pgadmin-org
diff --git a/‎docs/en_US/images/add_role.png
26 KB b/‎docs/en_US/images/add_role.png
26 KB
diff --git a/‎docs/en_US/images/permissions.png
87.2 KB b/‎docs/en_US/images/permissions.png
87.2 KB
diff --git a/‎docs/en_US/images/roles.png
45.9 KB b/‎docs/en_US/images/roles.png
45.9 KB
diff --git a/‎docs/en_US/images/user.png
-70.4 KB b/‎docs/en_US/images/user.png
-70.4 KB
diff --git a/‎docs/en_US/images/users.png
62.4 KB b/‎docs/en_US/images/users.png
62.4 KB
diff --git a/‎docs/en_US/user_management.rst
Lines changed: 56 additions & 2 deletions b/‎docs/en_US/user_management.rst
Lines changed: 56 additions & 2 deletions
diff --git a/‎web/migrations/versions/1f0eddc8fc79_.py
Lines changed: 14 additions & 0 deletions b/‎web/migrations/versions/1f0eddc8fc79_.py
Lines changed: 14 additions & 0 deletions
diff --git a/‎web/pgadmin/__init__.py
Lines changed: 2 additions & 0 deletions b/‎web/pgadmin/__init__.py
Lines changed: 2 additions & 0 deletions
diff --git a/‎web/pgadmin/browser/server_groups/servers/__init__.py
Lines changed: 3 additions & 1 deletion b/‎web/pgadmin/browser/server_groups/servers/__init__.py
Lines changed: 3 additions & 1 deletion
diff --git a/‎web/pgadmin/browser/server_groups/servers/static/js/server.js
Lines changed: 2 additions & 2 deletions b/‎web/pgadmin/browser/server_groups/servers/static/js/server.js
Lines changed: 2 additions & 2 deletions
diff --git a/‎web/pgadmin/browser/static/js/MainMenuFactory.js
Lines changed: 4 additions & 2 deletions b/‎web/pgadmin/browser/static/js/MainMenuFactory.js
Lines changed: 4 additions & 2 deletions
diff --git a/‎web/pgadmin/browser/static/js/browser.js
Lines changed: 1 addition & 0 deletions b/‎web/pgadmin/browser/static/js/browser.js
Lines changed: 1 addition & 0 deletions
diff --git a/‎web/pgadmin/browser/static/js/withCheckPermission.js
Lines changed: 17 additions & 0 deletions b/‎web/pgadmin/browser/static/js/withCheckPermission.js
Lines changed: 17 additions & 0 deletions
diff --git a/‎web/pgadmin/dashboard/static/js/components/SectionContainer.jsx
Lines changed: 2 additions & 1 deletion b/‎web/pgadmin/dashboard/static/js/components/SectionContainer.jsx
Lines changed: 2 additions & 1 deletion
diff --git a/‎web/pgadmin/misc/file_manager/__init__.py
Lines changed: 27 additions & 6 deletions b/‎web/pgadmin/misc/file_manager/__init__.py
Lines changed: 27 additions & 6 deletions
diff --git a/‎web/pgadmin/misc/file_manager/static/js/components/FileManager.jsx
Lines changed: 1 addition & 1 deletion b/‎web/pgadmin/misc/file_manager/static/js/components/FileManager.jsx
Lines changed: 1 addition & 1 deletion
diff --git a/‎web/pgadmin/model/__init__.py
Lines changed: 45 additions & 0 deletions b/‎web/pgadmin/model/__init__.py
Lines changed: 45 additions & 0 deletions
diff --git a/‎web/pgadmin/static/js/components/FormComponents.jsx
Lines changed: 2 additions & 1 deletion b/‎web/pgadmin/static/js/components/FormComponents.jsx
Lines changed: 2 additions & 1 deletion
@@ -12,7 +12,7 @@ When you authenticate with pgAdmin, the server definitions associated with that
 login role are made available in the tree control.
 
 Users Tab
-*******************
+*********
 An administrative user can use the *Users* tab to:
 
 * manage pgAdmin users
@@ -21,7 +21,7 @@ An administrative user can use the *Users* tab to:
 * deactivate user
 * unlock a locked user
 
-.. image:: images/user.png
+.. image:: images/users.png
     :alt: pgAdmin user management window
     :align: center
 
@@ -78,6 +78,60 @@ users, but otherwise have the same capabilities as those with the *User* role.
 * Click the *Help* button (?) to access online help.
 
