Add panel permissions and guards, update authorization logic, and enhance tests

backend/src/entities/cedar-authorization/cedar-action-map.ts

@@ -11,13 +11,18 @@ export enum CedarAction {
 	DashboardCreate = 'dashboard:create',
 	DashboardEdit = 'dashboard:edit',
 	DashboardDelete = 'dashboard:delete',
+	PanelRead = 'panel:read',
+	PanelCreate = 'panel:create',
+	PanelEdit = 'panel:edit',
+	PanelDelete = 'panel:delete',
 }
 
 export enum CedarResourceType {
 	Connection = 'RocketAdmin::Connection',
 	Group = 'RocketAdmin::Group',
 	Table = 'RocketAdmin::Table',
 	Dashboard = 'RocketAdmin::Dashboard',
+	Panel = 'RocketAdmin::Panel',
 }
 
 export const CEDAR_ACTION_TYPE = 'RocketAdmin::Action';
@@ -31,4 +36,5 @@ export interface CedarValidationRequest {
 	groupId?: string;
 	tableName?: string;
 	dashboardId?: string;
+	panelId?: string;
 }

backend/src/entities/cedar-authorization/cedar-authorization.service.ts

@@ -34,7 +34,7 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 	}
 
 	async validate(request: CedarValidationRequest): Promise<boolean> {
-		const { userId, action, groupId, tableName, dashboardId } = request;
+		const { userId, action, groupId, tableName, dashboardId, panelId } = request;
 		let { connectionId } = request;
 
 		const actionPrefix = action.split(':')[0];
@@ -61,13 +61,20 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 				const needsSentinel = action === CedarAction.DashboardCreate || !dashboardId;
 				const effectiveDashboardId = needsSentinel ? '__new__' : dashboardId;
 				resourceId = `${connectionId}/${effectiveDashboardId}`;
-				return this.evaluate(userId, connectionId, action, resourceType, resourceId, tableName, effectiveDashboardId);
+				return this.evaluate(userId, connectionId, action, resourceType, resourceId, tableName, effectiveDashboardId, undefined);
+			}
+			case 'panel': {
+				resourceType = CedarResourceType.Panel;
+				const needsSentinel = action === CedarAction.PanelCreate || !panelId;
+				const effectivePanelId = needsSentinel ? '__new__' : panelId;
+				resourceId = `${connectionId}/${effectivePanelId}`;
+				return this.evaluate(userId, connectionId, action, resourceType, resourceId, tableName, undefined, effectivePanelId);
 			}
 			default:
 				return false;
 		}
 
-		return this.evaluate(userId, connectionId, action, resourceType, resourceId, tableName, dashboardId);
+		return this.evaluate(userId, connectionId, action, resourceType, resourceId, tableName, dashboardId, undefined);
 	}
 
 	invalidatePolicyCacheForConnection(connectionId: string): void {
@@ -169,6 +176,7 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 		resourceId: string,
 		tableName?: string,
 		dashboardId?: string,
+		panelId?: string,
 	): Promise<boolean> {
 		await this.assertUserNotSuspended(userId);
 
@@ -178,7 +186,7 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 		const groupPolicies = this.loadPoliciesPerGroup(userGroups);
 		if (groupPolicies.length === 0) return false;
 
-		const entities = buildCedarEntities(userId, userGroups, connectionId, tableName, dashboardId);
+		const entities = buildCedarEntities(userId, userGroups, connectionId, tableName, dashboardId, panelId);
 
 		for (const policy of groupPolicies) {
 			const call = {
@@ -303,6 +311,19 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 				);
 			}
 		}
+
+		const panelResourceIds = [...cedarPolicy.matchAll(/resource\s*==\s*RocketAdmin::Panel::"([^"]+)"/g)].map(
+			(m) => m[1],
+		);
+
+		for (const panelRef of panelResourceIds) {
+			if (!panelRef.startsWith(`${connectionId}/`)) {
+				throw new HttpException(
+					{ message: Messages.CEDAR_POLICY_REFERENCES_FOREIGN_CONNECTION },
+					HttpStatus.BAD_REQUEST,
+				);
+			}
+		}
 	}
 
 }

backend/src/entities/cedar-authorization/cedar-entity-builder.ts

@@ -12,6 +12,7 @@ export function buildCedarEntities(
 	connectionId: string,
 	tableName?: string,
 	dashboardId?: string,
+	panelId?: string,
 ): Array<CedarEntityRecord> {
 	const entities: Array<CedarEntityRecord> = [];
 
