Users without CREATE_FEATURE permissions cannot toggle MV features from list

Open rolodato opened this issue 1 year ago • 0 comments

How are you running Flagsmith

  • [x] Self Hosted with Docker
  • [x] Self Hosted with Kubernetes
  • [x] SaaS at flagsmith.com
  • [ ] Some other way (add details in description below)

Describe the bug

Trying to toggle a multivariate feature from the features list without having CREATE_FEATURE permissions in that project silently fails without an error.

Steps To Reproduce

  1. Create a user that has permissions to update feature states in an environment, but not to create features in that project
  2. From the features list in that environment, try to toggle the feature on/off. The request below fails with a 403:
await fetch("http://localhost:8000/api/v1/projects/38/features/4/mv-options/1/", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0",
        "Accept": "application/json",
        "Accept-Language": "en-US,en;q=0.7,es-AR;q=0.3",
        "Content-Type": "application/json; charset=utf-8",
        "AUTHORIZATION": "Token ...",
        "Sec-Fetch-Dest": "empty",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Site": "same-origin",
        "Priority": "u=0"
    },
    "referrer": "http://localhost:8000/project/38/environment/iMPPkoycz5xhNdPQLxHqKw/features",
    "body": "{\"id\":1,\"uuid\":\"a534a964-64ff-4d2b-a89a-61c15d338e11\",\"type\":\"unicode\",\"integer_value\":null,\"string_value\":\"\",\"boolean_value\":null,\"default_percentage_allocation\":0,\"feature\":4}",
    "method": "PUT",
    "mode": "cors"
});

This only happens when trying to toggle the feature from the features list. Trying to edit it from the feature modal succeeds with this request:

await fetch("http://localhost:8000/api/v1/environments/iMPPkoycz5xhNdPQLxHqKw/featurestates/9/", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0",
        "Accept": "application/json",
        "Accept-Language": "en-US,en;q=0.7,es-AR;q=0.3",
        "Content-Type": "application/json; charset=utf-8",
        "AUTHORIZATION": "Token ...",
        "Sec-Fetch-Dest": "empty",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Site": "same-origin",
        "Priority": "u=4"
    },
    "referrer": "http://localhost:8000/project/38/environment/iMPPkoycz5xhNdPQLxHqKw/features?feature=4&tab=value",
    "body": "{\"id\":9,\"feature_state_value\":null,\"multivariate_feature_state_values\":[{\"id\":1,\"multivariate_feature_option\":1,\"percentage_allocation\":0}],\"identity\":null,\"deleted_at\":null,\"uuid\":\"62e69479-77cb-4eab-8f26-57689eeac5b8\",\"enabled\":false,\"created_at\":\"2024-08-08T19:47:19.406907Z\",\"updated_at\":\"2024-08-08T19:47:42.103780Z\",\"live_from\":\"2024-08-08T19:47:19.404748Z\",\"version\":1,\"feature\":4,\"environment\":9,\"feature_segment\":null,\"change_request\":null,\"environment_feature_version\":null}",
    "method": "PUT",
    "mode": "cors"
});

This happens on environments with or without versioning enabled.

Expected behavior

This should work :)

Screenshots

No response

rolodato, Aug 08 '24 20:08
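
As an added example (not part of the original issue and not Flagsmith's own code), a least-privilege audit over the two requests captured in the report: it maps each request to the permission its endpoint demands and lists the ones the user from step 1 would be denied. Only `CREATE_FEATURE` and the URLs come from the report; the `UPDATE_FEATURE_STATE` label, the `granted` structure and the function names are assumptions.

```javascript
// Endpoint-to-permission rules. Only CREATE_FEATURE is named in the report.
const RULES = [
  // Project-scoped MV option write: the report shows a 403 without CREATE_FEATURE.
  { method: "PUT", scope: "project", permission: "CREATE_FEATURE",
    pattern: /^\/api\/v1\/projects\/(\d+)\/features\/\d+\/mv-options\/\d+\/$/ },
  // Environment-scoped feature state write: succeeds for the user in the report.
  // UPDATE_FEATURE_STATE is an assumed label for "update feature states".
  { method: "PUT", scope: "environment", permission: "UPDATE_FEATURE_STATE",
    pattern: /^\/api\/v1\/environments\/([^/]+)\/featurestates\/\d+\/$/ },
];

function requiredPermission(method, url) {
  const path = new URL(url).pathname;
  for (const rule of RULES) {
    const m = rule.pattern.exec(path);
    if (m && rule.method === method.toUpperCase()) {
      return { scope: rule.scope, scopeId: m[1], permission: rule.permission };
    }
  }
  return null; // unmapped endpoint: report it instead of assuming it is allowed
}

// Returns the requests of one UI action that the user would be denied.
function auditAction(requests, granted) {
  const findings = [];
  for (const { method, url } of requests) {
    const need = requiredPermission(method, url);
    if (need === null) {
      findings.push({ method, url, reason: "unmapped endpoint" });
      continue;
    }
    const held = (granted[need.scope] || {})[need.scopeId] || [];
    if (!held.includes(need.permission)) {
      const reason = `missing ${need.permission} on ${need.scope} ${need.scopeId}`;
      findings.push({ method, url, reason });
    }
  }
  return findings;
}

// Constructed sample: the user from step 1 and the two requests from the report.
const envKey = "iMPPkoycz5xhNdPQLxHqKw";
const user = { project: { "38": [] }, environment: { [envKey]: ["UPDATE_FEATURE_STATE"] } };
const base = "http://localhost:8000/api/v1";
const listToggle = [{ method: "PUT", url: `${base}/projects/38/features/4/mv-options/1/` }];
const modalEdit = [{ method: "PUT", url: `${base}/environments/${envKey}/featurestates/9/` }];
console.log(auditAction(listToggle, user)); // one finding: project-scoped write
console.log(auditAction(modalEdit, user));  // no findings
```

Run against the requests a UI action actually emits, a check like this flags an action that reaches for a broader scope than the task needs before it turns into a silent 403.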