feat: workspace saved client wrapper ACLSearchParams.permissionModes …

…use passed value Signed-off-by: Lin Wang <wonglam@amazon.com>
ruanyl · Sep 20, 2023 · b724852 · b724852
1 parent ccd0520
commit b724852
Showing 1 changed file with 22 additions and 14 deletions.
diff --git a/src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts b/src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts
@@ -4,6 +4,7 @@
  */
 
 import { i18n } from '@osd/i18n';
+import { intersection } from 'lodash';
 
 import {
   OpenSearchDashboardsRequest,
@@ -32,6 +33,12 @@ import { SavedObjectsPermissionControlContract } from '../permission_control/cli
 import { WorkspaceFindOptions } from '../types';
 import { getPrincipalsFromRequest } from '../utils';
 
+const ALL_WORKSPACE_INNER_DATA_PERMISSION_MODES: string[] = [
+  WorkspacePermissionMode.LibraryRead,
+  WorkspacePermissionMode.LibraryWrite,
+  WorkspacePermissionMode.Management,
+];
+
 // Can't throw unauthorized for now, the page will be refreshed if unauthorized
 const generateWorkspacePermissionError = () => {
   SavedObjectsErrorHelpers.decorateForbiddenError(
@@ -360,21 +367,20 @@ export class WorkspaceSavedObjectsClientWrapper {
       if (!options.ACLSearchParams) {
         options.ACLSearchParams = {};
       }
+      const workspaceInnerPermissionModes = options.ACLSearchParams.permissionModes
+        ? intersection(
+            options.ACLSearchParams.permissionModes,
+            ALL_WORKSPACE_INNER_DATA_PERMISSION_MODES
+          )
+        : ALL_WORKSPACE_INNER_DATA_PERMISSION_MODES;
+
       if (this.isRelatedToWorkspace(options.type)) {
-        options.ACLSearchParams.permissionModes = options.permissionModes ?? [
-          WorkspacePermissionMode.LibraryRead,
-          WorkspacePermissionMode.LibraryWrite,
-          WorkspacePermissionMode.Management,
-        ];
+        options.ACLSearchParams.permissionModes = workspaceInnerPermissionModes;
         options.ACLSearchParams.principals = principals;
       } else {
         const permittedWorkspaceIds = await this.permissionControl.getPermittedWorkspaceIds(
           wrapperOptions.request,
-          [
-            WorkspacePermissionMode.LibraryRead,
-            WorkspacePermissionMode.LibraryWrite,
-            WorkspacePermissionMode.Management,
-          ]
+          workspaceInnerPermissionModes
         );
 
         if (options.workspaces) {
@@ -408,10 +414,12 @@ export class WorkspaceSavedObjectsClientWrapper {
            */
           options.workspaces = undefined;
           options.ACLSearchParams.workspaces = permittedWorkspaceIds;
-          options.ACLSearchParams.permissionModes = [
-            WorkspacePermissionMode.Read,
-            WorkspacePermissionMode.Write,
-          ];
+          options.ACLSearchParams.permissionModes = options.ACLSearchParams.permissionModes
+            ? intersection(options.ACLSearchParams.permissionModes, [
+                WorkspacePermissionMode.Read,
+                WorkspacePermissionMode.Write,
+              ])
+            : [WorkspacePermissionMode.Read, WorkspacePermissionMode.Write];
           options.ACLSearchParams.principals = principals;
         }
       }