@@ -58,5 +59,13 @@ export function buildCedarEntities(
 		});
 	}
 
+	if (panelId) {
+		entities.push({
+			uid: { type: 'RocketAdmin::Panel', id: `${connectionId}/${panelId}` },
+			attrs: { connectionId: connectionId },
+			parents: [{ type: 'RocketAdmin::Connection', id: connectionId }],
+		});
+	}
+
 	return entities;
 }

backend/src/entities/cedar-authorization/cedar-policy-generator.ts

@@ -87,6 +87,46 @@ export function generateCedarPolicyForGroup(
 		}
 	}
 
+	if (permissions.panels) {
+		let hasPanelCreatePermission = false;
+		let hasPanelReadPermission = false;
+		for (const panel of permissions.panels) {
+			const panelRef = `RocketAdmin::Panel::"${connectionId}/${panel.panelId}"`;
+			const access = panel.accessLevel;
+
+			if (access.read) {
+				hasPanelReadPermission = true;
+				policies.push(
+					`permit(\n  principal,\n  action == RocketAdmin::Action::"panel:read",\n  resource == ${panelRef}\n);`,
+				);
+			}
+			if (access.create) {
+				hasPanelCreatePermission = true;
+			}
+			if (access.edit) {
+				policies.push(
+					`permit(\n  principal,\n  action == RocketAdmin::Action::"panel:edit",\n  resource == ${panelRef}\n);`,
+				);
+			}
+			if (access.delete) {
+				policies.push(
+					`permit(\n  principal,\n  action == RocketAdmin::Action::"panel:delete",\n  resource == ${panelRef}\n);`,
+				);
+			}
+		}
+		const newPanelRef = `RocketAdmin::Panel::"${connectionId}/__new__"`;
+		if (hasPanelReadPermission) {
+			policies.push(
+				`permit(\n  principal,\n  action == RocketAdmin::Action::"panel:read",\n  resource == ${newPanelRef}\n);`,
+			);
+		}
+		if (hasPanelCreatePermission) {
+			policies.push(
+				`permit(\n  principal,\n  action == RocketAdmin::Action::"panel:create",\n  resource == ${newPanelRef}\n);`,
+			);
+		}
+	}
+
 	for (const table of permissions.tables) {
 		const tableRef = `RocketAdmin::Table::"${connectionId}/${table.tableName}"`;
 		const access = table.accessLevel;

backend/src/entities/cedar-authorization/cedar-policy-parser.ts

@@ -2,6 +2,7 @@ import { AccessLevelEnum } from '../../enums/index.js';
 import {
 	IComplexPermission,
 	IDashboardPermissionData,
+	IPanelPermissionData,
 	ITablePermissionData,
 } from '../permission/permission.interface.js';
 
@@ -24,10 +25,12 @@ export function parseCedarPolicyToClassicalPermissions(
 		group: { groupId, accessLevel: AccessLevelEnum.none },
 		tables: [],
 		dashboards: [],
+		panels: [],
 	};
 
 	const tableMap = new Map<string, ITablePermissionData>();
 	const dashboardMap = new Map<string, IDashboardPermissionData>();
+	const panelMap = new Map<string, IPanelPermissionData>();
 
 	for (const permit of permits) {
 		if (permit.isWildcard) {
@@ -75,6 +78,16 @@ export function parseCedarPolicyToClassicalPermissions(
 				applyDashboardAction(dashboardEntry, permit.action);
 				break;
 			}
+			case 'panel:read':
+			case 'panel:create':
+			case 'panel:edit':
+			case 'panel:delete': {
+				const panelId = extractPanelId(permit.resourceId, connectionId);
+				if (!panelId) break;
+				const panelEntry = getOrCreatePanelEntry(panelMap, panelId);
+				applyPanelAction(panelEntry, permit.action);
+				break;
+			}
 		}
 	}
 
@@ -84,6 +97,7 @@ export function parseCedarPolicyToClassicalPermissions(
 		a.readonly = a.visibility && !a.add && !a.edit && !a.delete;
 	}
 	result.dashboards = Array.from(dashboardMap.values());
+	result.panels = Array.from(panelMap.values());
 
 	return result;
 }
@@ -268,3 +282,49 @@ function applyDashboardAction(entry: IDashboardPermissionData, action: string):
 			break;
 	}
 }
+
+function extractPanelId(resourceId: string | null, connectionId: string): string | null {
+	if (!resourceId) return null;
+	const prefix = `${connectionId}/`;
+	if (resourceId.startsWith(prefix)) {
+		return resourceId.slice(prefix.length);
+	}
+	return resourceId;
+}
+
+function getOrCreatePanelEntry(
+	map: Map<string, IPanelPermissionData>,
+	panelId: string,
+): IPanelPermissionData {
+	let entry = map.get(panelId);
+	if (!entry) {
+		entry = {
+			panelId,
+			accessLevel: {
+				read: false,
+				create: false,
+				edit: false,
+				delete: false,
+			},
+		};
+		map.set(panelId, entry);
+	}
+	return entry;
+}
+
+function applyPanelAction(entry: IPanelPermissionData, action: string): void {
+	switch (action) {
+		case 'panel:read':
+			entry.accessLevel.read = true;
+			break;
+		case 'panel:create':
+			entry.accessLevel.create = true;
+			break;
+		case 'panel:edit':
+			entry.accessLevel.edit = true;
+			break;
+		case 'panel:delete':
+			entry.accessLevel.delete = true;
+			break;
+	}
+}

