Sync task permissions with develop

cvat-ai · Oct 3, 2024 · adcb367 · adcb367
1 parent eb790c9
commit adcb367
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/cvat/apps/engine/permissions.py b/cvat/apps/engine/permissions.py
@@ -387,6 +387,8 @@ class Scopes(StrEnum):
         UPLOAD_DATA = 'upload:data'
         IMPORT_BACKUP = 'import:backup'
         EXPORT_BACKUP = 'export:backup'
+        VIEW_VALIDATION_LAYOUT = 'view:validation_layout'
+        UPDATE_VALIDATION_LAYOUT = 'update:validation_layout'
 
     @classmethod
     def create(cls, request, view, obj, iam_context):
@@ -496,8 +498,8 @@ def get_scopes(request, view, obj) -> List[Scopes]:
             ('export_backup', 'GET'): Scopes.EXPORT_BACKUP,
             ('export_backup_v2', 'POST'): Scopes.EXPORT_BACKUP,
             ('preview', 'GET'): Scopes.VIEW,
-            ('validation_layout', 'GET'): Scopes.VIEW,
-            ('validation_layout', 'PATCH'): Scopes.UPDATE,
+            ('validation_layout', 'GET'): Scopes.VIEW_VALIDATION_LAYOUT,
+            ('validation_layout', 'PATCH'): Scopes.UPDATE_VALIDATION_LAYOUT,
         }[(view.action, request.method)]
 
         scopes = []

diff --git a/cvat/apps/engine/rules/tasks.rego b/cvat/apps/engine/rules/tasks.rego
@@ -306,3 +306,17 @@ allow if {
     is_project_staff
 }
 
+allow if {
+    input.scope in {utils.VIEW_VALIDATION_LAYOUT, utils.UPDATE_VALIDATION_LAYOUT}
+    utils.has_perm(utils.USER)
+    utils.is_sandbox
+    is_task_staff
+}
+
+allow if {
+    input.scope in {utils.VIEW_VALIDATION_LAYOUT, utils.UPDATE_VALIDATION_LAYOUT}
+    input.auth.organization.id == input.resource.organization.id
+    organizations.has_perm(organizations.SUPERVISOR)
+    utils.has_perm(utils.USER)
+    is_task_staff
+}