filter process models based on user permissions on the backend if specified w/ burnettk

This commit is contained in:
jasquat 2022-11-22 16:21:16 -05:00
parent ef9628d6a5
commit 5dbca5c349
13 changed files with 186 additions and 91 deletions

View File

@ -278,7 +278,13 @@ paths:
required: false
description: Get all sub process models recursively if true
schema:
type: string
type: boolean
- name: filter_runnable_by_user
in: query
required: false
description: Get only the process models that the user can run
schema:
type: boolean
- name: page
in: query
required: false

View File

@ -53,8 +53,8 @@ groups:
lead,
]
hr:
users: [manuchehr]
core-contributor:
users: [core]
permissions:
tasks-crud:
@ -62,26 +62,6 @@ permissions:
users: []
allowed_permissions: [create, read, update, delete]
uri: /v1.0/tasks/*
process-model-read-all:
groups: [everybody]
users: []
allowed_permissions: [read]
uri: /v1.0/process-models/*
process-group-read-all:
groups: [everybody]
users: []
allowed_permissions: [read]
uri: /v1.0/process-groups/*
process-instance-list:
groups: [everybody]
users: []
allowed_permissions: [read]
uri: /v1.0/process-instances
process-instance-report-list:
groups: [everybody]
users: []
allowed_permissions: [read]
uri: /v1.0/process-instances/reports
admin:
groups: [admin]
@ -90,7 +70,7 @@ permissions:
uri: /*
read-all:
groups: ["Finance Team", "Project Lead", hr, admin]
groups: ["Finance Team", "Project Lead", admin]
users: []
allowed_permissions: [read]
uri: /*
@ -156,3 +136,39 @@ permissions:
users: []
allowed_permissions: [create, read, update, delete]
uri: /v1.0/process-instances/manage-procurement:procurement:vendor-invoice-management/*
core-admin:
groups: ["core-contributor"]
users: []
allowed_permissions: [read]
uri: /v1.0/process-groups/manage-procurement:procurement:vendor-invoice-management:*
core-admin-slash:
groups: ["core-contributor"]
users: []
allowed_permissions: [read]
uri: /v1.0/process-groups/manage-procurement:procurement:vendor-invoice-management/*
core-admin-models:
groups: ["core-contributor"]
users: []
allowed_permissions: [read]
uri: /v1.0/process-models/manage-procurement:procurement:vendor-invoice-management:*
core-admin-models-slash:
groups: ["core-contributor"]
users: []
allowed_permissions: [read]
uri: /v1.0/process-models/manage-procurement:procurement:vendor-invoice-management/*
core-admin-models-instantiate:
groups: ["core-contributor"]
users: []
allowed_permissions: [create]
uri: /v1.0/process-models/manage-procurement:procurement:vendor-invoice-management:invoice-approval/process-instances
core-admin-instances:
groups: ["core-contributor"]
users: []
allowed_permissions: [create]
uri: /v1.0/process-instances/manage-procurement:procurement:vendor-invoice-management:*
core-admin-instances-slash:
groups: ["core-contributor"]
users: []
allowed_permissions: [create]
uri: /v1.0/process-instances/manage-procurement:procurement:vendor-invoice-management/*

View File

@ -53,8 +53,8 @@ groups:
lead,
]
hr:
users: [manuchehr]
core-contributor:
users: [core]
permissions:
tasks-crud:
@ -70,7 +70,7 @@ permissions:
uri: /*
read-all:
groups: ["Finance Team", "Project Lead", hr, admin]
groups: ["Finance Team", "Project Lead", admin]
users: []
allowed_permissions: [read]
uri: /*
@ -136,3 +136,39 @@ permissions:
users: []
allowed_permissions: [create, read, update, delete]
uri: /v1.0/process-instances/manage-procurement:procurement:vendor-invoice-management/*
core-admin:
groups: ["core-contributor"]
users: []
allowed_permissions: [read]
uri: /v1.0/process-groups/manage-procurement:procurement:vendor-invoice-management:*
core-admin-slash:
groups: ["core-contributor"]
users: []
allowed_permissions: [read]
uri: /v1.0/process-groups/manage-procurement:procurement:vendor-invoice-management/*
core-admin-models:
groups: ["core-contributor"]
users: []
allowed_permissions: [read]
uri: /v1.0/process-models/manage-procurement:procurement:vendor-invoice-management:*
core-admin-models-slash:
groups: ["core-contributor"]
users: []
allowed_permissions: [read]
uri: /v1.0/process-models/manage-procurement:procurement:vendor-invoice-management/*
core-admin-models-instantiate:
groups: ["core-contributor"]
users: []
allowed_permissions: [create]
uri: /v1.0/process-models/manage-procurement:procurement:vendor-invoice-management:invoice-approval/process-instances
core-admin-instances:
groups: ["core-contributor"]
users: []
allowed_permissions: [create]
uri: /v1.0/process-instances/manage-procurement:procurement:vendor-invoice-management:*
core-admin-instances-slash:
groups: ["core-contributor"]
users: []
allowed_permissions: [create]
uri: /v1.0/process-instances/manage-procurement:procurement:vendor-invoice-management/*

