Permissions: More granular access and Project Access page

gen/openapi-config.ts

@@ -7,7 +7,7 @@ const outputFiles = {
   market: ['marketAddonList', 'marketAddonDetail', 'marketAddonVersionDetail'],
   watchers: ['getEntityWatchers', 'setEntityWatchers'],
   inbox: ['manageInboxItem'],
-  project: ['getProject', 'listProjects', 'getProjectAnatomy'],
+  project: ['getProject', 'listProjects', 'getProjectAnatomy', 'getProjectUsers'],
   review: [
     'getReviewablesForVersion',
     'getReviewablesForProduct',

src/api/rest/permissions.ts

@@ -0,0 +1,89 @@
+import { RestAPI as api } from '../../services/ayon'
+const injectedRtkApi = api.injectEndpoints({
+  endpoints: (build) => ({
+    getCurrentUserPermissions: build.query<
+      GetCurrentUserPermissionsApiResponse,
+      GetCurrentUserPermissionsApiArg
+    >({
+      query: () => ({ url: `/api/users/me/permissions` }),
+    }),
+    getCurrentUserProjectPermissions: build.query<
+      GetCurrentUserProjectPermissionsApiResponse,
+      GetCurrentUserProjectPermissionsApiArg
+    >({
+      query: (queryArg) => ({ url: `/api/users/me/permissions/${queryArg.projectName}` }),
+    }),
+  }),
+  overrideExisting: false,
+})
+export { injectedRtkApi as api }
+export type GetCurrentUserPermissionsApiResponse = /** status 200 Successful Response */ any
+export type GetCurrentUserPermissionsApiArg = void
+export type GetCurrentUserProjectPermissionsApiResponse =
+  /** status 200 Successful Response */ Permissions
+export type GetCurrentUserProjectPermissionsApiArg = {
+  projectName: string
+}
+export type ErrorResponse = {
+  code: number
+  detail: string
+}
+export type ValidationError = {
+  loc: (string | number)[]
+  msg: string
+  type: string
+}
+export type HttpValidationError = {
+  detail?: ValidationError[]
+}
+export type StudioSettingsAccessModel = {
+  enabled?: boolean
+  /** List of addons a user can access */
+  addons?: string[]
+}
+export type ProjectSettingsAccessModel = {
+  enabled?: boolean
+  /** List of addons a user can access */
+  addons?: string[]
+  /** Allow users to update the project anatomy */
+  anatomy_update?: boolean
+}
+export type FolderAccess = {
+  access_type?: string
+  /** The path of the folder to allow access to. Required for access_type 'hierarchy and 'children' */
+  path?: string
+}
+export type FolderAccessList = {
+  enabled?: boolean
+  access_list?: FolderAccess[]
+}
+export type AttributeAccessList = {
+  enabled?: boolean
+  attributes?: string[]
+}
+export type EndpointsAccessList = {
+  enabled?: boolean
+  endpoints?: string[]
+}
+export type Permissions = {
+  /** Restrict access to studio settings */
+  studio_settings?: StudioSettingsAccessModel
+  /** Restrict write access to project settings */
+  project_settings?: ProjectSettingsAccessModel
+  /** Whitelist folders a user can create */
+  create?: FolderAccessList
+  /** Whitelist folders a user can read */
+  read?: FolderAccessList
+  /** Whitelist folders a user can update */
+  update?: FolderAccessList
+  /** Whitelist folders a user can publish to */
+  publish?: FolderAccessList
+  /** Whitelist folders a user can delete */
+  delete?: FolderAccessList
+  /** Whitelist attributes a user can read */
+  attrib_read?: AttributeAccessList
+  /** Whitelist attributes a user can write */
+  attrib_write?: AttributeAccessList
+  /** Whitelist REST endpoints a user can access */
+  endpoints?: EndpointsAccessList
+}

