filter process models based on user permissions on the backend if specified w/ burnettk
This commit is contained in:
parent
ef9628d6a5
commit
5dbca5c349
|
@ -278,7 +278,13 @@ paths:
|
|||
required: false
|
||||
description: Get all sub process models recursively if true
|
||||
schema:
|
||||
type: string
|
||||
type: boolean
|
||||
- name: filter_runnable_by_user
|
||||
in: query
|
||||
required: false
|
||||
description: Get only the process models that the user can run
|
||||
schema:
|
||||
type: boolean
|
||||
- name: page
|
||||
in: query
|
||||
required: false
|
||||
|
|
|
@ -53,8 +53,8 @@ groups:
|
|||
lead,
|
||||
]
|
||||
|
||||
hr:
|
||||
users: [manuchehr]
|
||||
core-contributor:
|
||||
users: [core]
|
||||
|
||||
permissions:
|
||||
tasks-crud:
|
||||
|
@ -62,26 +62,6 @@ permissions:
|
|||
users: []
|
||||
allowed_permissions: [create, read, update, delete]
|
||||
uri: /v1.0/tasks/*
|
||||
process-model-read-all:
|
||||
groups: [everybody]
|
||||
users: []
|
||||
allowed_permissions: [read]
|
||||
uri: /v1.0/process-models/*
|
||||
process-group-read-all:
|
||||
groups: [everybody]
|
||||
users: []
|
||||
allowed_permissions: [read]
|
||||
uri: /v1.0/process-groups/*
|
||||
process-instance-list:
|
||||
groups: [everybody]
|
||||
users: []
|
||||
allowed_permissions: [read]
|
||||
uri: /v1.0/process-instances
|
||||
process-instance-report-list:
|
||||
groups: [everybody]
|
||||
users: []
|
||||
allowed_permissions: [read]
|
||||
uri: /v1.0/process-instances/reports
|
||||
|
||||
admin:
|
||||
groups: [admin]
|
||||
|
@ -90,7 +70,7 @@ permissions:
|
|||
uri: /*
|
||||
|
||||
read-all:
|
||||
groups: ["Finance Team", "Project Lead", hr, admin]
|
||||
groups: ["Finance Team", "Project Lead", admin]
|
||||
users: []
|
||||
allowed_permissions: [read]
|
||||
uri: /*
|
||||
|
@ -156,3 +136,39 @@ permissions:
|
|||
users: []
|
||||
allowed_permissions: [create, read, update, delete]
|
||||
uri: /v1.0/process-instances/manage-procurement:procurement:vendor-invoice-management/*
|
||||
|
||||
core-admin:
|
||||
groups: ["core-contributor"]
|
||||
users: []
|
||||
allowed_permissions: [read]
|
||||
uri: /v1.0/process-groups/manage-procurement:procurement:vendor-invoice-management:*
|
||||
core-admin-slash:
|
||||
groups: ["core-contributor"]
|
||||
users: []
|
||||
allowed_permissions: [read]
|
||||
uri: /v1.0/process-groups/manage-procurement:procurement:vendor-invoice-management/*
|
||||
core-admin-models:
|
||||
groups: ["core-contributor"]
|
||||
users: []
|
||||
allowed_permissions: [read]
|
||||
uri: /v1.0/process-models/manage-procurement:procurement:vendor-invoice-management:*
|
||||
core-admin-models-slash:
|
||||
groups: ["core-contributor"]
|
||||
users: []
|
||||
allowed_permissions: [read]
|
||||
uri: /v1.0/process-models/manage-procurement:procurement:vendor-invoice-management/*
|
||||
core-admin-models-instantiate:
|
||||
groups: ["core-contributor"]
|
||||
users: []
|
||||
allowed_permissions: [create]
|
||||
