Add extra RBAC bits for resource export controll

server/compose/chart.cue

@@ -99,6 +99,7 @@ chart: {
 			"read": {}
 			"update": {}
 			"delete": {}
+			"export": description:  "Access to export charts"
 		}
 	}
 

server/compose/module.cue

@@ -118,6 +118,7 @@ module: {
 			"read": {}
 			"update": {}
 			"delete": {}
+			"export":        description:  "Access to export modules"
 			"record.create": description:  "Create record"
 			"owned-record.create": description:  "Create record with custom owner"
 			"records.search": description: "List, search or filter records"

server/compose/namespace.cue

@@ -77,13 +77,17 @@ namespace: {
 			"read": {}
 			"update": {}
 			"delete": {}
+			"export": description:         "Access to export the entire namespace"
 			"manage": description:         "Access to namespace admin panel"
 			"module.create": description:  "Create module on namespace"
 			"modules.search": description: "List, search or filter module on namespace"
+			"modules.export": description: "Export modules on namespace"
 			"chart.create": description:   "Create chart on namespace"
 			"charts.search": description:  "List, search or filter chart on namespace"
+			"charts.export": description:  "Export charts on namespace"
 			"page.create": description:    "Create page on namespace"
 			"pages.search": description:   "List, search or filter pages on namespace"
+			"pages.export": description:   "Export pages on namespace"
 		}
 	}
 

server/compose/page.cue

@@ -166,7 +166,7 @@ page: {
 			"read": {}
 			"update": {}
 			"delete": {}
-
+			"export":             description:  "Access to export pages"
 			"page-layout.create": description:    "Create page layout on namespace"
 			"page-layouts.search": description:   "List, search or filter page layouts on namespace"
 		}

server/compose/rest/chart.go

@@ -16,6 +16,7 @@ type (
 
 		CanGrant       bool `json:"canGrant"`
 		CanUpdateChart bool `json:"canUpdateChart"`
+		CanExportChart bool `json:"canExportChart"`
 		CanDeleteChart bool `json:"canDeleteChart"`
 	}
 
@@ -42,6 +43,7 @@ type (
 		CanGrant(context.Context) bool
 
 		CanUpdateChart(context.Context, *types.Chart) bool
+		CanExportChart(context.Context, *types.Chart) bool
 		CanDeleteChart(context.Context, *types.Chart) bool
 	}
 )
@@ -154,6 +156,7 @@ func (ctrl Chart) makePayload(ctx context.Context, c *types.Chart, err error) (*
 		CanGrant: ctrl.ac.CanGrant(ctx),
 
 		CanUpdateChart: ctrl.ac.CanUpdateChart(ctx, c),
+		CanExportChart: ctrl.ac.CanExportChart(ctx, c),
 		CanDeleteChart: ctrl.ac.CanDeleteChart(ctx, c),
 	}, nil
 }

server/compose/rest/module.go

@@ -24,6 +24,7 @@ type (
 		Fields []*moduleFieldPayload `json:"fields"`
 
 		CanGrant             bool `json:"canGrant"`
+		CanExport            bool `json:"canExport"`
 		CanUpdateModule      bool `json:"canUpdateModule"`
 		CanDeleteModule      bool `json:"canDeleteModule"`
 		CanCreateRecord      bool `json:"canCreateRecord"`
@@ -47,6 +48,7 @@ type (
 	moduleAccessController interface {
 		CanGrant(context.Context) bool
 
+		CanExportModule(context.Context, *types.Module) bool
 		CanUpdateModule(context.Context, *types.Module) bool
 		CanDeleteModule(context.Context, *types.Module) bool
 		CanCreateRecordOnModule(context.Context, *types.Module) bool
@@ -189,6 +191,8 @@ func (ctrl Module) makePayload(ctx context.Context, m *types.Module, err error)
 
 		CanGrant: ctrl.ac.CanGrant(ctx),
 
+		CanExport: ctrl.ac.CanExportModule(ctx, m),
+
 		CanUpdateModule: ctrl.ac.CanUpdateModule(ctx, m),
 		CanDeleteModule: ctrl.ac.CanDeleteModule(ctx, m),
 

server/compose/rest/namespace.go

@@ -31,12 +31,16 @@ type (
 		*types.Namespace
 
 		CanGrant           bool `json:"canGrant"`
+		CanExportNamespace bool `json:"canExportNamespace"`
 		CanUpdateNamespace bool `json:"canUpdateNamespace"`
 		CanDeleteNamespace bool `json:"canDeleteNamespace"`
 		CanManageNamespace bool `json:"canManageNamespace"`
 		CanCreateModule    bool `json:"canCreateModule"`
+		CanExportModule    bool `json:"canExportModule"`
 		CanCreateChart     bool `json:"canCreateChart"`
+		CanExportChart     bool `json:"canExportChart"`
 		CanCreatePage      bool `json:"canCreatePage"`
+		CanExportPage      bool `json:"canExportPage"`
 	}
 
 	namespaceSetPayload struct {
@@ -71,13 +75,17 @@ type (
 	namespaceAccessController interface {
 		CanGrant(context.Context) bool
 
