[8.11] Fix custom branding for users without "Saved Object Management" privilege (#171308) (#171530)

# Backport

This will backport the following commits from `main` to `8.11`:
- [Fix custom branding for users without "Saved Object Management"
privilege (#171308)](https://github.com/elastic/kibana/pull/171308)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Anton
Dosov","email":"anton.dosov@elastic.co"},"sourceCommit":{"committedDate":"2023-11-20T12:36:21Z","message":"Fix
custom branding for users without \"Saved Object Management\" privilege
(#171308)\n\n## Summary\r\n\r\nfix
https://github.com/elastic/kibana/issues/163842\r\n\r\nCurrently, Saved
Objects Management Kibana privilege ( either read or\r\nall) is needed
in order for a user to see custom branding. Without it,\r\nusers with
custom roles see the default branding after logging in.\r\n\r\nCustom
branding is stored in the new \"global\" advanced
settings\r\n(\"config-global\" saved object). Only users with Saved
Objects Management\r\nprivilege had access to it. This PR adds
\"config-global\" to the list of\r\nautomatically applied privileges
similar to
\"config\".","sha":"385fe054ffc3c7c85d0a887ff106aae6b1ec6d75","branchLabelMapping":{"^v8.12.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:SharedUX","backport:prev-minor","v8.12.0"],"number":171308,"url":"https://github.com/elastic/kibana/pull/171308","mergeCommit":{"message":"Fix
custom branding for users without \"Saved Object Management\" privilege
(#171308)\n\n## Summary\r\n\r\nfix
https://github.com/elastic/kibana/issues/163842\r\n\r\nCurrently, Saved
Objects Management Kibana privilege ( either read or\r\nall) is needed
in order for a user to see custom branding. Without it,\r\nusers with
custom roles see the default branding after logging in.\r\n\r\nCustom
branding is stored in the new \"global\" advanced
settings\r\n(\"config-global\" saved object). Only users with Saved
Objects Management\r\nprivilege had access to it. This PR adds
\"config-global\" to the list of\r\nautomatically applied privileges
similar to
\"config\".","sha":"385fe054ffc3c7c85d0a887ff106aae6b1ec6d75"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v8.12.0","labelRegex":"^v8.12.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/171308","number":171308,"mergeCommit":{"message":"Fix
custom branding for users without \"Saved Object Management\" privilege
(#171308)\n\n## Summary\r\n\r\nfix
https://github.com/elastic/kibana/issues/163842\r\n\r\nCurrently, Saved
Objects Management Kibana privilege ( either read or\r\nall) is needed
in order for a user to see custom branding. Without it,\r\nusers with
custom roles see the default branding after logging in.\r\n\r\nCustom
branding is stored in the new \"global\" advanced
settings\r\n(\"config-global\" saved object). Only users with Saved
Objects Management\r\nprivilege had access to it. This PR adds
\"config-global\" to the list of\r\nautomatically applied privileges
similar to
\"config\".","sha":"385fe054ffc3c7c85d0a887ff106aae6b1ec6d75"}}]}]
BACKPORT-->

Co-authored-by: Anton Dosov <anton.dosov@elastic.co>

x-pack/plugins/features/server/feature_registry.test.ts

@@ -52,7 +52,7 @@ describe('FeatureRegistry', () => {
             app: ['app1'],
             savedObject: {
               all: ['space', 'etc', 'telemetry'],
-              read: ['canvas', 'config', 'url'],
+              read: ['canvas', 'config', 'config-global', 'url'],
             },
             api: ['someApiEndpointTag', 'anotherEndpointTag'],
             ui: ['allowsFoo', 'showBar', 'showBaz'],
@@ -60,7 +60,7 @@ describe('FeatureRegistry', () => {
           read: {
             savedObject: {
               all: [],
-              read: ['config', 'url', 'telemetry'],
+              read: ['config', 'config-global', 'url', 'telemetry'],
             },
             ui: [],
           },
@@ -125,7 +125,7 @@ describe('FeatureRegistry', () => {
                 app: ['app1'],
                 savedObject: {
                   all: ['space', 'etc', 'telemetry'],
-                  read: ['canvas', 'config', 'url'],
+                  read: ['canvas', 'config', 'config-global', 'url'],
                 },
                 api: ['someApiEndpointTag', 'anotherEndpointTag'],
                 ui: ['allowsFoo', 'showBar', 'showBaz'],
@@ -290,7 +290,7 @@ describe('FeatureRegistry', () => {
       expect(allPrivilege?.savedObject.all).toEqual(['telemetry']);
     });
 
