Updated rego rules, job assignee can resolve an issue (#5167)

43e22c2c · Boris Sekachev · GitHub · 80c72340 · 43e22c2c · 43e22c2c
5 changed file
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -61,6 +61,7 @@ non-ascii paths while adding files from "Connected file share" (issue #4428)
 - Skeleton points exported out of order in the COCO Keypoints format
  (<https://github.com/opencv/cvat/issues/5048>)
 - Changing an object causes current z layer to be set to the maximum (<https://github.com/opencv/cvat/pull/5145>)
+- Job assignee can not resolve an issue (<https://github.com/opencv/cvat/pull/5167>)
 - Create manifest with cvat/server docker container command (<https://github.com/opencv/cvat/pull/5172>)

 ### Security

--- a/cvat/apps/iam/rules/issues.csv
+++ b/cvat/apps/iam/rules/issues.csv
@@ -10,9 +10,9 @@ view,Issue,Sandbox,"Project:owner, Project:assignee, Task:owner, Task:assignee,
 view,Issue,Organization,N/A,,GET,/issues/{id},User,Maintainer
 view,Issue,Organization,"Project:owner, Project:assignee, Task:owner, Task:assignee, Job:assignee, Owner, Assignee",,GET,/issues/{id},None,Worker
 update,Issue,Sandbox,N/A,,PATCH,/issues/{id},Admin,N/A
-update,Issue,Sandbox,"Project:owner, Project:assignee, Task:owner, Task:assignee, Owner",,PATCH,/issues/{id},Worker,N/A
+update,Issue,Sandbox,"Project:owner, Project:assignee, Task:owner, Task:assignee, Job:assignee, Owner, Assignee",,PATCH,/issues/{id},Worker,N/A
 update,Issue,Organization,N/A,,PATCH,/issues/{id},User,Maintainer
-update,Issue,Organization,"Project:owner, Project:assignee, Task:owner, Task:assignee, Owner",,PATCH,/issues/{id},Worker,Worker
+update,Issue,Organization,"Project:owner, Project:assignee, Task:owner, Task:assignee, Job:assignee, Owner, Assignee",,PATCH,/issues/{id},Worker,Worker
 delete,Issue,Sandbox,N/A,,DELETE,/issues/{id},Admin,N/A
 delete,Issue,Sandbox,"Project:owner, Project:assignee, Task:owner, Task:assignee, Owner",,DELETE,/issues/{id},Worker,N/A
 delete,Issue,Organization,N/A,,DELETE,/issues/{id},User,Maintainer

--- a/cvat/apps/iam/rules/issues.rego
+++ b/cvat/apps/iam/rules/issues.rego
@@ -222,23 +222,38 @@ allow {
 }

 allow {
-    { utils.UPDATE, utils.DELETE }[input.scope]
+    input.scope == utils.UPDATE
    utils.is_sandbox
    utils.has_perm(utils.WORKER)
-    is_issue_admin
+    is_issue_staff
 }

 allow {
-    { utils.UPDATE, utils.DELETE }[input.scope]
+    input.scope == utils.UPDATE
    input.auth.organization.id == input.resource.organization.id
-    utils.has_perm(utils.USER)
-    organizations.has_perm(organizations.MAINTAINER)
+    utils.has_perm(utils.WORKER)
+    organizations.is_member
+    is_issue_staff
 }

 allow {
-    { utils.UPDATE, utils.DELETE }[input.scope]
+    input.scope == utils.DELETE
+    utils.is_sandbox
+    utils.has_perm(utils.WORKER)
+    is_issue_admin
+}
+
+allow {
+    input.scope == utils.DELETE
    input.auth.organization.id == input.resource.organization.id
    utils.has_perm(utils.WORKER)
    organizations.is_member
    is_issue_admin
 }
+
+allow {
+    { utils.UPDATE, utils.DELETE }[input.scope]
+    input.auth.organization.id == input.resource.organization.id
+    utils.has_perm(utils.USER)
+    organizations.has_perm(organizations.MAINTAINER)
+}
--- a/cvat/apps/iam/rules/issues_test.gen.rego
+++ b/cvat/apps/iam/rules/issues_test.gen.rego
--- a/tests/python/rest_api/test_issues.py
+++ b/tests/python/rest_api/test_issues.py
@@ -169,7 +169,7 @@ class TestPatchIssues:
            ("user", True, None, True),
            ("user", False, None, False),
            ("worker", False, True, True),
-            ("worker", True, False, False),
+            ("worker", True, False, True),
            ("worker", False, False, False),
        ],
    )
@@ -203,7 +203,7 @@ class TestPatchIssues:
            ("owner", True, None, True),
            ("owner", False, None, True),
            ("worker", False, True, True),
-            ("worker", True, False, False),
+            ("worker", True, False, True),
            ("worker", False, False, False),
        ],
    )