Flagsmith · zachaysan · Nov 14, 2023 · Nov 2, 2023 · Nov 2, 2023 · Nov 2, 2023
@@ -5,7 +5,7 @@
 
 ALLOWED_HOSTS.extend([".ngrok.io", "127.0.0.1", "localhost"])
 
-INSTALLED_APPS.extend(["debug_toolbar"])
+INSTALLED_APPS.extend(["debug_toolbar", "django_extensions"])
 
 MIDDLEWARE.extend(["debug_toolbar.middleware.DebugToolbarMiddleware"])
 

@@ -1,9 +1,20 @@
 # Generated by Django 2.2.10 on 2020-02-19 23:43
 
 from django.db import migrations
-
-from environments.permissions.constants import ENVIRONMENT_PERMISSIONS
-
+from environments.permissions.constants import VIEW_ENVIRONMENT, UPDATE_FEATURE_STATE, MANAGE_IDENTITIES, CREATE_CHANGE_REQUEST, APPROVE_CHANGE_REQUEST
+ENVIRONMENT_PERMISSIONS = [
+    (VIEW_ENVIRONMENT, "View permission for the given environment."),
+    (UPDATE_FEATURE_STATE, "Update the state or value for a given feature state."),
+    (MANAGE_IDENTITIES, "Manage identities in the given environment."),
+    (
+        CREATE_CHANGE_REQUEST,
+        "Permission to create change requests in the given environment.",
+    ),
+    (
+        APPROVE_CHANGE_REQUEST,
+        "Permission to approve change requests in the given environment.",
+    ),
+]
 
 def create_default_permissions(apps, schema_editor):
     EnvironmentPermission = apps.get_model('environments', 'EnvironmentPermission')

@@ -5,19 +5,6 @@
 VIEW_IDENTITIES = "VIEW_IDENTITIES"
 CREATE_CHANGE_REQUEST = "CREATE_CHANGE_REQUEST"
 APPROVE_CHANGE_REQUEST = "APPROVE_CHANGE_REQUEST"
-
-ENVIRONMENT_PERMISSIONS = [
-    (VIEW_ENVIRONMENT, "View permission for the given environment."),
-    (UPDATE_FEATURE_STATE, "Update the state or value for a given feature state."),
-    (MANAGE_IDENTITIES, "Manage identities in the given environment."),
-    (
-        CREATE_CHANGE_REQUEST,
-        "Permission to create change requests in the given environment.",
-    ),
-    (
-        APPROVE_CHANGE_REQUEST,
-        "Permission to approve change requests in the given environment.",
-    ),
-]
+MANAGE_SEGMENT_OVERRIDES = "MANAGE_SEGMENT_OVERRIDES"
 
 TAG_SUPPORTED_PERMISSIONS = [UPDATE_FEATURE_STATE]
@@ -0,0 +1,55 @@
+# Generated by Django 3.2.20 on 2023-11-01 19:54
+
+from django.db import migrations
+from environments.permissions.constants import MANAGE_SEGMENT_OVERRIDES, UPDATE_FEATURE_STATE
+from core.migration_helpers import create_new_environment_permissions
+
+from permissions.models import ENVIRONMENT_PERMISSION_TYPE
+
+def add_manage_segment_overrides_permission(apps, schema_editor):
+    PermissionModel = apps.get_model("permissions", "PermissionModel")
+    UserEnvironmentPermission = apps.get_model(
+        "environment_permissions",
+        "UserEnvironmentPermission",
+    )
+    UserPermissionGroupEnvironmentPermission = apps.get_model(
+        "environment_permissions",
+        "UserPermissionGroupEnvironmentPermission",
+    )
+    manage_segment_overrides_permission, _ = PermissionModel.objects.get_or_create(
+        key=MANAGE_SEGMENT_OVERRIDES,
+        description="Permission to manage segment overrides in the given environment",
+        type=ENVIRONMENT_PERMISSION_TYPE,
+    )
+
+    # Add MANAGE_SEGMENT_OVERRIDES to existing UPDATE_FEATURE_STATE holders
+    create_new_environment_permissions(
+        UPDATE_FEATURE_STATE,
+        UserEnvironmentPermission,
+        "userenvironmentpermission",
+        [manage_segment_overrides_permission],
+    )
+    create_new_environment_permissions(
+        UPDATE_FEATURE_STATE,
+        UserPermissionGroupEnvironmentPermission,
+        "userpermissiongroupenvironmentpermission",
+        [manage_segment_overrides_permission],
+    )
+
+
+def remove_manage_segment_overrides_permission(apps, schema_editor):
+    PermissionModel = apps.get_model("permissions", "PermissionModel")
+    PermissionModel.objects.filter(key=MANAGE_SEGMENT_OVERRIDES).delete()
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('environment_permissions', '0007_add_unique_permission_constraint'),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            add_manage_segment_overrides_permission,
+            reverse_code=remove_manage_segment_overrides_permission,
+        )
+    ]
diff --git a/api/environments/tests/test_views.py b/api/environments/tests/test_views.py
@@ -780,9 +780,7 @@ def test_user_can_list_environment_permission(client, environment):
 
