[Workspace]Response forbidden error for not permitted workspace

[wanglam]

Description

This PR is for fixing 500 error when import sample data to a not permitted workspace. It should return a forbidden error.

Screenshot

Testing the changes

• Clone branch code and run yarn osd bootstrap --single-version loose
• Add below configs in config/opensearch_dashboards.yml

savedObjects.permission.enabled: true
workspace.enabled: true
uiSettings:
  overrides:
    'home:useNewHomePage': true
opensearchDashboards.dashboardAdmin.users: ['admin']

• Run yarn start --no-base-path
• Login with admin user
• Visit internal users page and create a test-user
• Visit a existing workspace settings page and add test-user as a read-only collaborator
• Open an incognito window and login with test-user
• Goto the sample data page of the same workspace
• Click "Add data" button, it should show error like screenshot below
• Should see "403" response in devtools

Changelog

• feat: [Workspace] Response forbidden error for not permitted workspace

Check List

• All tests pass
  • yarn test:jest
  • yarn test:jest_integration
• New functionality includes testing.
• New functionality has been documented.
• Update CHANGELOG.md
• Commits are signed per the DCO using --signoff

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 60.87%. Comparing base (e09c137) to head (1ee8730).
Report is 4 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8641   +/-   ##
=======================================
  Coverage   60.86%   60.87%           
=======================================
  Files        3790     3790           
  Lines       90222    90224    +2     
  Branches    14144    14145    +1     
=======================================
+ Hits        54918    54925    +7     
+ Misses      31838    31834    -4     
+ Partials     3466     3465    -1     

Flag	Coverage Δ
Linux_1	29.08% <ø> (ø)
Linux_2	56.39% <ø> (ø)
Linux_3	37.72% <ø> (+<0.01%)	⬆️
Linux_4	29.81% <100.00%> (+<0.01%)	⬆️
Windows_1	29.09% <ø> (ø)
Windows_2	56.34% <ø> (ø)
Windows_3	37.72% <ø> (ø)
Windows_4	29.81% <100.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[Hailong-am]

do we have any other error except forbidden error? should we use whatever code the error has

  const status = error && error[code] || 400;
  return res.customError({ body: errMsg, statusCode: status });

[wanglam]

I've searched the whole org, there are three places will generate ForbiddenError:

1. OpenSearch response forbidden error:

   OpenSearch-Dashboards/src/core/server/saved_objects/service/lib/decorate_opensearch_error.ts

   Line 80 in 32b11de

   return SavedObjectsErrorHelpers.decorateForbiddenError(error, reason);

2. Workspace saved object permission wrapper forbidden error:

   OpenSearch-Dashboards/src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts

   Line 47 in 32b11de

   SavedObjectsErrorHelpers.decorateForbiddenError(

3. Data source permission wrapper forbidden error:

   OpenSearch-Dashboards/src/plugins/data_source_management/server/saved_objects/data_source_premission_client_wrapper.ts

   Line 163 in 32b11de

   SavedObjectsErrorHelpers.decorateForbiddenError(

   
   I think it's OK to response 403 for case 2 and 3, seems they are user permission related issues.
   For case 1, the server response 500 in the old implementation. The current implementation will return 403.
   We may need to check the error message if we want to distinguish these cases. Do you have other suggestions? I think response 403 would be OK for case 1.

[SuZhou-Joe]

Nit: Why do we check if there is workspaceId present? I think returning 403 error if the error is a forbidden error seems straightforward to me.