Hide environments user can't access (#704)

paulocsanz · web-flow · commit 29bfbbf9a3aa · 2025-11-28T17:09:41.000-03:00
* Hide environments user can't access

Makes env level RBAC experience better in CLI
diff --git a/src/commands/environment.rs b/src/commands/environment.rs
@@ -161,12 +161,19 @@ async fn delete_environment(args: DeleteArgs) -> Result<()> {
             bail!(RailwayError::EnvironmentNotFound(environment))
         }
     } else if is_terminal {
-        let environments = project
-            .environments
-            .edges
+        let all_environments = &project.environments.edges;
+        let environments = all_environments
             .iter()
+            .filter(|env| env.node.can_access)
             .map(|env| Environment(&env.node))
             .collect::<Vec<_>>();
+        if environments.is_empty() {
+            if all_environments.is_empty() {
+                bail!("Project has no environments");
+            } else {
+                bail!("All environments in this project are restricted");
+            }
+        }
         let r = prompt_options("Select the environment to delete", environments)?;
         (r.0.id.clone(), r.0.name.clone())
     } else {
@@ -240,13 +247,21 @@ async fn link_environment(args: Args) -> std::result::Result<(), anyhow::Error>
         bail!(RailwayError::ProjectDeleted);
     }
 
-    let environments = project
-        .environments
-        .edges
+    let all_environments = &project.environments.edges;
+    let environments = all_environments
         .iter()
+        .filter(|env| env.node.can_access)
         .map(|env| Environment(&env.node))
         .collect::<Vec<_>>();
 
+    if environments.is_empty() {
+        if all_environments.is_empty() {
+            bail!("Project has no environments");
+        } else {
+            bail!("All environments in this project are restricted");
+        }
+    }
+
     let environment = match args.environment {
         // If the environment is specified, find it in the list of environments
         Some(environment) => {
@@ -474,6 +489,7 @@ fn select_duplicate_id_new(
             .environments
             .edges
             .iter()
+            .filter(|env| env.node.can_access)
             .map(|env| Environment(&env.node))
             .collect::<Vec<_>>();
         prompt_options_skippable(
diff --git a/src/commands/link.rs b/src/commands/link.rs
@@ -128,6 +128,14 @@ fn select_environment(
     environment: Option<String>,
     project: &NormalisedProject,
 ) -> Result<NormalisedEnvironment, anyhow::Error> {
+    if project.environments.is_empty() {
+        if project.has_restricted_environments {
+            bail!("All environments in this project are restricted");
+        } else {
+            bail!("Project has no environments");
+        }
+    }
+
     let environment = if let Some(environment) = environment {
         let env = project.environments.iter().find(|e| {
             (e.name.to_lowercase() == environment.to_lowercase())
@@ -260,7 +268,9 @@ structstruck::strike! {
             ///
             /// _**note**_: this isn't what the API returns, we are just extracting what we need
             service_instances: Vec<String>,
-        }>
+        }>,
+        /// Whether the project has restricted environments
+        has_restricted_environments: bool,
     }
 }
 