uri: /v1.0/process-models/manage-procurement:procurement:vendor-invoice-management:invoice-approval/process-instances
|
||||
core-admin-instances:
|
||||
groups: ["core-contributor"]
|
||||
users: []
|
||||
allowed_permissions: [create]
|
||||
uri: /v1.0/process-instances/manage-procurement:procurement:vendor-invoice-management:*
|
||||
core-admin-instances-slash:
|
||||
groups: ["core-contributor"]
|
||||
users: []
|
||||
allowed_permissions: [create]
|
||||
uri: /v1.0/process-instances/manage-procurement:procurement:vendor-invoice-management/*
|
||||
|
|
|
@ -53,8 +53,8 @@ groups:
|
|||
lead,
|
||||
]
|
||||
|
||||
hr:
|
||||
users: [manuchehr]
|
||||
core-contributor:
|
||||
users: [core]
|
||||
|
||||
permissions:
|
||||
tasks-crud:
|
||||
|
@ -70,7 +70,7 @@ permissions:
|
|||
uri: /*
|
||||
|
||||
read-all:
|
||||
groups: ["Finance Team", "Project Lead", hr, admin]
|
||||
groups: ["Finance Team", "Project Lead", admin]
|
||||
users: []
|
||||
allowed_permissions: [read]
|
||||
uri: /*
|
||||
|
@ -136,3 +136,39 @@ permissions:
|
|||
users: []
|
||||
allowed_permissions: [create, read, update, delete]
|
||||
uri: /v1.0/process-instances/manage-procurement:procurement:vendor-invoice-management/*
|
||||
|
||||
core-admin:
|
||||
groups: ["core-contributor"]
|
||||
users: []
|
||||
allowed_permissions: [read]
|
||||
uri: /v1.0/process-groups/manage-procurement:procurement:vendor-invoice-management:*
|
||||
core-admin-slash:
|
||||
groups: ["core-contributor"]
|
||||
users: []
|
||||
allowed_permissions: [read]
|
||||
uri: /v1.0/process-groups/manage-procurement:procurement:vendor-invoice-management/*
|
||||
core-admin-models:
|
||||
groups: ["core-contributor"]
|
||||
users: []
|
||||
allowed_permissions: [read]
|
||||
uri: /v1.0/process-models/manage-procurement:procurement:vendor-invoice-management:*
|
||||
core-admin-models-slash:
|
||||
groups: ["core-contributor"]
|
||||
users: []
|
||||
allowed_permissions: [read]
|
||||
uri: /v1.0/process-models/manage-procurement:procurement:vendor-invoice-management/*
|
||||
core-admin-models-instantiate:
|
||||
groups: ["core-contributor"]
|
||||
users: []
|
||||
allowed_permissions: [create]
|
||||
uri: /v1.0/process-models/manage-procurement:procurement:vendor-invoice-management:invoice-approval/process-instances
|
||||
core-admin-instances:
|
||||
groups: ["core-contributor"]
|
||||
users: []
|
||||
allowed_permissions: [create]
|
||||
uri: /v1.0/process-instances/manage-procurement:procurement:vendor-invoice-management:*
|
||||
core-admin-instances-slash:
|
||||
groups: ["core-contributor"]
|
||||
users: []
|
||||
allowed_permissions: [create]
|
||||
uri: /v1.0/process-instances/manage-procurement:procurement:vendor-invoice-management/*
|
||||
|
|
|
@ -349,12 +349,15 @@ def process_model_move(
|
|||
def process_model_list(
|
||||
process_group_identifier: Optional[str] = None,
|
||||
recursive: Optional[bool] = False,
|
||||
filter_runnable_by_user: Optional[bool] = False,
|
||||
page: int = 1,
|
||||
per_page: int = 100,
|
||||
) -> flask.wrappers.Response:
|
||||
"""Process model list!"""