+		CanExportNamespace(context.Context, *types.Namespace) bool
 		CanUpdateNamespace(context.Context, *types.Namespace) bool
 		CanDeleteNamespace(context.Context, *types.Namespace) bool
 		CanManageNamespace(context.Context, *types.Namespace) bool
 
 		CanCreateModuleOnNamespace(context.Context, *types.Namespace) bool
+		CanExportModulesOnNamespace(context.Context, *types.Namespace) bool
 		CanCreateChartOnNamespace(context.Context, *types.Namespace) bool
+		CanExportChartsOnNamespace(context.Context, *types.Namespace) bool
 		CanCreatePageOnNamespace(context.Context, *types.Namespace) bool
+		CanExportPagesOnNamespace(context.Context, *types.Namespace) bool
 	}
 )
 
@@ -351,13 +359,17 @@ func (ctrl Namespace) makePayload(ctx context.Context, ns *types.Namespace, err
 		Namespace: ns,
 
 		CanGrant:           ctrl.ac.CanGrant(ctx),
+		CanExportNamespace: ctrl.ac.CanExportNamespace(ctx, ns),
 		CanUpdateNamespace: ctrl.ac.CanUpdateNamespace(ctx, ns),
 		CanDeleteNamespace: ctrl.ac.CanDeleteNamespace(ctx, ns),
 		CanManageNamespace: ctrl.ac.CanManageNamespace(ctx, ns),
 
 		CanCreateModule: ctrl.ac.CanCreateModuleOnNamespace(ctx, ns),
+		CanExportModule: ctrl.ac.CanExportModulesOnNamespace(ctx, ns),
 		CanCreateChart:  ctrl.ac.CanCreateChartOnNamespace(ctx, ns),
+		CanExportChart:  ctrl.ac.CanExportChartsOnNamespace(ctx, ns),
 		CanCreatePage:   ctrl.ac.CanCreatePageOnNamespace(ctx, ns),
+		CanExportPage:   ctrl.ac.CanExportPagesOnNamespace(ctx, ns),
 	}, nil
 }
 
@@ -421,6 +433,13 @@ func (ctrl Namespace) exportCompose(ctx context.Context, namespaceID uint64) (re
 	if err != nil {
 		return
 	}
+
+	// @todo this isn't ok, will do for now
+	if !ctrl.ac.CanExportNamespace(ctx, n) {
+		err = fmt.Errorf("not allowed to export namespace %s", n.Name)
+		return
+	}
+
 	nsNode, err := composeEnvoy.NamespaceToEnvoyNode(n)
 	if err != nil {
 		return

server/compose/rest/page.go

@@ -20,6 +20,7 @@ type (
 		Children []*pagePayload `json:"children,omitempty"`
 
 		CanGrant      bool `json:"canGrant"`
+		CanExportPage bool `json:"canExportPage"`
 		CanUpdatePage bool `json:"canUpdatePage"`
 		CanDeletePage bool `json:"canDeletePage"`
 	}
@@ -60,6 +61,7 @@ type (
 		CanGrant(context.Context) bool
 
 		CanUpdatePage(context.Context, *types.Page) bool
+		CanExportPage(context.Context, *types.Page) bool
 		CanDeletePage(context.Context, *types.Page) bool
 	}
 )
@@ -273,6 +275,7 @@ func (ctrl Page) makePayload(ctx context.Context, c *types.Page, err error) (*pa
 		CanGrant: ctrl.ac.CanGrant(ctx),
 
 		CanUpdatePage: ctrl.ac.CanUpdatePage(ctx, c),
+		CanExportPage: ctrl.ac.CanExportPage(ctx, c),
 		CanDeletePage: ctrl.ac.CanDeletePage(ctx, c),
 	}, nil
 }

