fix(orchestrator):Fix instance fetching to respect permissions (#671)

LiorSoffer · web-flow · commit 544c80a47305 · 2025-04-22T08:57:33.000+02:00
Signed-off-by: Lior Soffer &lt;liorsoffer1@gmail.com&gt;
diff --git a/workspaces/orchestrator/.changeset/spicy-parents-run.md b/workspaces/orchestrator/.changeset/spicy-parents-run.md
@@ -0,0 +1,5 @@
+---
+'@red-hat-developer-hub/backstage-plugin-orchestrator-backend': patch
+---
+
+Fix instance fetching to respect permissions
diff --git a/workspaces/orchestrator/docs/rbac-policy.csv b/workspaces/orchestrator/docs/rbac-policy.csv
@@ -9,6 +9,9 @@ p, role:default/workflowAdmin, orchestrator.workflow, read, allow
 p, role:default/workflowAdmin, orchestrator.workflow.use, update, allow
 p, role:default/workflowAdmin, orchestrator.workflowAdminView, read, allow
 
+p, role:default/workflowDenied, orchestrator.workflow, read, deny
+p, role:default/workflowDenied, orchestrator.workflow.use, update, deny 
+
 g, user:development/guest, role:default/workflowUser
 g, user:default/rgolangh, role:default/workflowAdmin
 g, user:default/mareklibra, role:default/workflowAdmin
diff --git a/workspaces/orchestrator/plugins/orchestrator-backend/src/service/DataIndexService.ts b/workspaces/orchestrator/plugins/orchestrator-backend/src/service/DataIndexService.ts
@@ -232,9 +232,10 @@ export class DataIndexService {
     if (pagination) pagination.sortField ??= FETCH_PROCESS_INSTANCES_SORT_FIELD;
 
     const processIdNotNullCondition = 'processId: {isNull: false}';
-    const definitionIdsCondition = definitionIds
-      ? `processId: {in: ${JSON.stringify(definitionIds)}}`
-      : undefined;
+    const definitionIdsCondition =
+      definitionIds && definitionIds.length > 0
+        ? `processId: {in: ${JSON.stringify(definitionIds)}}`
+        : undefined;
     const type = 'ProcessInstance';
     const filterCondition = filter
       ? buildFilterCondition(
diff --git a/workspaces/orchestrator/plugins/orchestrator-backend/src/service/router.ts b/workspaces/orchestrator/plugins/orchestrator-backend/src/service/router.ts
@@ -801,6 +801,9 @@ function setupInternalRoutes(
             allWorkflowIds,
           );
 
+        if (!authorizedWorkflowIds || authorizedWorkflowIds.length === 0)
+          res.json([]);
+
         const result = await routerApi.v2.getInstances(
           buildPagination(req),
           getRequestFilters(req),

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@red-hat-developer-hub/backstage-plugin-orchestrator-backend': patch
 +---
++
 +Fix instance fetching to respect permissions