diff --git a/api/projects/views.py b/api/projects/views.py
@@ -185,7 +185,9 @@ def user_permissions(self, request: Request, pk: int = None):  # type: ignore[no
                     "detail": "This endpoint can only be used with a user and not Master API Key"
                 },
             )
-        permission_data = get_project_permission_data(pk, user_id=request.user.id)
+
+        project = self.get_object()
+        permission_data = get_project_permission_data(project, user=request.user)  # type: ignore[arg-type]
         serializer = UserObjectPermissionsSerializer(instance=permission_data)
         return Response(serializer.data)
 
@@ -265,8 +267,10 @@ def get_serializer_class(self):  # type: ignore[no-untyped-def]
 @permission_classes([IsAuthenticated, IsProjectAdmin])
 def get_user_project_permissions(request, **kwargs):  # type: ignore[no-untyped-def]
     user_id = kwargs["user_pk"]
+    project = get_object_or_404(Project, pk=kwargs["project_pk"])
+    user = get_object_or_404(FFAdminUser, pk=user_id)
 
-    permission_data = get_project_permission_data(kwargs["project_pk"], user_id=user_id)
+    permission_data = get_project_permission_data(project, user=user)
     # TODO: expose `user` and `groups` attributes from user_permissions_data
     serializer = UserObjectPermissionsSerializer(instance=permission_data)
     return Response(serializer.data)
diff --git a/api/tests/unit/environments/test_unit_environments_views.py b/api/tests/unit/environments/test_unit_environments_views.py
@@ -315,6 +315,8 @@ def test_environment_user_can_get_their_detailed_permissions(
     # Then
     assert response.status_code == status.HTTP_200_OK
     assert response.json()["admin"] is False
+    assert response.json()["is_directly_granted"] is False
+    assert response.json()["derived_from"] == {"groups": [], "roles": []}
     assert response.json()["permissions"] == [
         {
             "permission_key": "VIEW_ENVIRONMENT",
@@ -364,6 +366,8 @@ def test_environment_admin_can_get_detailed_permissions_of_other_user(
     # Then
     assert response.status_code == status.HTTP_200_OK
     assert response.json()["admin"] is False
+    assert response.json()["is_directly_granted"] is False
+    assert response.json()["derived_from"] == {"groups": [], "roles": []}
     assert response.json()["permissions"] == [
         {
             "permission_key": "VIEW_ENVIRONMENT",
diff --git a/api/tests/unit/organisations/test_unit_organisations_views.py b/api/tests/unit/organisations/test_unit_organisations_views.py
@@ -2083,6 +2083,8 @@ def test_organisation_user_can_get_their_detailed_permissions(
     # Then
     assert response.status_code == status.HTTP_200_OK
     assert response.json()["admin"] is False
+    assert response.json()["is_directly_granted"] is False
+    assert response.json()["derived_from"] == {"groups": [], "roles": []}
     assert response.json()["permissions"] == [
         {
             "permission_key": "CREATE_PROJECT",
@@ -2132,6 +2134,8 @@ def test_organisation_admin_can_get_detailed_permissions_of_other_user(
     # Then
     assert response.status_code == status.HTTP_200_OK
     assert response.json()["admin"] is False
+    assert response.json()["is_directly_granted"] is False
+    assert response.json()["derived_from"] == {"groups": [], "roles": []}
     assert response.json()["permissions"] == [
         {
             "permission_key": "CREATE_PROJECT",
diff --git a/api/tests/unit/permissions/test_unit_permissions_calculator.py b/api/tests/unit/permissions/test_unit_permissions_calculator.py
@@ -105,7 +105,7 @@ def test_project_permissions_calculator_get_permission_data(  # type: ignore[no-
         group_project_permission.permissions.add(project_permissions[permission_key])
 
     # When
-    user_permission_data = get_project_permission_data(project.id, user_id=user.id)
+    user_permission_data = get_project_permission_data(project, user=user)
 
     # Then
     assert user_permission_data.admin == expected_admin
@@ -378,7 +378,6 @@ def test_permission_data_to_detailed_permissions_data() -> None:
             role_three_permission_data,
         ],
     ).to_detailed_permissions_data()
-
     # Then
     for permission in detailed_permission_data.permissions:
         assert permission.permission_key in expected_permissions
@@ -389,3 +388,11 @@ def test_permission_data_to_detailed_permissions_data() -> None:
 
     assert detailed_permission_data.admin is True
     assert len(detailed_permission_data.permissions) == 4
+    assert detailed_permission_data.is_directly_granted is True
+    assert detailed_permission_data.derived_from.groups == [
+        group_one_permission_data.group,
+        group_two_permission_data.group,
+    ]
+    assert detailed_permission_data.derived_from.roles == [
+        role_one_permission_data.role
+    ]
diff --git a/api/tests/unit/projects/test_unit_projects_views.py b/api/tests/unit/projects/test_unit_projects_views.py
@@ -964,6 +964,8 @@ def test_project_user_can_get_their_detailed_permissions(
     # Then
     assert response.status_code == status.HTTP_200_OK
     assert response.json()["admin"] is False
+    assert response.json()["is_directly_granted"] is False
+    assert response.json()["derived_from"] == {"groups": [], "roles": []}
     assert response.json()["permissions"] == [
         {
             "permission_key": "VIEW_PROJECT",
@@ -1013,6 +1015,8 @@ def test_project_admin_can_get_detailed_permissions_of_other_user(
     # Then
     assert response.status_code == status.HTTP_200_OK
     assert response.json()["admin"] is False
+    assert response.json()["is_directly_granted"] is False
+    assert response.json()["derived_from"] == {"groups": [], "roles": []}
     assert response.json()["permissions"] == [
         {
             "permission_key": "VIEW_PROJECT",
