Skip to content

prevent users from adding incidents/FRs to event groups #497

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Nov 19, 2025
Merged

prevent users from adding incidents/FRs to event groups #497

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions lib/authz/permission.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,8 @@ func EventPermissions(
) (eventPermissions map[int32]EventPermissionMask, globalPermissions GlobalPermissionMask, err error) {
accessByEvent := make(map[int32][]imsdb.EventAccess)
if eventID != nil {
// If the eventID is the ID for an event group, this query returns no rows.
// This prevents users from adding entities under event groups, which we don't want.
accessRows, err := imsDBQ.EventAndParentAccess(ctx, imsDBQ, imsdb.EventAndParentAccessParams{EventID: *eventID})
if err != nil {
return nil, GlobalNoPermissions, fmt.Errorf("[EventAccess]: %w", err)
Expand Down
4 changes: 4 additions & 0 deletions store/imsdb/querier.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

11 changes: 9 additions & 2 deletions store/imsdb/queries.sql.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

11 changes: 9 additions & 2 deletions store/queries.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,10 +22,17 @@ set
where ID = ?
;

-- This returns access for a target event, as well as for that event's
-- parent group, if any. If the target event *is* a group, this query
-- will return nothing. That's intentional, and it helps prevent people
-- from adding incidents or FRs to event groups as though those were events.
-- name: EventAndParentAccess :many
select sqlc.embed(ea)
from EVENT_ACCESS ea
where ea.EVENT = sqlc.arg(event_id)
from `EVENT` e
join EVENT_ACCESS ea
on e.ID = ea.EVENT
where e.ID = sqlc.arg(event_id)
and not e.IS_GROUP
union all
select sqlc.embed(ea)
from `EVENT` e
Expand Down
Loading