feat(5308): Add endpoints to support permission debugging

api/environments/permissions/permissions.py

@@ -53,7 +53,8 @@ def has_object_permission(self, request, view, obj):  # type: ignore[no-untyped-
             return request.user.has_environment_permission(VIEW_ENVIRONMENT, obj)
 
         return request.user.is_environment_admin(obj) or view.action in [
-            "user_permissions"
+            "user_permissions",
+            "detailed_permissions",
         ]
 
 

api/environments/views.py

@@ -30,9 +30,11 @@
 from permissions.permissions_calculator import get_environment_permission_data
 from permissions.serializers import (
     PermissionModelSerializer,
+    UserDetailedPermissionsSerializer,
     UserObjectPermissionsSerializer,
 )
 from projects.models import Project
+from users.models import FFAdminUser
 from webhooks.mixins import TriggerSampleWebhookMixin
 from webhooks.webhooks import WebhookType
 
@@ -243,6 +245,35 @@ def user_permissions(self, request, *args, **kwargs):  # type: ignore[no-untyped
         serializer = UserObjectPermissionsSerializer(instance=permission_data)
         return Response(serializer.data)
 
+    @swagger_auto_schema(
+        responses={200: UserDetailedPermissionsSerializer},
+    )  # type: ignore[misc]
+    @action(
+        detail=True,
+        methods=["GET"],
+        url_path=r"user-detailed-permissions/(?P<user_id>\d+)",
+        url_name="user-detailed-permissions",
+    )
+    def detailed_permissions(
+        self, request: Request, api_key: str, user_id: str
+    ) -> Response:
+        environment = self.get_object()
+        user = request.user
+        user_id_int = int(user_id)
+
+        if request.user.id != user_id_int:
+            if not request.user.is_environment_admin(environment):  # type: ignore[union-attr]
+                # Only environment admin can get permissions of other users
+                raise PermissionDenied()
+
+            user = get_object_or_404(FFAdminUser, id=user_id_int)
+
+        permission_data = get_environment_permission_data(environment, user)  # type: ignore[arg-type]
+        serializer = UserDetailedPermissionsSerializer(
+            permission_data.to_detailed_permissions_data()
+        )
+        return Response(serializer.data)
+
     @swagger_auto_schema(responses={200: SDKEnvironmentDocumentModel})  # type: ignore[misc]
     @action(detail=True, methods=["GET"], url_path="document")
     def get_document(self, request, api_key: str):  # type: ignore[no-untyped-def]

api/organisations/permissions/permissions.py

@@ -105,7 +105,8 @@ def has_permission(self, request, view):  # type: ignore[no-untyped-def]
 
     def has_object_permission(self, request, view, obj):  # type: ignore[no-untyped-def]
         return request.user.is_organisation_admin(obj) or (
-            view.action == "my_permissions" and request.user.belongs_to(obj)
+            view.action in ["my_permissions", "detailed_permissions"]
+            and request.user.belongs_to(obj)
         )
 
 

api/organisations/views.py

@@ -10,7 +10,7 @@
 from rest_framework import status, viewsets
 from rest_framework.authentication import BasicAuthentication
 from rest_framework.decorators import action, api_view, authentication_classes
-from rest_framework.exceptions import ValidationError
+from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.generics import ListAPIView, get_object_or_404
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
@@ -53,9 +53,11 @@
 from permissions.permissions_calculator import get_organisation_permission_data
 from permissions.serializers import (
     PermissionModelSerializer,
+    UserDetailedPermissionsSerializer,
     UserObjectPermissionsSerializer,
 )
 from projects.serializers import ProjectListSerializer
+from users.models import FFAdminUser
 from users.serializers import UserIdSerializer
 from webhooks.mixins import TriggerSampleWebhookMixin
 from webhooks.webhooks import WebhookType
@@ -275,6 +277,33 @@ def my_permissions(self, request, pk):  # type: ignore[no-untyped-def]
 
         return Response(serializer.data)
 
+    @swagger_auto_schema(
+        responses={200: UserDetailedPermissionsSerializer},
+    )  # type: ignore[misc]
+    @action(
+        detail=True,
+        methods=["GET"],
+        url_path=r"user-detailed-permissions/(?P<user_id>\d+)",
+        url_name="user-detailed-permissions",
+    )
+    def detailed_permissions(self, request: Request, pk: str, user_id: str) -> Response:
+        organisation = self.get_object()
+        user = request.user
+        user_id_int = int(user_id)
+
+        if request.user.id != user_id_int:
+            if not request.user.is_organisation_admin(organisation):  # type: ignore[union-attr]
+                # Only organisation admin can get permissions of other users
+                raise PermissionDenied()
+
+            user = get_object_or_404(FFAdminUser, id=user_id_int)
+
+        permission_data = get_organisation_permission_data(organisation, user)  # type: ignore[arg-type]
+        serializer = UserDetailedPermissionsSerializer(
+            permission_data.to_detailed_permissions_data()
+        )
+        return Response(serializer.data)
+
 
 @api_view(["POST"])
 @authentication_classes([BasicAuthentication])