@@ -269,62 +279,76 @@ structstruck::strike! {
 impl From<Project> for NormalisedProject {
     fn from(value: Project) -> Self {
         match value {
-            Project::External(project) => NormalisedProject::new(
-                project.id,
-                project.name,
-                project
+            Project::External(project) => {
+                let total_envs = project.environments.edges.len();
+                let accessible_envs: Vec<_> = project
                     .environments
                     .edges
                     .into_iter()
+                    .filter(|env| env.node.can_access)
                     .map(|env| NormalisedEnvironment::new(env.node.id, env.node.name))
-                    .collect(),
-                project
-                    .services
-                    .edges
-                    .into_iter()
-                    .map(|service| {
-                        NormalisedService::new(
-                            service.node.id,
-                            service.node.name,
-                            service
-                                .node
-                                .service_instances
-                                .edges
-                                .into_iter()
-                                .map(|instance| instance.node.environment_id)
-                                .collect(),
-                        )
-                    })
-                    .collect(),
-            ),
-            Project::Workspace(project) => NormalisedProject::new(
-                project.id,
-                project.name,
-                project
+                    .collect();
+                let has_restricted = total_envs > accessible_envs.len();
+                NormalisedProject::new(
+                    project.id,
+                    project.name,
+                    accessible_envs,
+                    project
+                        .services
+                        .edges
+                        .into_iter()
+                        .map(|service| {
+                            NormalisedService::new(
+                                service.node.id,
+                                service.node.name,
+                                service
+                                    .node
+                                    .service_instances
+                                    .edges
+                                    .into_iter()
+                                    .map(|instance| instance.node.environment_id)
+                                    .collect(),
+                            )
+                        })
+                        .collect(),
+                    has_restricted,
+                )
+            }
+            Project::Workspace(project) => {
+                let total_envs = project.environments.edges.len();
+                let accessible_envs: Vec<_> = project
                     .environments
                     .edges
                     .into_iter()
+                    .filter(|env| env.node.can_access)
                     .map(|env| NormalisedEnvironment::new(env.node.id, env.node.name))
-                    .collect(),
-                project
-                    .services
-                    .edges
-                    .into_iter()
-                    .map(|service| {
-                        NormalisedService::new(
-                            service.node.id,
-                            service.node.name,
-                            service
-                                .node
-                                .service_instances
-                                .edges
-                                .into_iter()
-                                .map(|instance| instance.node.environment_id)
-                                .collect(),
-                        )
-                    })
-                    .collect(),
-            ),
+                    .collect();
+                let has_restricted = total_envs > accessible_envs.len();
+                NormalisedProject::new(
+                    project.id,
+                    project.name,
+                    accessible_envs,
+                    project
+                        .services
+                        .edges
+                        .into_iter()
+                        .map(|service| {
+                            NormalisedService::new(
+                                service.node.id,
+                                service.node.name,
+                                service
+                                    .node
+                                    .service_instances
+                                    .edges
+                                    .into_iter()
+                                    .map(|instance| instance.node.environment_id)
+                                    .collect(),
+                            )
+                        })
+                        .collect(),
+                    has_restricted,
+                )
+            }
         }
     }
 }
diff --git a/src/controllers/terminal/client.rs b/src/controllers/terminal/client.rs
@@ -49,6 +49,10 @@ impl TerminalClient {
                     .map_err(|e| anyhow::anyhow!("Failed to parse server message: {}", e))?;
 
                 if server_msg.r#type != "welcome" {
+                    // If it's an error message, extract and display the actual error message
+                    if server_msg.r#type == "error" && !server_msg.payload.message.is_empty() {
+                        bail!("Failed to connect: {}", server_msg.payload.message);
+                    }
                     bail!("Expected welcome message, received: {:?}", server_msg);
                 }
 
diff --git a/src/gql/queries/strings/Project.graphql b/src/gql/queries/strings/Project.graphql
@@ -11,6 +11,7 @@ query Project($id: String!) {
         node {
           id
           name
+          canAccess
           deletedAt
         }
       }
diff --git a/src/gql/queries/strings/UserProjects.graphql b/src/gql/queries/strings/UserProjects.graphql
@@ -14,6 +14,7 @@ query UserProjects {
           node {
             id
             name
+            canAccess
           }
         }
       }
@@ -54,6 +55,7 @@ query UserProjects {
                 node {
                   id
                   name
+                  canAccess
                 }
               }
             }
diff --git a/src/gql/schema.json b/src/gql/schema.json
diff --git a/src/main.rs b/src/main.rs

Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,10 @@ impl TerminalClient {`
`49`	`49`	`.map_err(\|e\| anyhow::anyhow!("Failed to parse server message: {}", e))?;`
`50`	`50`
`51`	`51`	`if server_msg.r#type != "welcome" {`
	`52`	`+ // If it's an error message, extract and display the actual error message`
	`53`	`+ if server_msg.r#type == "error" && !server_msg.payload.message.is_empty() {`
	`54`	`+ bail!("Failed to connect: {}", server_msg.payload.message);`
	`55`	`+ }`
`52`	`56`	`bail!("Expected welcome message, received: {:?}", server_msg);`
`53`	`57`	`}`
`54`	`58`
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ query Project($id: String!) {`
`11`	`11`	`node {`
`12`	`12`	`id`
`13`	`13`	`name`
	`14`	`+ canAccess`
`14`	`15`	`deletedAt`
`15`	`16`	`}`
`16`	`17`	`}`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@ query UserProjects {`
`14`	`14`	`node {`
`15`	`15`	`id`
`16`	`16`	`name`
	`17`	`+ canAccess`
`17`	`18`	`}`
`18`	`19`	`}`
`19`	`20`	`}`
`@@ -54,6 +55,7 @@ query UserProjects {`
`54`	`55`	`node {`
`55`	`56`	`id`
`56`	`57`	`name`
	`58`	`+ canAccess`
`57`	`59`	`}`
`58`	`60`	`}`
`59`	`61`	`}`