|
||||
process_models = ProcessModelService().get_process_models(
|
||||
process_group_id=process_group_identifier, recursive=recursive
|
||||
process_group_id=process_group_identifier,
|
||||
recursive=recursive,
|
||||
filter_runnable_by_user=filter_runnable_by_user,
|
||||
)
|
||||
batch = ProcessModelService().get_batch(
|
||||
process_models, page=page, per_page=per_page
|
||||
|
@ -1319,7 +1322,7 @@ def task_submit(
|
|||
task_id, process_instance, processor=processor
|
||||
)
|
||||
AuthorizationService.assert_user_can_complete_spiff_task(
|
||||
processor, spiff_task, principal.user
|
||||
process_instance.id, spiff_task, principal.user
|
||||
)
|
||||
|
||||
if spiff_task.state != TaskState.READY:
|
||||
|
|
|
@ -24,9 +24,6 @@ from spiffworkflow_backend.models.user import UserModel
|
|||
from spiffworkflow_backend.models.user import UserNotFoundError
|
||||
from spiffworkflow_backend.models.user_group_assignment import UserGroupAssignmentModel
|
||||
from spiffworkflow_backend.services.group_service import GroupService
|
||||
from spiffworkflow_backend.services.process_instance_processor import (
|
||||
ProcessInstanceProcessor,
|
||||
)
|
||||
from spiffworkflow_backend.services.user_service import UserService
|
||||
|
||||
|
||||
|
@ -393,25 +390,25 @@ class AuthorizationService:
|
|||
|
||||
@staticmethod
|
||||
def assert_user_can_complete_spiff_task(
|
||||
processor: ProcessInstanceProcessor,
|
||||
process_instance_id: int,
|
||||
spiff_task: SpiffTask,
|
||||
user: UserModel,
|
||||
) -> bool:
|
||||
"""Assert_user_can_complete_spiff_task."""
|
||||
active_task = ActiveTaskModel.query.filter_by(
|
||||
task_name=spiff_task.task_spec.name,
|
||||
process_instance_id=processor.process_instance_model.id,
|
||||
process_instance_id=process_instance_id,
|
||||
).first()
|
||||
if active_task is None:
|
||||
raise ActiveTaskNotFoundError(
|
||||
f"Could find an active task with task name '{spiff_task.task_spec.name}'"
|
||||
f" for process instance '{processor.process_instance_model.id}'"
|
||||
f" for process instance '{process_instance_id}'"
|
||||
)
|
||||
|
||||
if user not in active_task.potential_owners:
|
||||
raise UserDoesNotHaveAccessToTaskError(
|
||||
f"User {user.username} does not have access to update task'{spiff_task.task_spec.name}'"
|
||||
f" for process instance '{processor.process_instance_model.id}'"
|
||||
f" for process instance '{process_instance_id}'"
|
||||
)
|
||||
return True
|
||||
|
||||
|
|
|
@ -197,7 +197,7 @@ class ProcessInstanceService:
|
|||
a multi-instance task.
|
||||
"""
|
||||
AuthorizationService.assert_user_can_complete_spiff_task(
|
||||
processor, spiff_task, user
|
||||
processor.process_instance_model.id, spiff_task, user
|
||||
)
|
||||
|
||||
dot_dct = ProcessInstanceService.create_dot_dict(data)
|
||||
|
|
|
@ -18,7 +18,9 @@ from spiffworkflow_backend.models.process_group import ProcessGroupSchema
|
|||
from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
|
||||
from spiffworkflow_backend.models.process_model import ProcessModelInfo
|
||||
from spiffworkflow_backend.models.process_model import ProcessModelInfoSchema
|
||||
from spiffworkflow_backend.services.authorization_service import AuthorizationService
|
||||
from spiffworkflow_backend.services.file_system_service import FileSystemService
|
||||
from spiffworkflow_backend.services.user_service import UserService
|
||||
|
||||
T = TypeVar("T")
|
||||
|
||||
|
@ -179,7 +181,10 @@ class ProcessModelService(FileSystemService):
|
|||
raise ProcessEntityNotFoundError("process_model_not_found")
|
||||
|
||||
def get_process_models(
|
||||
self, process_group_id: Optional[str] = None, recursive: Optional[bool] = False
|
||||
self,
|
||||
process_group_id: Optional[str] = None,
|
||||
recursive: Optional[bool] = False,
|
||||
filter_runnable_by_user: Optional[bool] = False,
|
||||
) -> List[ProcessModelInfo]:
|
||||
"""Get process models."""