src/api/rest/project.ts

@@ -12,6 +12,14 @@ const injectedRtkApi = api.injectEndpoints({
         method: 'HEAD',
       }),
     }),
+    getProjectFilePayload: build.query<
+      GetProjectFilePayloadApiResponse,
+      GetProjectFilePayloadApiArg
+    >({
+      query: (queryArg) => ({
+        url: `/api/projects/${queryArg.projectName}/files/${queryArg.fileId}/payload`,
+      }),
+    }),
     getProjectFileThumbnail: build.query<
       GetProjectFileThumbnailApiResponse,
       GetProjectFileThumbnailApiArg
@@ -32,12 +40,10 @@ const injectedRtkApi = api.injectEndpoints({
     getProjectActivity: build.query<GetProjectActivityApiResponse, GetProjectActivityApiArg>({
       query: (queryArg) => ({
         url: `/api/projects/${queryArg.projectName}/dashboard/activity`,
-        params: {
-          days: queryArg.days,
-        },
+        params: { days: queryArg.days },
       }),
     }),
-    getProjectUsers: build.query<GetProjectUsersApiResponse, GetProjectUsersApiArg>({
+    getProjectTeams: build.query<GetProjectTeamsApiResponse, GetProjectTeamsApiArg>({
       query: (queryArg) => ({ url: `/api/projects/${queryArg.projectName}/dashboard/users` }),
     }),
     getProjectAnatomy: build.query<GetProjectAnatomyApiResponse, GetProjectAnatomyApiArg>({
@@ -72,14 +78,13 @@ const injectedRtkApi = api.injectEndpoints({
     getProjectSiteRoots: build.query<GetProjectSiteRootsApiResponse, GetProjectSiteRootsApiArg>({
       query: (queryArg) => ({
         url: `/api/projects/${queryArg.projectName}/siteRoots`,
-        headers: {
-          'x-ayon-site-id': queryArg['x-ayon-site-id'],
-        },
-        params: {
-          platform: queryArg.platform,
-        },
+        headers: { 'x-ayon-site-id': queryArg['x-ayon-site-id'] },
+        params: { platform: queryArg.platform },
       }),
     }),
+    getProjectUsers: build.query<GetProjectUsersApiResponse, GetProjectUsersApiArg>({
+      query: (queryArg) => ({ url: `/api/projects/${queryArg.projectName}/users` }),
+    }),
     getProjectEntityUris: build.mutation<
       GetProjectEntityUrisApiResponse,
       GetProjectEntityUrisApiArg
@@ -104,6 +109,11 @@ export type GetProjectFileHeadApiArg = {
   fileId: string
   projectName: string
 }
+export type GetProjectFilePayloadApiResponse = /** status 200 Successful Response */ any
+export type GetProjectFilePayloadApiArg = {
+  fileId: string
+  projectName: string
+}
 export type GetProjectFileThumbnailApiResponse = /** status 200 Successful Response */ any
 export type GetProjectFileThumbnailApiArg = {
   fileId: string
@@ -124,8 +134,9 @@ export type GetProjectActivityApiArg = {
   /** Number of days to retrieve activity for */
   days?: number
 }
-export type GetProjectUsersApiResponse = /** status 200 Successful Response */ UsersResponseModel
-export type GetProjectUsersApiArg = {
+export type GetProjectTeamsApiResponse =
+  /** status 200 Successful Response */ ProjectTeamsResponseModel
+export type GetProjectTeamsApiArg = {
   projectName: string
 }
 export type GetProjectAnatomyApiResponse = /** status 200 Successful Response */ ProjectAnatomy
@@ -173,6 +184,12 @@ export type GetProjectSiteRootsApiArg = {
   /** Site ID may be specified either as a query parameter (`site_id` or `site`) or in a header. */
   'x-ayon-site-id'?: string
 }
+export type GetProjectUsersApiResponse = /** status 200 Successful Response */ {
+  [key: string]: string[]
+}
+export type GetProjectUsersApiArg = {
+  projectName: string
+}
 export type GetProjectEntityUrisApiResponse = /** status 200 Successful Response */ GetUrisResponse
 export type GetProjectEntityUrisApiArg = {
   projectName: string
@@ -238,7 +255,7 @@ export type ActivityResponseModel = {
   /** Activity per day normalized to 0-100 */
   activity: number[]
 }
-export type UsersResponseModel = {
+export type ProjectTeamsResponseModel = {
   /** Number of active team members */
   teamSizeActive?: number
   /** Total number of team members */
@@ -299,6 +316,7 @@ export type Templates = {
   others?: CustomTemplate[]
 }
 export type ProjectAttribModel = {
+  priority?: 'urgent' | 'high' | 'normal' | 'low'
   /** Frame rate */
   fps?: number
   /** Horizontal resolution */
@@ -346,6 +364,8 @@ export type Status = {
   state?: 'not_started' | 'in_progress' | 'done' | 'blocked'
   icon?: string
   color?: string
+  /** Limit the status to specific entity types. */
+  scope?: string[]
   original_name?: string
 }
 export type Tag = {
@@ -398,6 +418,7 @@ export type LinkTypeModel = {
   data?: object
 }
 export type ProjectAttribModel2 = {
+  priority?: 'urgent' | 'high' | 'normal' | 'low'
   /** Frame rate */
   fps?: number
   /** Horizontal resolution */

