updated permission macros to give admins access to task-data and proc… (#314)

* updated permission macros to give admins access to task-data and process-data w/ burnettk * do not check for write to process-models if diagram is readonly anyway w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com>
2023-06-08 11:39:14 -04:00 · 2023-06-08 11:39:14 -04:00 · 4b2970170c
parent ab5fa70e41
commit 4b2970170c
4 changed files with 22 additions and 5 deletions
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
@ -77,6 +77,7 @@ PATH_SEGMENTS_FOR_PERMISSION_ALL = [
    {"path": "/process-instance-terminate", "relevant_permissions": ["create"]},
    {"path": "/process-model-natural-language", "relevant_permissions": ["create"]},
    {"path": "/process-model-publish", "relevant_permissions": ["create"]},
+    {"path": "/process-model-tests", "relevant_permissions": ["create"]},
    {"path": "/task-data", "relevant_permissions": ["read", "update"]},
 ]

@ -534,6 +535,9 @@ class AuthorizationService:

        # read comes from PG and PM permissions
        permissions_to_assign.append(PermissionToAssign(permission="update", target_uri="/task-data/*"))
+        permissions_to_assign.append(PermissionToAssign(permission="read", target_uri="/task-data/*"))
+        permissions_to_assign.append(PermissionToAssign(permission="read", target_uri="/process-data/*"))
+        permissions_to_assign.append(PermissionToAssign(permission="read", target_uri="/process-data-file-download/*"))

        for permission in ["create", "read", "update", "delete"]:
            permissions_to_assign.append(PermissionToAssign(permission=permission, target_uri="/process-instances/*"))
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_authorization_service.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_authorization_service.py
@ -131,6 +131,7 @@ class TestAuthorizationService(BaseTest):
                ("/process-instances/some-process-group:some-process-model:*", "read"),
                ("/process-model-natural-language/some-process-group:some-process-model:*", "create"),
                ("/process-model-publish/some-process-group:some-process-model:*", "create"),
+                ("/process-model-tests/some-process-group:some-process-model:*", "create"),
                ("/process-models/some-process-group:some-process-model:*", "create"),
                ("/process-models/some-process-group:some-process-model:*", "delete"),
                ("/process-models/some-process-group:some-process-model:*", "read"),
@ -214,6 +215,7 @@ class TestAuthorizationService(BaseTest):
                ("/process-instances/some-process-group:some-process-model/*", "read"),
                ("/process-model-natural-language/some-process-group:some-process-model/*", "create"),
                ("/process-model-publish/some-process-group:some-process-model/*", "create"),
+                ("/process-model-tests/some-process-group:some-process-model/*", "create"),
                ("/process-models/some-process-group:some-process-model/*", "create"),
                ("/process-models/some-process-group:some-process-model/*", "delete"),
                ("/process-models/some-process-group:some-process-model/*", "read"),
@ -311,6 +313,8 @@ class TestAuthorizationService(BaseTest):
                ("/debug/*", "create"),
                ("/messages", "read"),
                ("/messages/*", "create"),
+                ("/process-data-file-download/*", "read"),
+                ("/process-data/*", "read"),
                ("/process-instance-reset/*", "create"),
                ("/process-instance-resume/*", "create"),
                ("/process-instance-suspend/*", "create"),
@ -326,6 +330,7 @@ class TestAuthorizationService(BaseTest):
                ("/send-event/*", "create"),
                ("/task-complete/*", "create"),
                ("/task-data/*", "update"),
+                ("/task-data/*", "read"),
            ]
        )
        permissions_to_assign = AuthorizationService.explode_permissions("all", "ELEVATED")
--- a/spiffworkflow-frontend/src/components/ReactDiagramEditor.tsx
+++ b/spiffworkflow-frontend/src/components/ReactDiagramEditor.tsx
@ -124,10 +124,18 @@ export default function ReactDiagramEditor({
  const alreadyImportedXmlRef = useRef(false);

  const { targetUris } = useUriListForPermissions();
-  const permissionRequestData: PermissionsToCheck = {
-    [targetUris.processModelShowPath]: ['PUT'],
-    [targetUris.processModelFileShowPath]: ['POST', 'GET', 'PUT', 'DELETE'],
-  };
+  const permissionRequestData: PermissionsToCheck = {};
+
+  if (diagramType !== 'readonly') {
+    permissionRequestData[targetUris.processModelShowPath] = ['PUT'];
+    permissionRequestData[targetUris.processModelFileShowPath] = [
+      'POST',
+      'GET',
+      'PUT',
+      'DELETE',
+    ];
+  }
+
  const { ability } = usePermissionFetcher(permissionRequestData);
  const navigate = useNavigate();

--- a/spiffworkflow-frontend/src/hooks/UriListForPermissions.tsx
+++ b/spiffworkflow-frontend/src/hooks/UriListForPermissions.tsx
@ -10,7 +10,7 @@ export const useUriListForPermissions = () => {
      processGroupListPath: '/v1.0/process-groups',
      processGroupShowPath: `/v1.0/process-groups/${params.process_group_id}`,
      processInstanceActionPath: `/v1.0/process-instances/${params.process_model_id}/${params.process_instance_id}`,
-      processInstanceCompleteTaskPath: `/v1.0/complete-task/${params.process_model_id}/${params.process_instance_id}`,
+      processInstanceCompleteTaskPath: `/v1.0/task-complete/${params.process_model_id}/${params.process_instance_id}`,
      processInstanceCreatePath: `/v1.0/process-instances/${params.process_model_id}`,
      processInstanceErrorEventDetails: `/v1.0/event-error-details/${params.process_model_id}/${params.process_instance_id}`,
      processInstanceListPath: '/v1.0/process-instances',