View File

@ -349,12 +349,15 @@ def process_model_move(
def process_model_list(
process_group_identifier: Optional[str] = None,
recursive: Optional[bool] = False,
filter_runnable_by_user: Optional[bool] = False,
page: int = 1,
per_page: int = 100,
) -> flask.wrappers.Response:
"""Process model list!"""
process_models = ProcessModelService().get_process_models(
process_group_id=process_group_identifier, recursive=recursive
process_group_id=process_group_identifier,
recursive=recursive,
filter_runnable_by_user=filter_runnable_by_user,
)
batch = ProcessModelService().get_batch(
process_models, page=page, per_page=per_page
@ -1319,7 +1322,7 @@ def task_submit(
task_id, process_instance, processor=processor
)
AuthorizationService.assert_user_can_complete_spiff_task(
processor, spiff_task, principal.user
process_instance.id, spiff_task, principal.user
)
if spiff_task.state != TaskState.READY:

View File

@ -24,9 +24,6 @@ from spiffworkflow_backend.models.user import UserModel
from spiffworkflow_backend.models.user import UserNotFoundError
from spiffworkflow_backend.models.user_group_assignment import UserGroupAssignmentModel
from spiffworkflow_backend.services.group_service import GroupService
from spiffworkflow_backend.services.process_instance_processor import (
ProcessInstanceProcessor,
)
from spiffworkflow_backend.services.user_service import UserService
@ -393,25 +390,25 @@ class AuthorizationService:
@staticmethod
def assert_user_can_complete_spiff_task(
processor: ProcessInstanceProcessor,
process_instance_id: int,
spiff_task: SpiffTask,
user: UserModel,
) -> bool:
"""Assert_user_can_complete_spiff_task."""
active_task = ActiveTaskModel.query.filter_by(
task_name=spiff_task.task_spec.name,
process_instance_id=processor.process_instance_model.id,
process_instance_id=process_instance_id,
).first()
if active_task is None:
raise ActiveTaskNotFoundError(
f"Could find an active task with task name '{spiff_task.task_spec.name}'"
f" for process instance '{processor.process_instance_model.id}'"
f" for process instance '{process_instance_id}'"
)
if user not in active_task.potential_owners:
raise UserDoesNotHaveAccessToTaskError(
f"User {user.username} does not have access to update task'{spiff_task.task_spec.name}'"
f" for process instance '{processor.process_instance_model.id}'"
f" for process instance '{process_instance_id}'"
)
return True

View File

@ -197,7 +197,7 @@ class ProcessInstanceService:
a multi-instance task.
"""
AuthorizationService.assert_user_can_complete_spiff_task(
processor, spiff_task, user
processor.process_instance_model.id, spiff_task, user
)
dot_dct = ProcessInstanceService.create_dot_dict(data)