 
+Roles Tab
+*********
+An administrative user can use the *Roles* tab to:
+
+* manage pgAdmin roles
+* delete roles
+
+.. image:: images/roles.png
+  :alt: pgAdmin roles management window
+  :align: center
+
+Use the *Search* field to specify criteria and review a list of roles
+that match the specified criteria. You can enter a value that matches
+the following criteria types: *Role Name* or *Description*.
+
+To add a role, click the Add (+) button at the top left corner. It will open a
+dialog where you can fill in details for the new role.
+
+.. image:: images/add_role.png
+  :alt: pgAdmin roles management window add new role
+  :align: center
+
+Provide information about the new pgAdmin role in the row:
+
+* Use the *Role Name* field to specify a unique name for the role.
+* Use the *Description* field to provide a brief description of the role.
+
+To delete a role, click the trash icon to the left of the row and confirm deletion
+in the *Delete role?* dialog. If the role is associated with any users or resources,
+you may need to reassign those associations before deletion.
+
+Roles allow administrators to group privileges and assign them to users more efficiently.
+This helps in managing permissions and access control within the pgAdmin client.
+
+* Click the *Refresh* button to get the latest roles list.
+* Click the *Help* button (?) to access online help.
+
+
+Permissions Tab
+***************
+An administrative user can use the *Permissions* tab to manage pgAdmin permissions for 
+a role.
+
+.. image:: images/permissions.png
+  :alt: pgAdmin permissions management window
+  :align: center
+
+* Filter permissions using the *Search* field by entering names that match the list.
+* Administrators can select permissions from the list of available permissions, and
+  choose to grant or revoke these permissions for specific roles.
+* The permissions are applied to the selected role immediately.
+
+
+
 Using 'setup.py' command line script
 ####################################
 
 
@@ -30,6 +30,20 @@ def upgrade():
                   sa.Column('db_res_type', sa.String(length=32),
                             server_default=RESTRICTION_TYPE_DATABASES))
 
+    # For adding custom role permissions
+    op.add_column('role', sa.Column('permissions', sa.Text()))
+
+    # get metadata from current connection
+    meta = sa.MetaData()
+    # define table representation
+    meta.reflect(op.get_bind(), only=('role',))
+    role_table = sa.Table('role', meta)
+
+    from pgadmin.tools.user_management.PgPermissions import AllPermissionTypes
+    op.execute(
+        role_table.update().where(role_table.c.name == 'User')
+        .values(permissions=",".join(AllPermissionTypes.__dict__.keys())))
+
 
 def downgrade():
     # pgAdmin only upgrades, downgrade not implemented.
 
@@ -349,6 +349,8 @@ def get_locale():
         app.config['SECURITY_MSG_INVALID_PASSWORD'] = \
         (gettext("Incorrect username or password."), "error")
     app.config['SECURITY_PASSWORD_LENGTH_MIN'] = config.PASSWORD_LENGTH_MIN
+    app.config['SECURITY_MSG_UNAUTHORIZED'] = \
+        (gettext("You do not have permission to this resource."), "error")
 
     # Create database connection object and mailer
     db.init_app(app)
 
@@ -13,7 +13,7 @@
 from flask import render_template, request, make_response, jsonify, \
     current_app, url_for, session
 from flask_babel import gettext
-from flask_security import current_user
+from flask_security import current_user, permissions_required
 from pgadmin.user_login_check import pga_login_required
 from psycopg.conninfo import make_conninfo, conninfo_to_dict
 
@@ -24,6 +24,7 @@
 from pgadmin.utils.crypto import encrypt, decrypt, pqencryptpassword
 from pgadmin.utils.menu import MenuItem
 from pgadmin.tools.sqleditor.utils.query_history import QueryHistory
+from pgadmin.tools.user_management.PgPermissions import AllPermissionTypes
 
 import config
 from config import PG_DEFAULT_DRIVER
@@ -1081,6 +1082,7 @@ def update_connection_string(manager, server):
         display_conn_string = make_conninfo(**con_info_ord)
         return display_conn_string
 
+    @permissions_required(AllPermissionTypes.object_register_server)
     @pga_login_required
     def create(self, gid):
         """Add a server node to the settings database"""
 
