v1.5.0: fix user activity permissions, fix removing nodes from egress… (#3865)

* v1.5.0: fix user activity permissions, fix removing nodes from egress models

* v1.5.0: fix egress update

logic/egress.go

@@ -10,6 +10,8 @@ import (
 	"github.com/gravitl/netmaker/db"
 	"github.com/gravitl/netmaker/models"
 	"github.com/gravitl/netmaker/schema"
+	"golang.org/x/exp/slog"
+	"gorm.io/datatypes"
 )
 
 var ValidateEgressReq = validateEgressReq
@@ -431,16 +433,29 @@ func GetNodeEgressInfo(targetNode *models.Node, eli []schema.Egress, acls []mode
 }
 
 func RemoveNodeFromEgress(node models.Node) {
-	egs, _ := (&schema.Egress{
-		Network: node.Network,
-	}).ListByNetwork(db.WithContext(context.TODO()))
-	for _, egI := range egs {
+	ctx := db.WithContext(context.TODO())
+	egs, err := (&schema.Egress{Network: node.Network}).ListByNetwork(ctx)
+	if err != nil {
+		slog.Error("RemoveNodeFromEgress: failed to list egresses", "error", err.Error())
+		return
+	}
+	for i := range egs {
+		egI := &egs[i]
 		if _, ok := egI.Nodes[node.ID.String()]; ok {
 			delete(egI.Nodes, node.ID.String())
-			egI.Update(db.WithContext(context.TODO()))
+			// Build a new map to ensure GORM persists the change; in-place modification
+			// of the same map reference may not be detected by Updates(&struct).
+			newNodes := make(datatypes.JSONMap)
+			for k, v := range egI.Nodes {
+				newNodes[k] = v
+			}
+			if err := db.FromContext(ctx).Table(egI.Table()).Where("id = ?", egI.ID).Updates(map[string]any{
+				"nodes": newNodes,
+			}).Error; err != nil {
+				slog.Error("RemoveNodeFromEgress: failed to update egress", "id", egI.ID, "error", err.Error())
+			}
 		}
 	}
-
 }
 
 func GetEgressRanges(netID models.NetworkID) (map[string][]string, map[string]struct{}, error) {

pro/controllers/events.go

@@ -14,8 +14,7 @@ import (
 
 func EventHandlers(r *mux.Router) {
 	r.HandleFunc("/api/v1/network/activity", logic.SecurityCheck(true, http.HandlerFunc(listNetworkActivity))).Methods(http.MethodGet)
-	r.HandleFunc("/api/v1/user/activity", logic.SecurityCheck(false,
-		logic.ContinueIfUserMatch(http.HandlerFunc(listUserActivity)))).Methods(http.MethodGet)
+	r.HandleFunc("/api/v1/user/activity", logic.SecurityCheck(false, http.HandlerFunc(listUserActivity))).Methods(http.MethodGet)
 	r.HandleFunc("/api/v1/activity", logic.SecurityCheck(true, http.HandlerFunc(listActivity))).Methods(http.MethodGet)
 }
 
@@ -101,9 +100,20 @@ func listUserActivity(w http.ResponseWriter, r *http.Request) {
 		})
 		return
 	}
+	caller, err := logic.GetUser(r.Header.Get("user"))
+	if err != nil {
+		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
+		return
+	}
+	if caller.UserName != username && caller.PlatformRoleID != models.SuperAdminRole && caller.PlatformRoleID != models.AdminRole {
+		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
+			Code:    http.StatusForbidden,
+			Message: "you are not authorized to view this user's activity",
+		})
+		return
+	}
 	fromDateStr := r.URL.Query().Get("from_date")
 	toDateStr := r.URL.Query().Get("to_date")
-	var err error
 	var fromDate, toDate time.Time
 	if fromDateStr != "" && toDateStr != "" {
 		fromDate, err = time.Parse(time.RFC3339, fromDateStr)