View File

@ -18,7 +18,9 @@ from spiffworkflow_backend.models.process_group import ProcessGroupSchema
from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
from spiffworkflow_backend.models.process_model import ProcessModelInfo
from spiffworkflow_backend.models.process_model import ProcessModelInfoSchema
from spiffworkflow_backend.services.authorization_service import AuthorizationService
from spiffworkflow_backend.services.file_system_service import FileSystemService
from spiffworkflow_backend.services.user_service import UserService
T = TypeVar("T")
@ -179,7 +181,10 @@ class ProcessModelService(FileSystemService):
raise ProcessEntityNotFoundError("process_model_not_found")
def get_process_models(
self, process_group_id: Optional[str] = None, recursive: Optional[bool] = False
self,
process_group_id: Optional[str] = None,
recursive: Optional[bool] = False,
filter_runnable_by_user: Optional[bool] = False,
) -> List[ProcessModelInfo]:
"""Get process models."""
process_models = []
@ -201,6 +206,19 @@ class ProcessModelService(FileSystemService):
)
process_models.append(process_model)
process_models.sort()
if filter_runnable_by_user:
user = UserService.current_user()
new_process_model_list = []
for process_model in process_models:
uri = f"/v1.0/process-models/{process_model.id.replace('/', ':')}/process-instances"
result = AuthorizationService.user_has_permission(
user=user, permission="create", target_uri=uri
)
if result:
new_process_model_list.append(process_model)
return new_process_model_list
return process_models
def get_process_groups(

View File

@ -4,10 +4,16 @@ import {
Button,
// @ts-ignore
} from '@carbon/react';
import { ProcessModel, RecentProcessModel } from '../interfaces';
import { Can } from '@casl/react';
import {
PermissionsToCheck,
ProcessModel,
RecentProcessModel,
} from '../interfaces';
import HttpService from '../services/HttpService';
import ErrorContext from '../contexts/ErrorContext';
import { modifyProcessIdentifierForPathParam } from '../helpers';
import { usePermissionFetcher } from '../hooks/PermissionService';
const storeRecentProcessModelInLocalStorage = (
processModelForStorage: ProcessModel
@ -75,6 +81,12 @@ export default function ProcessInstanceRun({
processModel.id
);
const processInstanceActionPath = `/v1.0/process-models/${modifiedProcessModelId}/process-instances`;
const permissionRequestData: PermissionsToCheck = {
[processInstanceActionPath]: ['POST'],
};
const { ability } = usePermissionFetcher(permissionRequestData);
const onProcessInstanceRun = (processInstance: any) => {
// FIXME: ensure that the task is actually for the current user as well
const processInstanceId = (processInstance as any).id;
@ -98,15 +110,17 @@ export default function ProcessInstanceRun({
const processInstanceCreateAndRun = () => {
HttpService.makeCallToBackend({
path: `/process-models/${modifiedProcessModelId}/process-instances`,
path: processInstanceActionPath,
successCallback: processModelRun,
httpMethod: 'POST',
});
};
return (
<Button onClick={processInstanceCreateAndRun} className={className}>
Run
</Button>
<Can I="POST" a={processInstanceActionPath} ability={ability}>
<Button onClick={processInstanceCreateAndRun} className={className}>
Run
</Button>
</Can>
);
}

View File

@ -33,11 +33,11 @@ export default function ProcessModelListTiles({
setProcessModels(result.results);
};
// only allow 10 for now until we get the backend only returning certain models for user execution
let queryParams = '?per_page=1000';
let queryParams = '?per_page=20';
if (processGroup) {
queryParams = `${queryParams}&process_group_identifier=${processGroup.id}`;
} else {
queryParams = `${queryParams}&recursive=true`;
queryParams = `${queryParams}&recursive=true&filter_runnable_by_user=true`;
}
HttpService.makeCallToBackend({
path: `/process-models${queryParams}`,

View File

@ -256,3 +256,7 @@ in on this with the react-jsonschema-form repo. This is just a patch fix to allo
.clear-left {
clear: left;
}
td.actions-cell {
width: 1em;
}

View File

@ -18,7 +18,7 @@ import {
import ProcessInstanceRun from '../components/ProcessInstanceRun';
const PER_PAGE_FOR_TASKS_ON_HOME_PAGE = 5;
const REFRESH_INTERVAL = 10;
const REFRESH_INTERVAL = 5;
const REFRESH_TIMEOUT = 600;
export default function MyTasks() {
@ -158,7 +158,7 @@ export default function MyTasks() {
{row.processModelDisplayName}
</Link>
</td>
<td>
<td className="actions-cell">
<ProcessInstanceRun
processModel={processModel}
onSuccessCallback={setProcessInstance}