@@ -81,7 +81,7 @@ define('pgadmin.node.server', [
           name: 'create_server_on_sg', node: 'server_group', module: this,
           applies: ['object', 'context'], callback: 'show_obj_properties',
           category: 'register', priority: 1, label: gettext('Server...'),
-          data: {action: 'create'}, enable: 'canCreate',
+          data: {action: 'create'}, enable: 'canCreate', permission: 'object_register_server'
         },{
           name: 'disconnect_all_servers', node: 'server_group', module: this,
           applies: ['object','context'], callback: 'disconnect_all_servers',
@@ -91,7 +91,7 @@ define('pgadmin.node.server', [
           name: 'create_server', node: 'server', module: this,
           applies: ['object', 'context'], callback: 'show_obj_properties',
           category: 'register', priority: 3, label: gettext('Server...'),
-          data: {action: 'create'}, enable: 'canCreate',
+          data: {action: 'create'}, enable: 'canCreate', permission: 'object_register_server'
         },{
           name: 'connect_server', node: 'server', module: this,
           applies: ['object', 'context'], callback: 'connect_server',
 
@@ -11,6 +11,7 @@ import pgAdmin from 'sources/pgadmin';
 import Menu, { MenuItem } from '../../../static/js/helpers/Menu';
 import getApiInstance from '../../../static/js/api_instance';
 import url_for from 'sources/url_for';
+import withCheckPermission from './withCheckPermission';
 
 const MAIN_MENUS = [
   { label: gettext('File'), name: 'file', id: 'mnu_file', index: 0, addSeprator: true, hasDynamicMenuItems: false },
@@ -71,7 +72,7 @@ export default class MainMenuFactory {
   }
 
   static createMenuItem(options) {
-    return new MenuItem({...options, callback: () => {
+    const callback = () => {
       // Some callbacks registered in 'callbacks' check and call specifiec callback function
       if (options.module && 'callbacks' in options.module && options.module.callbacks[options.callback]) {
         options.module.callbacks[options.callback].apply(options.module, [options.data, pgAdmin.Browser.tree?.selected()]);
@@ -89,7 +90,8 @@ export default class MainMenuFactory {
           pgAdmin.Browser.notifier.error(gettext('Error in opening window'));
         });
       }
-    }}, (menu, item)=> {
+    };
+    return new MenuItem({...options, callback: withCheckPermission(options, callback)}, (menu, item)=> {
       pgAdmin.Browser.Events.trigger('pgadmin:enable-disable-menu-items', menu, item);
       window.electronUI?.enableDisableMenuItems(menu?.serialize(), item?.serialize());
     });
 
@@ -391,6 +391,7 @@ define('pgadmin.browser', [
                 checked: _m.checked,
                 below: _m.below,
                 applies: _m.applies,
+                permission: _m.permission,
               };
             };
 
 
@@ -0,0 +1,17 @@
+import pgAdmin from 'sources/pgadmin';
+import current_user from 'pgadmin.user_management.current_user';
+import gettext from 'sources/gettext';
+
+export default function withCheckPermission(options, callback) {
+  // Check if the user has permission to access the menu item
+  return ()=>{
+    if(!options.permission || (options.permission && current_user.permissions?.includes(options.permission))) {
+      callback();
+    } else {
+      pgAdmin.Browser.notifier.alert(
+        gettext('Permission Denied'),
+        gettext('You do not have permission to access this menu item.')
+      );
+    }
+  };
+}
@@ -29,6 +29,7 @@ const StyledBox = styled(Box)(({theme}) => ({
     '& .SectionContainer-cardTitle': {
       padding: '0.25rem 0.5rem',
       fontWeight: 'bold',
+      width: '100%',
     }
   },
 }));
@@ -50,7 +51,7 @@ export default function SectionContainer({title, titleExtras, children, style})
 }
 
 SectionContainer.propTypes = {
-  title: PropTypes.string.isRequired,
+  title: PropTypes.any.isRequired,
   titleExtras: PropTypes.node,
   children: PropTypes.node.isRequired,
   style: PropTypes.object,
 
@@ -35,6 +35,7 @@
 from pgadmin.utils.constants import PREF_LABEL_OPTIONS, MIMETYPE_APP_JS, \
     MY_STORAGE
 from pgadmin.settings.utils import get_file_type_setting
+from pgadmin.tools.user_management.PgPermissions import AllPermissionTypes
 
 # Checks if platform is Windows
 if _platform == "win32":
@@ -345,6 +346,20 @@ def get_closest_parent(storage_dir, last_dir):
 
         return last_dir
 
+    @staticmethod
+    def check_capability_permission(capability):
+        """
+        Check if the user has permission for the capability
+        """
+        if capability == 'create':
+            return current_user.has_permission(
+                AllPermissionTypes.storage_add_folder)
+        elif capability == 'delete':
+            return current_user.has_permission(
+                AllPermissionTypes.storage_remove_folder)
+
+        return True
+
     @staticmethod
     def create_new_transaction(params):
         """
@@ -366,16 +381,20 @@ def create_new_transaction(params):
         show_volumes = isinstance(storage_dir, list) or not storage_dir
         supp_types = allow_upload_files = params.get('supported_types', [])
 