src/containers/AddonSettings/AddonSettings.jsx

@@ -1,4 +1,4 @@
-import { useState, useMemo  } from 'react'
+import { useState, useMemo } from 'react'
 import { useSelector } from 'react-redux'
 import { toast } from 'react-toastify'
 
@@ -37,6 +37,8 @@ import { getValueByPath, setValueByPath, sameKeysStructure, compareObjects } fro
 import arrayEquals from '@helpers/arrayEquals'
 import { cloneDeep } from 'lodash'
 import { usePaste } from '@context/pasteContext'
+import useUserProjectPermissions from '@hooks/useUserProjectPermissions'
+import EmptyPlaceholder from '@components/EmptyPlaceholder/EmptyPlaceholder'
 
 /*
  * key is {addonName}|{addonVersion}|{variant}|{siteId}|{projectKey}
@@ -52,6 +54,7 @@ const isChildPath = (childPath, parentPath) => {
 }
 
 const AddonSettings = ({ projectName, showSites = false }) => {
+  const isUser = useSelector((state) => state.user.data.isUser)
   //const navigate = useNavigate()
   const [showHelp, setShowHelp] = useState(false)
   const [selectedAddons, setSelectedAddons] = useState([])
@@ -73,6 +76,8 @@ const AddonSettings = ({ projectName, showSites = false }) => {
   const [promoteBundle] = usePromoteBundleMutation()
   const { requestPaste } = usePaste()
 
+  const userPermissions = useUserProjectPermissions(!isUser)
+
   const projectKey = projectName || '_'
 
   const onAddonFocus = ({ addonName, addonVersion, siteId, path }) => {
@@ -281,8 +286,7 @@ const AddonSettings = ({ projectName, showSites = false }) => {
           }
 
           return { ...unpinnedKeys, [addonKey]: addonChanges }
-        })  // setUnpinnedKeys
-
+        }) // setUnpinnedKeys
       }
     }
   }
@@ -294,15 +298,15 @@ const AddonSettings = ({ projectName, showSites = false }) => {
   const onRemoveOverride = async (addon, siteId, path) => {
     // Remove a single override for this addon (within current project and variant)
     // path is an array of strings
-    
-    // TODO: Use this to staged unpin. 
+
+    // TODO: Use this to staged unpin.
     // It is not used now because we don't have an information about the original value
     //
     // const key = `${addon.name}|${addon.version}|${addon.variant}|${siteId || '_'}|${projectKey}`
     //
     // setChangedKeys((changedKeys) => {
     //   const keyData = changedKeys[key] || []
-    //   
+    //
     //   const index = keyData.findIndex((keyItem) => arrayEquals(keyItem, path))
     //   if (index === -1) {
     //     keyData.push(path)
@@ -502,8 +506,8 @@ const AddonSettings = ({ projectName, showSites = false }) => {
           Are you sure you want to push <strong>{bundleName}</strong> to production?
         </p>
         <p>
-          This will mark the current staging bundle as production and copy all staging
-          studio settings and staging projects overrides to production as well.
+          This will mark the current staging bundle as production and copy all staging studio
+          settings and staging projects overrides to production as well.
         </p>
       </>
     )
@@ -627,6 +631,10 @@ const AddonSettings = ({ projectName, showSites = false }) => {
         />
         <SaveButton
           label="Save Changes"
+          disabled={!userPermissions.canEditSettings(projectName)}
+          data-tooltip={
+            !userPermissions.canEditSettings(projectName) ? "You don't have edit permissions" : undefined
+          }
           onClick={onSave}
           active={canCommit}
           saving={setAddonSettingsUpdating}
@@ -641,6 +649,13 @@ const AddonSettings = ({ projectName, showSites = false }) => {
     setCurrentSelection(null)
   }
 
