prevent users from adding incidents/FRs to event groups (#497)

groups are intended as placeholders for use by permissions,
so users shouldn't be able to add incidents/FRs onto the groups
themselves.

Author: srabraham

lib/authz/permission.go

@@ -102,6 +102,8 @@ func EventPermissions(
 ) (eventPermissions map[int32]EventPermissionMask, globalPermissions GlobalPermissionMask, err error) {
 	accessByEvent := make(map[int32][]imsdb.EventAccess)
 	if eventID != nil {
+		// If the eventID is the ID for an event group, this query returns no rows.
+		// This prevents users from adding entities under event groups, which we don't want.
 		accessRows, err := imsDBQ.EventAndParentAccess(ctx, imsDBQ, imsdb.EventAndParentAccessParams{EventID: *eventID})
 		if err != nil {
 			return nil, GlobalNoPermissions, fmt.Errorf("[EventAccess]: %w", err)

store/imsdb/querier.go

@@ -22,10 +22,17 @@ set
 where ID = ?
 ;
 
+-- This returns access for a target event, as well as for that event's
+-- parent group, if any. If the target event *is* a group, this query
+-- will return nothing. That's intentional, and it helps prevent people
+-- from adding incidents or FRs to event groups as though those were events.
 -- name: EventAndParentAccess :many
 select sqlc.embed(ea)
-from EVENT_ACCESS ea
-where ea.EVENT = sqlc.arg(event_id)
+from `EVENT` e
+    join EVENT_ACCESS ea
+        on e.ID = ea.EVENT
+where e.ID = sqlc.arg(event_id)
+    and not e.IS_GROUP
 union all
 select sqlc.embed(ea)
 from `EVENT` e