-    it(`automatically grants access to config, url, and telemetry saved objects`, () => {
+    it(`automatically grants access to config, config-global, url, and telemetry saved objects`, () => {
       const feature: KibanaFeatureConfig = {
         id: 'test-feature',
         name: 'Test Feature',
@@ -324,11 +324,16 @@ describe('FeatureRegistry', () => {
 
       const allPrivilege = result[0].privileges?.all;
       const readPrivilege = result[0].privileges?.read;
-      expect(allPrivilege?.savedObject.read).toEqual(['config', 'url']);
-      expect(readPrivilege?.savedObject.read).toEqual(['config', 'telemetry', 'url']);
+      expect(allPrivilege?.savedObject.read).toEqual(['config', 'config-global', 'url']);
+      expect(readPrivilege?.savedObject.read).toEqual([
+        'config',
+        'config-global',
+        'telemetry',
+        'url',
+      ]);
     });
 
-    it(`automatically grants 'all' access to telemetry and 'read' to [config, url] saved objects for the reserved privilege`, () => {
+    it(`automatically grants 'all' access to telemetry and 'read' to [config, config-global, url] saved objects for the reserved privilege`, () => {
       const feature: KibanaFeatureConfig = {
         id: 'test-feature',
         name: 'Test Feature',
@@ -359,7 +364,7 @@ describe('FeatureRegistry', () => {
 
       const reservedPrivilege = result[0]!.reserved!.privileges[0].privilege;
       expect(reservedPrivilege.savedObject.all).toEqual(['telemetry']);
-      expect(reservedPrivilege.savedObject.read).toEqual(['config', 'url']);
+      expect(reservedPrivilege.savedObject.read).toEqual(['config', 'config-global', 'url']);
     });
 
     it(`does not duplicate the automatic grants if specified on the incoming feature`, () => {
@@ -373,14 +378,14 @@ describe('FeatureRegistry', () => {
             ui: [],
             savedObject: {
               all: ['telemetry'],
-              read: ['config', 'url'],
+              read: ['config', 'config-global', 'url'],
             },
           },
           read: {
             ui: [],
             savedObject: {
               all: [],
-              read: ['config', 'url'],
+              read: ['config', 'config-global', 'url'],
             },
           },
         },
@@ -397,8 +402,13 @@ describe('FeatureRegistry', () => {
       const allPrivilege = result[0].privileges!.all;
       const readPrivilege = result[0].privileges!.read;
       expect(allPrivilege?.savedObject.all).toEqual(['telemetry']);
-      expect(allPrivilege?.savedObject.read).toEqual(['config', 'url']);
-      expect(readPrivilege?.savedObject.read).toEqual(['config', 'url', 'telemetry']);
+      expect(allPrivilege?.savedObject.read).toEqual(['config', 'config-global', 'url']);
+      expect(readPrivilege?.savedObject.read).toEqual([
+        'config',
+        'config-global',
+        'url',
+        'telemetry',
+      ]);
     });
 
     it(`does not allow duplicate features to be registered`, () => {
@@ -484,7 +494,7 @@ describe('FeatureRegistry', () => {
             name: 'Foo',
             app: ['app1', 'app2'],
             savedObject: {
-              all: ['config', 'space', 'etc'],
+              all: ['config', 'config-global', 'space', 'etc'],
               read: ['canvas'],
             },
             api: ['someApiEndpointTag', 'anotherEndpointTag'],

x-pack/plugins/features/server/feature_registry.ts

@@ -118,7 +118,12 @@ function applyAutomaticAllPrivilegeGrants(
   allPrivileges.forEach((allPrivilege) => {
     if (allPrivilege) {
       allPrivilege.savedObject.all = uniq([...allPrivilege.savedObject.all, 'telemetry']);
-      allPrivilege.savedObject.read = uniq([...allPrivilege.savedObject.read, 'config', 'url']);
+      allPrivilege.savedObject.read = uniq([
+        ...allPrivilege.savedObject.read,
+        'config',
+        'config-global',
+        'url',
+      ]);
     }
   });
 }
@@ -131,6 +136,7 @@ function applyAutomaticReadPrivilegeGrants(
       readPrivilege.savedObject.read = uniq([
         ...readPrivilege.savedObject.read,
         'config',
+        'config-global',
         'telemetry',
         'url',
       ]);