+  if (!userPermissions.canViewSettings(projectName)) {
+    return <EmptyPlaceholder
+      icon="settings_alert"
+      message="You don't have permissions to view the addon settings for this project"
+    />
+  }
+
   return (
     <Splitter layout="horizontal" style={{ width: '100%', height: '100%' }}>
       <SplitterPanel size={80} style={{ display: 'flex', flexDirection: 'row', gap: 8 }}>
@@ -698,7 +713,11 @@ const AddonSettings = ({ projectName, showSites = false }) => {
         <Section className={showHelp && 'settings-help-visible'}>
           {settingsListHeader}
           <Section>
-            <ScrollPanel className="transparent nopad" style={{ flexGrow: 1 }} id="settings-scroll-panel">
+            <ScrollPanel
+              className="transparent nopad"
+              style={{ flexGrow: 1 }}
+              id="settings-scroll-panel"
+            >
               {selectedAddons
                 .filter((addon) => !addon.isBroken)
                 .reverse()
@@ -761,10 +780,10 @@ const AddonSettings = ({ projectName, showSites = false }) => {
       <SplitterPanel size={20}>
         <Section wrap style={{ minWidth: 300 }}>
           <Toolbar>{commitToolbar}</Toolbar>
-          <SettingsChangesTable 
-            changes={changedKeys} 
-            unpins={unpinnedKeys} 
-            onRevert={onRevertChange} 
+          <SettingsChangesTable
+            changes={changedKeys}
+            unpins={unpinnedKeys}
+            onRevert={onRevertChange}
           />
           {/*}
           <ScrollPanel className="transparent nopad" style={{ flexGrow: 1 }}>

src/containers/SettingsEditor/FormTemplates/ObjectFieldTemplate.tsx

@@ -250,7 +250,7 @@ function ObjectFieldTemplate(props: { id: string } & ObjectFieldTemplateProps) {
         </BadgeWrapper>
       </>
     )
-  }
+  } // Root object - show badges and title
 
   titleComponent = props.idSchema.$id === 'root' ? rootTitle : stringTitle
 
@@ -263,6 +263,12 @@ function ObjectFieldTemplate(props: { id: string } & ObjectFieldTemplateProps) {
     contextMenu(e, contextMenuModel)
   }
 
+
+  const hasEnabled = (props?.schema?.properties || {}).hasOwnProperty('enabled')
+  const isEnabled = props?.formData?.enabled
+
+  const disabled = props.formContext.hideDisabledGroups && hasEnabled && !isEnabled
+
   return (
     <SettingsPanel
       objId={objId}
@@ -276,6 +282,7 @@ function ObjectFieldTemplate(props: { id: string } & ObjectFieldTemplateProps) {
       onContextMenu={onContextMenu}
       currentId={props.formContext.currentId}
       layout={undefined}
+      disabled={disabled}
     >
       {fields}
     </SettingsPanel>

src/containers/SettingsEditor/SettingsEditor.sass

@@ -116,7 +116,7 @@ $field-gap: 8px
     padding: 0 3px
 
     .form-inline-field-label
-      flex-basis: 200px
+      flex-basis: 250px
       padding-left: 4px
       cursor: pointer
       user-select: none