+        allow_folder_create = ['create'] if \
+            Filemanager.check_capability_permission('create') else []
+        allow_folder_delete = ['delete'] if \
+            Filemanager.check_capability_permission('delete') else []
         # tuples with (capabilities, files_only, folders_only, title)
         capability_map = {
             'select_file': (
-                ['select_file', 'rename', 'upload', 'delete'],
+                ['select_file', 'rename', 'upload'] + allow_folder_delete,
                 True,
                 False,
                 gettext("Select File")
             ),
             'select_folder': (
-                ['select_folder', 'rename', 'create'],
+                ['select_folder', 'rename'] + allow_folder_create,
                 False,
                 True,
                 gettext("Select Folder")
@@ -387,14 +406,14 @@ def create_new_transaction(params):
                 gettext("Select File")
             ),
             'create_file': (
-                ['select_file', 'rename', 'create'],
+                ['select_file', 'rename'] + allow_folder_create,
                 True,
                 False,
                 gettext("Create File")
             ),
             'storage_dialog': (
-                ['select_folder', 'select_file', 'download',
-                 'rename', 'delete', 'upload', 'create'],
+                ['select_folder', 'select_file', 'download', 'rename',
+                 'upload'] + allow_folder_delete + allow_folder_create,
                 True,
                 False,
                 gettext("Storage Manager")
@@ -767,7 +786,9 @@ def validate_request(self, capability):
         stored in the session
         """
         trans_data = Filemanager.get_trasaction_selection(self.trans_id)
-        return False if capability not in trans_data['capabilities'] else True
+        # capability
+        return False if capability not in trans_data['capabilities'] \
+            else Filemanager.check_capability_permission(capability)
 
     def getfolder(self, path=None, file_type="", show_hidden=False):
         """
 
@@ -873,4 +873,4 @@ FileManager.propTypes = {
   onCancel: PropTypes.func,
   sharedStorages: PropTypes.array,
   restrictedSharedStorage: PropTypes.array,
-};
+};
@@ -59,6 +59,29 @@
 )
 
 
+class PgAdminDbArrayString(types.TypeDecorator):
+    cache_ok = True
+    impl = types.String
+
+    def process_bind_param(self, value, dialect):
+        try:
+            if len(value) == 0:
+                return None
+
+            return ",".join(value)
+        except Exception as _:
+            return None
+
+    def process_result_value(self, value, dialect):
+        try:
+            if value == '':
+                return []
+
+            return value.split(',')
+        except Exception as _:
+            return []
+
+
 class PgAdminDbBinaryString(types.TypeDecorator):
     """
     To make binary string storing compatible with both
@@ -92,6 +115,28 @@ class Role(db.Model, RoleMixin):
     id = db.Column(db.Integer(), primary_key=True)
     name = db.Column(db.String(128), unique=True, nullable=False)
     description = db.Column(db.String(256), nullable=False)
+    # permissions needs to be an array, use custom type to support
+    # both SQLite and PostgreSQL
+    permissions = db.Column(PgAdminDbArrayString())
+
+    def get_permissions(self):
+        from pgadmin.tools.user_management.PgPermissions \
+            import AllPermissionTypes
+        if self.name == 'Administrator':
+            return filter(lambda x: not x.startswith('_'),
+                          AllPermissionTypes.__dict__.keys())
+
+        return super().get_permissions()
+
+
+# We override the default UserMixin to change behaviour of has_permission
+# Administrator has all permissions
+class CustomUserMixin(UserMixin):
+    def has_permission(self, permission: str) -> bool:
+        if 'Administrator' in self.roles:
+            return True
+
+        return super().has_permission(permission)
 
 
 class User(db.Model, UserMixin):
 
@@ -1280,7 +1280,8 @@ const StyledNotifierMessageBox = styled(Box)(({theme}) => ({
   '& .FormFooter-message': {
     color: theme.palette.text.primary,
     marginLeft: theme.spacing(0.5),
-    whiteSpace: 'pre-line'
+    whiteSpace: 'pre-line',
+    userSelect: 'text'
   },
   '& .FormFooter-messageCenter': {
     color: theme.palette.text.primary,