fix(api): remove roles associated to access policies after removing RBAC extension (#3373)

api/http/handler/extensions/data.go

@@ -59,3 +59,59 @@ func (handler *Handler) upgradeRBACData() error {
 
 	return handler.AuthorizationService.UpdateUsersAuthorizations()
 }
+
+func updateUserAccessPolicyToNoRole(policies portainer.UserAccessPolicies, key portainer.UserID) {
+	tmp := policies[key]
+	tmp.RoleID = 0
+	policies[key] = tmp
+}
+
+func updateTeamAccessPolicyToNoRole(policies portainer.TeamAccessPolicies, key portainer.TeamID) {
+	tmp := policies[key]
+	tmp.RoleID = 0
+	policies[key] = tmp
+}
+
+func (handler *Handler) downgradeRBACData() error {
+	endpointGroups, err := handler.EndpointGroupService.EndpointGroups()
+	if err != nil {
+		return err
+	}
+
+	for _, endpointGroup := range endpointGroups {
+		for key := range endpointGroup.UserAccessPolicies {
+			updateUserAccessPolicyToNoRole(endpointGroup.UserAccessPolicies, key)
+		}
+
+		for key := range endpointGroup.TeamAccessPolicies {
+			updateTeamAccessPolicyToNoRole(endpointGroup.TeamAccessPolicies, key)
+		}
+
+		err := handler.EndpointGroupService.UpdateEndpointGroup(endpointGroup.ID, &endpointGroup)
+		if err != nil {
+			return err
+		}
+	}
+
+	endpoints, err := handler.EndpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range endpoints {
+		for key := range endpoint.UserAccessPolicies {
+			updateUserAccessPolicyToNoRole(endpoint.UserAccessPolicies, key)
+		}
+
+		for key := range endpoint.TeamAccessPolicies {
+			updateTeamAccessPolicyToNoRole(endpoint.TeamAccessPolicies, key)
+		}
+
+		err := handler.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	return handler.AuthorizationService.UpdateUsersAuthorizations()
+}

api/http/handler/extensions/extension_delete.go

@@ -29,6 +29,13 @@ func (handler *Handler) extensionDelete(w http.ResponseWriter, r *http.Request)
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to delete extension", err}
 	}
 
+	if extensionID == portainer.RBACExtension {
+		err = handler.downgradeRBACData()
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "An error occured during database update", err}
+		}
+	}
+
 	err = handler.ExtensionService.DeleteExtension(extensionID)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to delete the extension from the database", err}