     # Then
     assert response.status_code == status.HTTP_200_OK
-    assert (
-        len(response.json()) == 6
-    )  # hard code how many permissions we expect there to be
+    assert len(response.json()) == 7
 
 
 def test_environment_my_permissions_reruns_400_for_master_api_key(

@@ -3,7 +3,7 @@
 from rest_framework.permissions import IsAuthenticated
 
 from environments.models import Environment
-from environments.permissions.constants import UPDATE_FEATURE_STATE
+from environments.permissions.constants import MANAGE_SEGMENT_OVERRIDES
 
 
 class FeatureSegmentPermissions(IsAuthenticated):
@@ -25,12 +25,12 @@ def has_permission(self, request, view):
                 environment = Environment.objects.get(id=int(environment))
 
                 return request.user.has_environment_permission(
-                    UPDATE_FEATURE_STATE, environment
+                    MANAGE_SEGMENT_OVERRIDES, environment
                 )
 
         return False
 
     def has_object_permission(self, request, view, obj):
         return request.user.has_environment_permission(
-            UPDATE_FEATURE_STATE, environment=obj.environment
+            MANAGE_SEGMENT_OVERRIDES, environment=obj.environment
         )
@@ -1,7 +1,7 @@
 from rest_framework import serializers
 from rest_framework.exceptions import PermissionDenied
 
-from environments.permissions.constants import UPDATE_FEATURE_STATE
+from environments.permissions.constants import MANAGE_SEGMENT_OVERRIDES
 from features.models import FeatureSegment
 
 
@@ -115,7 +115,7 @@ def validate(self, attrs):
         environment = environments.pop()
 
         if not self.context["request"].user.has_environment_permission(
-            UPDATE_FEATURE_STATE, environment
+            MANAGE_SEGMENT_OVERRIDES, environment
         ):
             raise PermissionDenied("You do not have permission to perform this action.")
 

@@ -4,6 +4,7 @@
 from rest_framework.permissions import IsAuthenticated
 
 from environments.models import Environment
+from environments.permissions.constants import MANAGE_SEGMENT_OVERRIDES
 from environments.permissions.constants import (
     TAG_SUPPORTED_PERMISSIONS as TAG_SUPPORTED_ENVIRONMENT_PERMISSIONS,
 )
@@ -164,8 +165,7 @@ def has_permission(self, request, view):
             Environment, api_key=view.kwargs["environment_api_key"]
         )
 
-        # TODO: create dedicated permission for creating segment overrides
         return request.user.has_environment_permission(
-            permission=UPDATE_FEATURE_STATE,
+            permission=MANAGE_SEGMENT_OVERRIDES,
             environment=environment,
         )
@@ -787,6 +787,35 @@ def test_get_feature_evaluation_data(project, feature, environment, mocker, clie
     )
 
 
+def test_create_segment_override_forbidden(feature, segment, environment, api_client):
+    # Given
+    url = reverse(
+        "api-v1:environments:create-segment-override",
+        args=[environment.api_key, feature.id],
+    )
+    user = FFAdminUser.objects.create(email="[email protected]")
+    api_client.force_authenticate(user)
+
+    # When
+    enabled = True
+    string_value = "foo"
+    data = {
+        "feature_state_value": {"string_value": string_value},
+        "enabled": enabled,
+        "feature_segment": {"segment": segment.id},
+    }
+
+    response = api_client.post(
+        url, data=json.dumps(data), content_type="application/json"
+    )
+
+    # Then
+    assert response.status_code == 403
+    assert response.data == {
+        "detail": "You do not have permission to perform this action."
+    }
+
+
 def test_create_segment_override(admin_client, feature, segment, environment):
     # Given
     url = reverse(

@@ -690,8 +690,8 @@ def organisation_has_got_feature(request, organisation):
     request_body=CreateSegmentOverrideFeatureStateSerializer(),
     responses={200: CreateSegmentOverrideFeatureStateSerializer()},
 )
-@permission_classes([CreateSegmentOverridePermissions()])
 @api_view(["POST"])
+@permission_classes([CreateSegmentOverridePermissions])
 def create_segment_override(
     request: Request, environment_api_key: str, feature_pk: int
 ):

@@ -2,9 +2,22 @@
 
 from django.db import migrations, models
 
-from environments.permissions.constants import ENVIRONMENT_PERMISSIONS
 from permissions.models import PROJECT_PERMISSION_TYPE, ENVIRONMENT_PERMISSION_TYPE
 from projects.permissions import PROJECT_PERMISSIONS
+from environments.permissions.constants import VIEW_ENVIRONMENT, UPDATE_FEATURE_STATE, MANAGE_IDENTITIES, CREATE_CHANGE_REQUEST, APPROVE_CHANGE_REQUEST
+ENVIRONMENT_PERMISSIONS = [
+    (VIEW_ENVIRONMENT, "View permission for the given environment."),
+    (UPDATE_FEATURE_STATE, "Update the state or value for a given feature state."),
+    (MANAGE_IDENTITIES, "Manage identities in the given environment."),
+    (
+        CREATE_CHANGE_REQUEST,
+        "Permission to create change requests in the given environment.",
+    ),
+    (
+        APPROVE_CHANGE_REQUEST,
+        "Permission to approve change requests in the given environment.",
+    ),
+]
 
 
 def insert_default_project_permissions(apps, schema_model):

@@ -129,6 +129,7 @@ pip-tools = "~6.13.0"
 pytest-cov = "~4.1.0"
 datamodel-code-generator = "~0.22"
 requests-mock = "^1.11.0"
+django-extensions = "^3.2.3"
 
 [build-system]
 requires = ["poetry-core>=1.5.0"]