Remove duplicate privileges_group_mapping method that produces slig…

…htly different results

src/middlewared/middlewared/plugins/account.py

@@ -23,7 +23,7 @@
 from middlewared.utils.filesystem.copy import copytree, CopyTreeConfig
 from middlewared.utils.nss import pwd, grp
 from middlewared.utils.nss.nss_common import NssModule
-from middlewared.utils.privilege import credential_has_full_admin, privileges_group_mapping
+from middlewared.utils.privilege import credential_has_full_admin
 from middlewared.async_validators import check_path_resides_within_volume
 from middlewared.utils.sid import db_id_to_rid, DomainRid
 from middlewared.plugins.account_.constants import (
@@ -1612,11 +1612,13 @@ async def group_extend(self, group, ctx):
         group['name'] = group['group']
         group['users'] = ctx['memberships'].get(group['id'], [])
 
-        privilege_mappings = privileges_group_mapping(ctx['privileges'], [group['gid']], 'local_groups')
+        privilege_mappings = await self.middleware.call(
+            'privilege.compose_privilege_for_groups', 'local_groups', {group['gid']}, ctx['privileges'],
+        )
         if privilege_mappings['allowlist']:
-            privilege_mappings['roles'].append('HAS_ALLOW_LIST')
+            privilege_mappings['roles'].add('HAS_ALLOW_LIST')
             if {'method': '*', 'resource': '*'} in privilege_mappings['allowlist']:
-                privilege_mappings['roles'].append('FULL_ADMIN')
+                privilege_mappings['roles'].add('FULL_ADMIN')
 
         match group['group']:
             case 'builtin_administrators':

src/middlewared/middlewared/plugins/account_/privilege.py

@@ -10,7 +10,6 @@
 from middlewared.utils.privilege import (
     LocalAdminGroups,
     privilege_has_webui_access,
-    privileges_group_mapping
 )
 import middlewared.sqlalchemy as sa
 
@@ -349,14 +348,14 @@ async def privileges_for_groups(self, groups_key, group_ids):
         else:
             group_ids = set(group_ids)
 
-        privileges = await self.middleware.call('datastore.query', 'account.privilege')
-        return privileges_group_mapping(privileges, group_ids, groups_key)['privileges']
+        return (await self.compose_privilege_for_groups(groups_key, group_ids))['privileges']
 
     @private
     async def compose_privilege(self, privileges):
         compose = {
             'roles': set(),
             'allowlist': [],
+            'privileges': privileges,
             'web_shell': False,
             'webui_access': False,
         }
@@ -378,6 +377,17 @@ async def compose_privilege(self, privileges):
 
         return compose
 
+    @private
+    async def compose_privilege_for_groups(self, groups_key, group_ids, privileges=None):
+        if privileges is None:
+            privileges = await self.middleware.call('datastore.query', 'account.privilege')
+
+        return await self.compose_privilege([
+            privilege
+            for privilege in privileges
+            if set(privilege[groups_key]) & group_ids
+        ])
+
     @private
     async def full_privilege(self):
         return {

src/middlewared/middlewared/utils/privilege.py

@@ -72,29 +72,6 @@ def app_credential_full_admin_or_user(
     return credential_full_admin_or_user(app.authenticated_credentials, username)
 
 
-def privileges_group_mapping(
-    privileges: list,
-    group_ids: list,
-    groups_key: str,
-) -> dict:
-    allowlist = []
-    roles = set()
-    privileges_out = []
-
-    group_ids = set(group_ids)
-    for privilege in privileges:
-        if set(privilege[groups_key]) & group_ids:
-            allowlist.extend(privilege['allowlist'])
-            roles |= set(privilege['roles'])
-            privileges_out.append(privilege)
-
-    return {
-        'allowlist': allowlist,
-        'roles': list(roles),
-        'privileges': privileges_out
-    }
-
-
 def credential_is_limited_to_own_jobs(credential: object | None) -> bool:
     if credential is None or not credential.is_user_session:
         return False