More-permissive updates of inherited children should take precedence and be used instead of throwing "inherited role permission inconsistency" #8343

@corsali-albert

Version Information

Server Version: 2.3.1
CLI Version (for CLI related issue): 2.3.1

Environment

OSS

What is the expected behaviour?

More-permissive updates of inherited children should take precedence and be used.

inherited role permission inconsistency should be displayed in the console upon save if they are actually inconsistent.

Keywords

inherited roles

This issue is similar but different: #8063

What is the current behaviour?

This fails silently. Saving the permission is successful, and the console behaves normally, but the role is not updated and refreshing the console gets redirected to the metadata status page which comes up as a 404.

How to reproduce the issue?

  1. Create role A. Give it update permissions on table X with a limited row select and a limited column select.
  2. Create role B. Give it update permissions on table X with unlimited row and column select permissions.
  3. Create inherited role C, have it inherit from roles A and B.
  4. Refresh the console.

Screenshots or Screencast

Sensitive data, sorry.

Please provide any traces or logs that could help here.

xxxx-hasura-engine-1 | {"type":"metadata","timestamp":"2022-03-18T22:34:40.763+0000","level":"warn","detail":{"message":"Inconsistent Metadata!","info":{"objects":[{"reason":"Could not inherit permission for the role 'xxaaxx' for the entity: 'update permission, table: xxbbxx, source: 'default''","name":"xxaaxx","type":"inherited role permission inconsistency","entity":{"permission_type":"update","source":"default","table":"xxbbxx"}}]}}}

Any possible solutions?

Don't use inherited roles and instead replicate the functionality manually by computing the equivalent and manually keeping it in sync with what would have been its children.

Can you identify the location in the source code where the problem exists?

Sorry, I cannot.

If the bug is confirmed, would you be willing to submit a PR?

Sorry, I don't know Haskell.
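
An added example, not part of the original issue and not Hasura's own code: a check over an exported metadata file that lists every inherited role whose parent roles carry differing update permissions on the same table, the condition reproduced in the steps above. The metadata layout (sources / tables / update_permissions / inherited_roles), the rule that an explicit permission on the inherited role takes precedence, and the sample roles and table are assumptions.

```python
import json

# Constructed sample mirroring the reproduction steps (roles a, b; inherited role c).
# The layout is an assumed shape of an exported Hasura metadata file.
SAMPLE_METADATA = {
    "sources": [{
        "name": "default",
        "tables": [{
            "table": {"schema": "public", "name": "x"},
            "update_permissions": [
                # Role a: limited rows and columns.
                {"role": "a", "permission": {
                    "columns": ["name"],
                    "filter": {"owner_id": {"_eq": "X-Hasura-User-Id"}}}},
                # Role b: all rows and columns.
                {"role": "b", "permission": {"columns": "*", "filter": {}}},
            ],
        }],
    }],
    "inherited_roles": [{"role_name": "c", "role_set": ["a", "b"]}],
}


def canonical(permission):
    """Serialize a permission so key order and column order do not matter."""
    perm = dict(permission)
    if isinstance(perm.get("columns"), list):
        perm["columns"] = sorted(perm["columns"])
    return json.dumps(perm, sort_keys=True)


def find_update_conflicts(metadata):
    """Return (inherited_role, source, table, parents) where parents disagree."""
    conflicts = []
    for source in metadata.get("sources", []):
        for table in source.get("tables", []):
            perms = {p["role"]: p["permission"]
                     for p in table.get("update_permissions", [])}
            for inherited in metadata.get("inherited_roles", []):
                name = inherited["role_name"]
                if name in perms:
                    continue  # assumption: an explicit permission takes precedence
                parents = sorted(r for r in inherited["role_set"] if r in perms)
                if len({canonical(perms[r]) for r in parents}) > 1:
                    conflicts.append(
                        (name, source["name"], table["table"]["name"], parents))
    return conflicts
```

Running find_update_conflicts on metadata before applying it surfaces the mismatch that the console accepts silently.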


Labels: k/bug (Something isn't working)
