Diffusion Comm b49929e80a2b

[keyserver] Write a script to compare database role permissions match…

Description

[keyserver] Write a script to compare database role permissions match expectations

Summary:
This is a script that addresses some feedback from D9599. Ideally, before I put up a diff to attempt to unify universalCommunityPermissions and the general thread permission blobs created for Admins and Members in some way to achieve consistency, it'll be good to run a script against the database contents for roles and permissions to see if there's anything else I'll need to take into consideration. I've already noted that join_thread can probably be removed from universalCommunityPermissions, but the script should tell me the rest.

The flow of the script is as follows:

  1. Fetch roles for community roots and community announcement roots
  2. Extract the relevant information for each role
  3. Get the expected permissions for the role and the actual/existing permissions for the role
  4. Call deepDiff two ways on these two permission blobs
  5. If there are any discrepancies, attempt to link them back to some user surfaced permissions that could indicate that it's only a result of a user editing a role and not a malformed database

I'm not really sure how this script will behave against a production database, but some thorough testing hasn't led to any glaring issues. I'm expecting a ton of output though that I'll need to sit and parse through.

Resolves ENG-5621

Test Plan:
Edited a role's permissions to trigger some changes between the expected and actual role permissions for a role. This is the output of the script:

====================================
Validating: Role Name (Members) | Role ID (90477) | Thread Type (8) | Thread ID (90476)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {
  "join_thread": true,
  "descendant_react_to_message": true,
  "descendant_edit_message": true,
  "descendant_add_members": true,
  "descendant_edit_entries": true,
  "descendant_edit_thread": true,
  "descendant_edit_thread_description": true,
  "descendant_edit_thread_color": true,
  "descendant_toplevel_create_subthreads": true,
  "descendant_edit_thread_avatar": true,
  "descendant_toplevel_create_sidebars": true
}

Potential permission disrecepencies for role Members that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role:

userSurfacedExistingPermissionsToExpectedPermissions = [
  "edit_calendar",
  "create_and_edit_channels",
  "add_members",
  "react_to_messages",
  "edit_messages"
]
====================================
Validating: Role Name (Admins) | Role ID (90478) | Thread Type (8) | Thread ID (90476)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Admins that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role:

====================================
Validating: Role Name (Members) | Role ID (90496) | Thread Type (8) | Thread ID (90495)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Members that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role:

====================================
Validating: Role Name (Admins) | Role ID (90497) | Thread Type (8) | Thread ID (90495)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Admins that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role:

====================================
Validating: Role Name (Members) | Role ID (90515) | Thread Type (8) | Thread ID (90514)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Members that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role:

====================================
Validating: Role Name (Admins) | Role ID (90516) | Thread Type (8) | Thread ID (90514)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Admins that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role:

====================================
Validating: Role Name (Members) | Role ID (90534) | Thread Type (9) | Thread ID (90533)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Members that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role:

====================================
Validating: Role Name (Admins) | Role ID (90535) | Thread Type (9) | Thread ID (90533)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Admins that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role:

====================================
Validating: Role Name (Members) | Role ID (90547) | Thread Type (9) | Thread ID (90546)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Members that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role:

====================================
Validating: Role Name (Admins) | Role ID (90548) | Thread Type (9) | Thread ID (90546)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Admins that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role:

====================================
Validating: Role Name (Members) | Role ID (90560) | Thread Type (9) | Thread ID (90559)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Members that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role:

====================================
Validating: Role Name (Admins) | Role ID (90561) | Thread Type (9) | Thread ID (90559)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Admins that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role:

====================================

Reviewers: ashoat, atul, ginsu

Reviewed By: ashoat

Subscribers: tomek, wyilio

Differential Revision: https://phab.comm.dev/D9675
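
The audit flow described in the commit message above, as an added example that is not part of the commit or the project's own code: diff the expected and existing permission blobs in both directions, then attribute the drift to user-surfaced permissions. The deepDiff semantics are inferred from the output above, the USER_SURFACED mapping and the sample blobs are constructed, and the `unexplained` list goes one step beyond the script's output by naming drift that no user-surfaced permission accounts for.

```javascript
// Stand-in for the deepDiff the commit calls (assumed semantics): entries of
// `a` that are missing from `b` or differ there; nested objects recurse.
function deepDiff(a, b) {
  const out = {};
  for (const [key, value] of Object.entries(a)) {
    const other = b[key];
    const nested = value !== null && typeof value === 'object';
    if (nested && other !== null && typeof other === 'object') {
      const sub = deepDiff(value, other);
      if (Object.keys(sub).length > 0) out[key] = sub;
    } else if (nested || value !== other) {
      out[key] = value;
    }
  }
  return out;
}

// Constructed mapping from user-surfaced permissions to raw blob keys; the
// project's real mapping is not shown on the page.
const USER_SURFACED = {
  edit_calendar: ['edit_entries', 'descendant_edit_entries'],
  add_members: ['add_members', 'descendant_add_members'],
  react_to_messages: ['react_to_message', 'descendant_react_to_message'],
  edit_messages: ['edit_message', 'descendant_edit_message'],
};

function auditRole(expected, existing) {
  const missing = deepDiff(expected, existing); // expected, but absent or changed
  const extra = deepDiff(existing, expected); // present, but not expected
  const drift = new Set([...Object.keys(missing), ...Object.keys(extra)]);
  const userSurfaced = [];
  const explained = new Set();
  for (const [name, keys] of Object.entries(USER_SURFACED)) {
    const hits = keys.filter((k) => drift.has(k));
    if (hits.length > 0) userSurfaced.push(name);
    hits.forEach((k) => explained.add(k));
  }
  // Drift that no role edit accounts for is what needs a manual look.
  const unexplained = [...drift].filter((k) => !explained.has(k)).sort();
  return { missing, extra, userSurfaced, unexplained };
}

// Constructed sample blobs (not taken from any database).
const expected = { voiced: true, visible: true };
const existing = { visible: true, join_thread: true,
  descendant_edit_entries: true, descendant_react_to_message: true };
console.log(JSON.stringify(auditRole(expected, existing), null, 2));
```

Running the diff in both directions matters for an audit: one direction finds permissions a role has lost, the other finds permissions it has gained beyond the baseline.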