From ef3ee3aba8511f78868e4dd3429a71ca8b470588 Mon Sep 17 00:00:00 2001
From: Jamil
Date: Mon, 28 Jul 2025 15:58:11 -0400
Subject: [PATCH] fix(portal): relax gateway group perms (#10034)
This is hit by the client channel when a gateway group needs to be hydrated, which should only require "connect gateways" permissions.
---
 elixir/apps/domain/lib/domain/gateways.ex | 9 ++++++++-
 elixir/apps/domain/test/domain/gateways_test.exs | 14 +++++++++-----
 2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/elixir/apps/domain/lib/domain/gateways.ex b/elixir/apps/domain/lib/domain/gateways.ex
index da2c0463f..4dfc1d0ca 100644
--- a/elixir/apps/domain/lib/domain/gateways.ex
+++ b/elixir/apps/domain/lib/domain/gateways.ex
@@ -24,7 +24,14 @@ defmodule Domain.Gateways do
 end
 def fetch_group_by_id(id, %Auth.Subject{} = subject, opts \\ []) do
- with :ok <- Auth.ensure_has_permissions(subject, Authorizer.manage_gateways_permission()),
+ required_permissions =
+ {:one_of,
+ [
+ Authorizer.manage_gateways_permission(),
+ Authorizer.connect_gateways_permission()
+ ]}
+
+ with :ok <- Auth.ensure_has_permissions(subject, required_permissions),
 true <- Repo.valid_uuid?(id) do
 Group.Query.all()
 |> Group.Query.by_id(id)
diff --git a/elixir/apps/domain/test/domain/gateways_test.exs b/elixir/apps/domain/test/domain/gateways_test.exs
index 3fbc27499..8f92139ae 100644
--- a/elixir/apps/domain/test/domain/gateways_test.exs
+++ b/elixir/apps/domain/test/domain/gateways_test.exs
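Review bot: In `fetch_group_by_id` (gateways.ex), accepting `Authorizer.connect_gateways_permission()` in the `{:one_of, ...}` check widens who can read a gateway group by id, and the row-level scoping that keeps the lookup inside the caller's account is not visible here, because the `with` body continues past `Group.Query.by_id(id)` outside the hunk. Please confirm that the rest of the pipeline still filters by the subject's account when the subject holds only the connect permission, and that `opts` cannot be used by such a caller to load more than hydration needs. A short comment above `required_permissions` would record why the weaker permission is enough, for example `# The client channel hydrates gateway groups, which only needs "connect gateways".`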
@@ -87,11 +87,15 @@ defmodule Domain.GatewaysTest do
 } do
 subject = Fixtures.Auth.remove_permissions(subject)
- assert fetch_group_by_id(Ecto.UUID.generate(), subject) ==
- {:error,
- {:unauthorized,
- reason: :missing_permissions,
- missing_permissions: [Gateways.Authorizer.manage_gateways_permission()]}}
+ assert {:error,
+ {:unauthorized,
+ reason: :missing_permissions, missing_permissions: [{:one_of, missing_permissions}]}} =
+ fetch_group_by_id(Ecto.UUID.generate(), subject)
+
+ assert Enum.sort(missing_permissions) == [
+ Gateways.Authorizer.connect_gateways_permission(),
+ Gateways.Authorizer.manage_gateways_permission()
+ ]
 end
 end
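Review bot: The updated test pins only the denial path; nothing in this hunk checks that a subject holding just `Gateways.Authorizer.connect_gateways_permission()` is now allowed to fetch a group, or that such a subject is still refused a group from another account. A positive case for the connect-only subject next to this one would catch the relaxed check regressing in either direction. The enclosing `describe` block starts outside the hunk, so such a case may already exist there.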