Add an AllRead key

2025-07-15 13:58:36 +02:00 · 2025-06-19 11:29:16 +02:00 · 2025-06-19 11:29:16 +02:00 · b421c8e7de
commit b421c8e7de
parent 00eb258a53
2 changed files with 49 additions and 0 deletions
--- a/crates/meilisearch-auth/src/store.rs
+++ b/crates/meilisearch-auth/src/store.rs
@ -89,6 +89,7 @@ impl HeedAuthStore {
        for action in &key.actions {
            match action {
                Action::All => actions.extend(enum_iterator::all::<Action>()),
+                Action::AllRead => actions.extend(enum_iterator::all::<Action>().filter(|a| a.is_read())),
                Action::DocumentsAll => {
                    actions.extend(
                        [Action::DocumentsGet, Action::DocumentsDelete, Action::DocumentsAdd]
--- a/crates/meilisearch-types/src/keys.rs
+++ b/crates/meilisearch-types/src/keys.rs
@ -218,6 +218,9 @@ pub enum Action {
    #[serde(rename = "*")]
    #[deserr(rename = "*")]
    All = 0,
+    #[serde(rename = "*.read")]
+    #[deserr(rename = "*.read")]
+    AllRead,
    #[serde(rename = "search")]
    #[deserr(rename = "search")]
    Search,
@ -396,6 +399,51 @@ impl Action {
        }
    }

+    /// Whether the action should be included in [Action::AllRead].
+    pub fn is_read(&self) -> bool {
+        use Action::*;
+
+        // It's using an exhaustive match to force the addition of new actions.
+        match self {
+            // Any action that expands to others must return false, as it wouldn't be able to expand recursively.
+            All | AllRead | DocumentsAll | IndexesAll | ChatsAll | TasksAll | SettingsAll
+                | StatsAll | MetricsAll | DumpsAll | SnapshotsAll | ChatsSettingsAll => false,
+
+            Search => true,
+            DocumentsAdd => false,
+            DocumentsGet => true,
+            DocumentsDelete => false,
+            IndexesAdd => false,
+            IndexesGet => true,
+            IndexesUpdate => false,
+            IndexesDelete => false,
+            IndexesSwap => false,
+            TasksCancel => false,
+            TasksDelete => false,
+            TasksGet => true,
+            SettingsGet => true,
+            SettingsUpdate => false,
+            StatsGet => true,
+            MetricsGet => true,
+            DumpsCreate => false,
+            SnapshotsCreate => false,
+            Version => true,
+            KeysAdd => false,
+            KeysGet => false, // Prevent privilege escalation by not allowing reading other keys.
+            KeysUpdate => false,
+            KeysDelete => false,
+            ExperimentalFeaturesGet => true,
+            ExperimentalFeaturesUpdate => false,
+            NetworkGet => true,
+            NetworkUpdate => false,
+            ChatCompletions => false, // Disabled because it might trigger generation of new chats.
+            ChatsGet => true,
+            ChatsDelete => false,
+            ChatsSettingsGet => true,
+            ChatsSettingsUpdate => false,
+        }
+    }
+
    pub const fn repr(&self) -> u8 {
        *self as u8
    }