server/compose/service/access_control.gen.go

@@ -167,6 +167,11 @@ func (svc accessControl) List() (out []map[string]string) {
 			"any":  types.ChartRbacResource(0, 0),
 			"op":   "delete",
 		},
+		{
+			"type": types.ChartResourceType,
+			"any":  types.ChartRbacResource(0, 0),
+			"op":   "export",
+		},
 		{
 			"type": types.ModuleResourceType,
 			"any":  types.ModuleRbacResource(0, 0),
@@ -182,6 +187,11 @@ func (svc accessControl) List() (out []map[string]string) {
 			"any":  types.ModuleRbacResource(0, 0),
 			"op":   "delete",
 		},
+		{
+			"type": types.ModuleResourceType,
+			"any":  types.ModuleRbacResource(0, 0),
+			"op":   "export",
+		},
 		{
 			"type": types.ModuleResourceType,
 			"any":  types.ModuleRbacResource(0, 0),
@@ -222,6 +232,11 @@ func (svc accessControl) List() (out []map[string]string) {
 			"any":  types.NamespaceRbacResource(0),
 			"op":   "delete",
 		},
+		{
+			"type": types.NamespaceResourceType,
+			"any":  types.NamespaceRbacResource(0),
+			"op":   "export",
+		},
 		{
 			"type": types.NamespaceResourceType,
 			"any":  types.NamespaceRbacResource(0),
@@ -237,6 +252,11 @@ func (svc accessControl) List() (out []map[string]string) {
 			"any":  types.NamespaceRbacResource(0),
 			"op":   "modules.search",
 		},
+		{
+			"type": types.NamespaceResourceType,
+			"any":  types.NamespaceRbacResource(0),
+			"op":   "modules.export",
+		},
 		{
 			"type": types.NamespaceResourceType,
 			"any":  types.NamespaceRbacResource(0),
@@ -247,6 +267,11 @@ func (svc accessControl) List() (out []map[string]string) {
 			"any":  types.NamespaceRbacResource(0),
 			"op":   "charts.search",
 		},
+		{
+			"type": types.NamespaceResourceType,
+			"any":  types.NamespaceRbacResource(0),
+			"op":   "charts.export",
+		},
 		{
 			"type": types.NamespaceResourceType,
 			"any":  types.NamespaceRbacResource(0),
@@ -257,6 +282,11 @@ func (svc accessControl) List() (out []map[string]string) {
 			"any":  types.NamespaceRbacResource(0),
 			"op":   "pages.search",
 		},
+		{
+			"type": types.NamespaceResourceType,
+			"any":  types.NamespaceRbacResource(0),
+			"op":   "pages.export",
+		},
 		{
 			"type": types.PageResourceType,
 			"any":  types.PageRbacResource(0, 0),
@@ -272,6 +302,11 @@ func (svc accessControl) List() (out []map[string]string) {
 			"any":  types.PageRbacResource(0, 0),
 			"op":   "delete",
 		},
+		{
+			"type": types.PageResourceType,
+			"any":  types.PageRbacResource(0, 0),
+			"op":   "export",
+		},
 		{
 			"type": types.PageResourceType,
 			"any":  types.PageRbacResource(0, 0),
@@ -470,6 +505,13 @@ func (svc accessControl) CanDeleteChart(ctx context.Context, r *types.Chart) boo
 	return svc.can(ctx, "delete", r)
 }
 
+// CanExportChart checks if current user can access to export charts
+//
+// This function is auto-generated
+func (svc accessControl) CanExportChart(ctx context.Context, r *types.Chart) bool {
+	return svc.can(ctx, "export", r)
+}
+
 // CanReadModule checks if current user can read
 //
 // This function is auto-generated
@@ -491,6 +533,13 @@ func (svc accessControl) CanDeleteModule(ctx context.Context, r *types.Module) b
 	return svc.can(ctx, "delete", r)
 }
 
+// CanExportModule checks if current user can access to export modules
+//
+// This function is auto-generated
+func (svc accessControl) CanExportModule(ctx context.Context, r *types.Module) bool {
+	return svc.can(ctx, "export", r)
+}
+
 // CanCreateRecordOnModule checks if current user can create record
 //
 // This function is auto-generated
@@ -547,6 +596,13 @@ func (svc accessControl) CanDeleteNamespace(ctx context.Context, r *types.Namesp
 	return svc.can(ctx, "delete", r)
 }
 
+// CanExportNamespace checks if current user can access to export the entire namespace
+//
+// This function is auto-generated
+func (svc accessControl) CanExportNamespace(ctx context.Context, r *types.Namespace) bool {
+	return svc.can(ctx, "export", r)
+}
+
 // CanManageNamespace checks if current user can access to namespace admin panel
 //
 // This function is auto-generated
@@ -568,6 +624,13 @@ func (svc accessControl) CanSearchModulesOnNamespace(ctx context.Context, r *typ
 	return svc.can(ctx, "modules.search", r)
 }
 
+// CanExportModulesOnNamespace checks if current user can export modules on namespace
+//
+// This function is auto-generated
+func (svc accessControl) CanExportModulesOnNamespace(ctx context.Context, r *types.Namespace) bool {
+	return svc.can(ctx, "modules.export", r)
+}
+
 // CanCreateChartOnNamespace checks if current user can create chart on namespace
 //
 // This function is auto-generated
@@ -582,6 +645,13 @@ func (svc accessControl) CanSearchChartsOnNamespace(ctx context.Context, r *type
 	return svc.can(ctx, "charts.search", r)
 }
 