backend/src/entities/cedar-authorization/cedar-schema.ts

@@ -45,6 +45,15 @@ export const CEDAR_SCHEMA = {
 					},
 				},
 			},
+			Panel: {
+				memberOfTypes: ['Connection'],
+				shape: {
+					type: 'Record',
+					attributes: {
+						connectionId: { type: 'String' },
+					},
+				},
+			},
 		},
 		actions: {
 			'connection:read': {
@@ -119,6 +128,30 @@ export const CEDAR_SCHEMA = {
 					resourceTypes: ['Dashboard'],
 				},
 			},
+			'panel:read': {
+				appliesTo: {
+					principalTypes: ['User'],
+					resourceTypes: ['Panel'],
+				},
+			},
+			'panel:create': {
+				appliesTo: {
+					principalTypes: ['User'],
+					resourceTypes: ['Panel'],
+				},
+			},
+			'panel:edit': {
+				appliesTo: {
+					principalTypes: ['User'],
+					resourceTypes: ['Panel'],
+				},
+			},
+			'panel:delete': {
+				appliesTo: {
+					principalTypes: ['User'],
+					resourceTypes: ['Panel'],
+				},
+			},
 		},
 	},
 };

backend/src/entities/permission/permission.interface.ts

@@ -5,6 +5,7 @@ export interface IComplexPermission {
 	group: IGroupPermissionData;
 	tables: Array<ITablePermissionData>;
 	dashboards?: Array<IDashboardPermissionData>;
+	panels?: Array<IPanelPermissionData>;
 }
 
 export interface IConnectionPermissionData {
@@ -45,3 +46,15 @@ export interface IDashboardPermissionData {
 	dashboardId: string;
 	accessLevel: IDashboardAccessLevel;
 }
+
+export interface IPanelAccessLevel {
+	read: boolean;
+	create: boolean;
+	edit: boolean;
+	delete: boolean;
+}
+
+export interface IPanelPermissionData {
+	panelId: string;
+	accessLevel: IPanelAccessLevel;
+}

backend/src/entities/visualizations/panel-position/panel-position.controller.ts

@@ -18,6 +18,7 @@ import { Timeout, TimeoutDefaults } from '../../../decorators/timeout.decorator.
 import { UserId } from '../../../decorators/user-id.decorator.js';
 import { InTransactionEnum } from '../../../enums/in-transaction.enum.js';
 import { ConnectionEditGuard } from '../../../guards/connection-edit.guard.js';
+import { DashboardEditGuard } from '../../../guards/dashboard-edit.guard.js';
 import { SentryInterceptor } from '../../../interceptors/sentry.interceptor.js';
 import { CreatePanelPositionDs } from './data-structures/create-panel-position.ds.js';
 import { DeletePanelPositionDs } from './data-structures/delete-panel-position.ds.js';
@@ -67,7 +68,7 @@ export class DashboardWidgetController {
 	@ApiBody({ type: CreatePanelPositionDto })
 	@ApiParam({ name: 'dashboardId', required: true })
 	@ApiParam({ name: 'connectionId', required: true })
-	@UseGuards(ConnectionEditGuard)
+	@UseGuards(DashboardEditGuard)
 	@Post('/dashboard/:dashboardId/widget/:connectionId')
 	async createWidget(
 		@SlugUuid('connectionId') connectionId: string,
@@ -100,7 +101,7 @@ export class DashboardWidgetController {
 	@ApiParam({ name: 'dashboardId', required: true })
 	@ApiParam({ name: 'widgetId', required: true })
 	@ApiParam({ name: 'connectionId', required: true })
-	@UseGuards(ConnectionEditGuard)
+	@UseGuards(DashboardEditGuard)
 	@Put('/dashboard/:dashboardId/widget/:widgetId/:connectionId')
 	async updateWidget(
 		@SlugUuid('connectionId') connectionId: string,
@@ -134,7 +135,7 @@ export class DashboardWidgetController {
 	@ApiParam({ name: 'dashboardId', required: true })
 	@ApiParam({ name: 'widgetId', required: true })
 	@ApiParam({ name: 'connectionId', required: true })
-	@UseGuards(ConnectionEditGuard)
+	@UseGuards(DashboardEditGuard)
 	@Delete('/dashboard/:dashboardId/widget/:widgetId/:connectionId')
 	async deleteWidget(
 		@SlugUuid('connectionId') connectionId: string,

backend/src/entities/visualizations/panel/data-structures/find-all-panels.ds.ts

@@ -1,4 +1,5 @@
 export class FindAllPanelsDs {
 	connectionId: string;
 	masterPassword: string;
+	userId: string;
 }