View File

@ -1,6 +1,6 @@
import { useEffect, useState } from 'react';
import {
Link,
// Link,
useSearchParams,
useParams,
useNavigate,
@ -11,10 +11,9 @@ import {
// @ts-ignore
} from '@carbon/icons-react';
// @ts-ignore
import { Button, Table, Stack } from '@carbon/react';
import { Button, Stack } from '@carbon/react';
import { Can } from '@casl/react';
import ProcessBreadcrumb from '../components/ProcessBreadcrumb';
import PaginationForTable from '../components/PaginationForTable';
import HttpService from '../services/HttpService';
import {
getPageInfoFromSearchParams,
@ -25,7 +24,7 @@ import {
PaginationObject,
PermissionsToCheck,
ProcessGroup,
ProcessModel,
// ProcessModel,
} from '../interfaces';
import { useUriListForPermissions } from '../hooks/UriListForPermissions';
import { usePermissionFetcher } from '../hooks/PermissionService';
@ -39,7 +38,7 @@ export default function ProcessGroupShow() {
const navigate = useNavigate();
const [processGroup, setProcessGroup] = useState<ProcessGroup | null>(null);
const [processModels, setProcessModels] = useState([]);
// const [processModels, setProcessModels] = useState([]);
const [modelPagination, setModelPagination] =
useState<PaginationObject | null>(null);
@ -55,7 +54,7 @@ export default function ProcessGroupShow() {
const { page, perPage } = getPageInfoFromSearchParams(searchParams);
const setProcessModelFromResult = (result: any) => {
setProcessModels(result.results);
// setProcessModels(result.results);
setModelPagination(result.pagination);
};
const processResult = (result: any) => {
@ -74,42 +73,42 @@ export default function ProcessGroupShow() {
});
}, [params, searchParams]);
const buildModelTable = () => {
if (processGroup === null) {
return null;
}
const rows = processModels.map((row: ProcessModel) => {
const modifiedProcessModelId: String =
modifyProcessIdentifierForPathParam((row as any).id);
return (
<tr key={row.id}>
<td>
<Link
to={`/admin/process-models/${modifiedProcessModelId}`}
data-qa="process-model-show-link"
>
{row.id}
</Link>
</td>
<td>{row.display_name}</td>
</tr>
);
});
return (
<div>
<h2>Process Models</h2>
<Table striped bordered>
<thead>
<tr>
<th>Process Model Id</th>
<th>Display Name</th>
</tr>
</thead>
<tbody>{rows}</tbody>
</Table>
</div>
);
};
// const buildModelTable = () => {
// if (processGroup === null) {
// return null;
// }
// const rows = processModels.map((row: ProcessModel) => {
// const modifiedProcessModelId: String =
// modifyProcessIdentifierForPathParam((row as any).id);
// return (
// <tr key={row.id}>
// <td>
// <Link
// to={`/admin/process-models/${modifiedProcessModelId}`}
// data-qa="process-model-show-link"
// >
// {row.id}
// </Link>
// </td>
// <td>{row.display_name}</td>
// </tr>
// );
// });
// return (
// <div>
// <h2>Process Models</h2>
// <Table striped bordered>
// <thead>
// <tr>
// <th>Process Model Id</th>
// <th>Display Name</th>
// </tr>
// </thead>
// <tbody>{rows}</tbody>
// </Table>
// </div>
// );
// };
const navigateToProcessGroups = (_result: any) => {
navigate(`/admin/process-groups`);
@ -128,7 +127,7 @@ export default function ProcessGroupShow() {
};
if (processGroup && modelPagination) {
const { page, perPage } = getPageInfoFromSearchParams(searchParams);
// const { page, perPage } = getPageInfoFromSearchParams(searchParams);
const modifiedProcessGroupId = modifyProcessIdentifierForPathParam(
processGroup.id
);

View File

@ -66,9 +66,11 @@ backendCallProps) => {
method: httpMethod,
});
const updatedPath = path.replace(/^\/v1\.0/, '');
let isSuccessful = true;
let is403 = false;
fetch(`${BACKEND_BASE_URL}${path}`, httpArgs)
fetch(`${BACKEND_BASE_URL}${updatedPath}`, httpArgs)
.then((response) => {
if (response.status === 401) {
UserService.doLogin();