+// CanExportChartsOnNamespace checks if current user can export charts on namespace
+//
+// This function is auto-generated
+func (svc accessControl) CanExportChartsOnNamespace(ctx context.Context, r *types.Namespace) bool {
+	return svc.can(ctx, "charts.export", r)
+}
+
 // CanCreatePageOnNamespace checks if current user can create page on namespace
 //
 // This function is auto-generated
@@ -596,6 +666,13 @@ func (svc accessControl) CanSearchPagesOnNamespace(ctx context.Context, r *types
 	return svc.can(ctx, "pages.search", r)
 }
 
+// CanExportPagesOnNamespace checks if current user can export pages on namespace
+//
+// This function is auto-generated
+func (svc accessControl) CanExportPagesOnNamespace(ctx context.Context, r *types.Namespace) bool {
+	return svc.can(ctx, "pages.export", r)
+}
+
 // CanReadPage checks if current user can read
 //
 // This function is auto-generated
@@ -617,6 +694,13 @@ func (svc accessControl) CanDeletePage(ctx context.Context, r *types.Page) bool
 	return svc.can(ctx, "delete", r)
 }
 
+// CanExportPage checks if current user can access to export pages
+//
+// This function is auto-generated
+func (svc accessControl) CanExportPage(ctx context.Context, r *types.Page) bool {
+	return svc.can(ctx, "export", r)
+}
+
 // CanCreatePageLayoutOnPage checks if current user can create page layout on namespace
 //
 // This function is auto-generated
@@ -848,12 +932,14 @@ func rbacResourceOperations(r string) map[string]bool {
 			"read":   true,
 			"update": true,
 			"delete": true,
+			"export": true,
 		}
 	case types.ModuleResourceType:
 		return map[string]bool{
 			"read":                true,
 			"update":              true,
 			"delete":              true,
+			"export":              true,
 			"record.create":       true,
 			"owned-record.create": true,
 			"records.search":      true,
@@ -868,19 +954,24 @@ func rbacResourceOperations(r string) map[string]bool {
 			"read":           true,
 			"update":         true,
 			"delete":         true,
+			"export":         true,
 			"manage":         true,
 			"module.create":  true,
 			"modules.search": true,
+			"modules.export": true,
 			"chart.create":   true,
 			"charts.search":  true,
+			"charts.export":  true,
 			"page.create":    true,
 			"pages.search":   true,
+			"pages.export":   true,
 		}
 	case types.PageResourceType:
 		return map[string]bool{
 			"read":                true,
 			"update":              true,
 			"delete":              true,
+			"export":              true,
 			"page-layout.create":  true,
 			"page-layouts.search": true,
 		}

server/provision/000_base/compose_access_control.yaml

@@ -5,12 +5,17 @@ allow:
 
     corteza::compose:namespace/*:
       - read
+      - export
+      - modules.export
+      - charts.export
+      - pages.export
       - pages.search
       - modules.search
       - charts.search
 
     corteza::compose:module/*/*:
       - read
+      - export
       - records.search
 
     corteza::compose:module-field/*/*/*:
@@ -18,12 +23,14 @@ allow:
 
     corteza::compose:page/*/*:
       - read
+      - export
 
     corteza::compose:page-layout/*/*/*:
       - read
 
     corteza::compose:chart/*/*:
       - read
+      - export
 
     corteza::compose:record/*/*/*:
       - read
@@ -41,6 +48,10 @@ allow:
       - update
       - delete
       - manage
+      - export
+      - modules.export
+      - charts.export
+      - pages.export
       - page.create
       - pages.search
       - module.create
@@ -52,6 +63,7 @@ allow:
       - read
       - update
       - delete
+      - export
       - record.create
       - records.search
 
@@ -69,11 +81,13 @@ allow:
       - read
       - update
       - delete
+      - export
 
     corteza::compose:page/*/*:
       - read
       - update
       - delete
+      - export
 
     corteza::compose:page-layout/*/*/*:
       - read
@@ -93,6 +107,10 @@ allow:
       - update
       - delete
       - manage
+      - export
+      - modules.export
+      - charts.export
+      - pages.export
       - page.create
       - pages.search
       - module.create
@@ -104,6 +122,7 @@ allow:
       - read
       - update
       - delete
+      - export
       - record.create
       - records.search
 
@@ -120,8 +139,10 @@ allow:
       - read
       - update
       - delete
+      - export
 
     corteza::compose:page/*/*:
       - read
       - update
       - delete
+      - export