From ac78fcdf94f90ae5e7ca65dab2d8def3b2be1385 Mon Sep 17 00:00:00 2001
From: Phil Renaud
Date: Thu, 26 Sep 2024 16:26:58 -0400
Subject: [PATCH] Modify variable access permissions for UI users with write in only certain namespaces
---
 .changelog/24073.txt | 3 +++
 ui/app/abilities/variable.js | 27 +++++++++++++++++----------
 2 files changed, 20 insertions(+), 10 deletions(-)
 create mode 100644 .changelog/24073.txt
diff --git a/.changelog/24073.txt b/.changelog/24073.txt
new file mode 100644
index 00000000000..85c50ed4eab
--- /dev/null
+++ b/.changelog/24073.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Fixes an issue where variables paths would not let namespaced users write variables unless they also had * namespace variable write permissions
+```
diff --git a/ui/app/abilities/variable.js b/ui/app/abilities/variable.js
index ccc4c548a3b..3dc647246e3 100644
--- a/ui/app/abilities/variable.js
+++ b/ui/app/abilities/variable.js
@@ -116,22 +116,29 @@ export default class Variable extends AbstractAbility {
 @computed('allPaths', 'namespace', 'path', 'token.selfTokenPolicies')
 get policiesSupportVariableWriting() {
- if (this.namespace === WILDCARD_GLOB && this.path === WILDCARD_GLOB) {
- // If you're checking if you can write from root, and you don't specify a namespace,
- // Then if you can write in ANY path in ANY namespace, you can get to /new.
+ if (this.path === WILDCARD_GLOB) {
+ // If checking for write permission on the root path
 return this.policyNamespacesIncludeVariablesCapabilities(
 this.token.selfTokenPolicies,
 ['write'],
- this._nearestMatchingPath(this.path)
+ WILDCARD_GLOB
 );
 } else {
- // Checking a specific path in a specific namespace.
- // TODO: This doesn't cover the case when you're checking for the * namespace at a specific path.
- // Right now we require you to specify yournamespace to enable the button.
+ // Checking a specific path
 const matchingPath = this._nearestMatchingPath(this.path);
- return this.allPaths
- .find((path) => path.name === matchingPath)
- ?.capabilities?.includes('write');
+ if (this.namespace === WILDCARD_GLOB) {
+ // Checking for the * namespace at a specific path
+ return this.policyNamespacesIncludeVariablesCapabilities(
+ this.token.selfTokenPolicies,
+ ['write'],
+ matchingPath
+ );
+ } else {
+ // Checking a specific path in a specific namespace
+ return this.allPaths
+ .find((path) => path.name === matchingPath)
+ ?.capabilities?.includes('write');
+ }
 }
 }
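Review bot: The first branch (`this.path === WILDCARD_GLOB`) no longer consults `this.namespace`, so with a specific namespace selected the getter appears to return true whenever any namespace in the token's policies grants variable write, including one other than the namespace being viewed. This is inferred from the helper's name and arguments, since `policyNamespacesIncludeVariablesCapabilities` is defined outside the hunk. That is acceptable for a UI affordance only as long as the server-side ACL check stays the sole authority on the write, and the comment should say so, e.g. `// UI hint only: true if ANY namespace grants write; the API still enforces the per-namespace ACL on save`. The patch touches only this file and the changelog, so none of the three branches is pinned by a test here; a unit test with a token that has write in one namespace, checked against a different namespace and against `*`, would document the intended result. The enclosing class body starts and ends outside the hunk.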