|
||||
process_models = []
|
||||
|
@ -201,6 +206,19 @@ class ProcessModelService(FileSystemService):
|
|||
)
|
||||
process_models.append(process_model)
|
||||
process_models.sort()
|
||||
|
||||
if filter_runnable_by_user:
|
||||
user = UserService.current_user()
|
||||
new_process_model_list = []
|
||||
for process_model in process_models:
|
||||
uri = f"/v1.0/process-models/{process_model.id.replace('/', ':')}/process-instances"
|
||||
result = AuthorizationService.user_has_permission(
|
||||
user=user, permission="create", target_uri=uri
|
||||
)
|
||||
if result:
|
||||
new_process_model_list.append(process_model)
|
||||
return new_process_model_list
|
||||
|
||||
return process_models
|
||||
|
||||
def get_process_groups(
|
||||
|
|
|
@ -4,10 +4,16 @@ import {
|
|||
Button,
|
||||
// @ts-ignore
|
||||
} from '@carbon/react';
|
||||
import { ProcessModel, RecentProcessModel } from '../interfaces';
|
||||
import { Can } from '@casl/react';
|
||||
import {
|
||||
PermissionsToCheck,
|
||||
ProcessModel,
|
||||
RecentProcessModel,
|
||||
} from '../interfaces';
|
||||
import HttpService from '../services/HttpService';
|
||||
import ErrorContext from '../contexts/ErrorContext';
|
||||
import { modifyProcessIdentifierForPathParam } from '../helpers';
|
||||
import { usePermissionFetcher } from '../hooks/PermissionService';
|
||||
|
||||
const storeRecentProcessModelInLocalStorage = (
|
||||
processModelForStorage: ProcessModel
|
||||
|
@ -75,6 +81,12 @@ export default function ProcessInstanceRun({
|
|||
processModel.id
|
||||
);
|
||||
|
||||
const processInstanceActionPath = `/v1.0/process-models/${modifiedProcessModelId}/process-instances`;
|
||||
const permissionRequestData: PermissionsToCheck = {
|
||||
[processInstanceActionPath]: ['POST'],
|
||||
};
|
||||
const { ability } = usePermissionFetcher(permissionRequestData);
|
||||
|
||||
const onProcessInstanceRun = (processInstance: any) => {
|
||||
// FIXME: ensure that the task is actually for the current user as well
|
||||
const processInstanceId = (processInstance as any).id;
|
||||
|
@ -98,15 +110,17 @@ export default function ProcessInstanceRun({
|
|||
|
||||
const processInstanceCreateAndRun = () => {
|
||||
HttpService.makeCallToBackend({
|
||||
path: `/process-models/${modifiedProcessModelId}/process-instances`,
|
||||
path: processInstanceActionPath,
|
||||
successCallback: processModelRun,
|
||||
httpMethod: 'POST',
|
||||
});
|
||||
};
|
||||
|
||||
return (
|
||||
<Button onClick={processInstanceCreateAndRun} className={className}>
|
||||
Run
|
||||
</Button>
|
||||
<Can I="POST" a={processInstanceActionPath} ability={ability}>
|
||||
<Button onClick={processInstanceCreateAndRun} className={className}>
|
||||
Run
|
||||
</Button>
|
||||
</Can>
|
||||
);
|
||||
}
|
||||
|
|
|
@ -33,11 +33,11 @@ export default function ProcessModelListTiles({
|
|||
setProcessModels(result.results);
|
||||
};
|
||||
// only allow 10 for now until we get the backend only returning certain models for user execution
|
||||
let queryParams = '?per_page=1000';
|
||||
let queryParams = '?per_page=20';
|
||||
if (processGroup) {
|
||||
queryParams = `${queryParams}&process_group_identifier=${processGroup.id}`;
|
||||
} else {
|
||||
queryParams = `${queryParams}&recursive=true`;
|
||||
queryParams = `${queryParams}&recursive=true&filter_runnable_by_user=true`;
|
||||
}
|
||||
HttpService.makeCallToBackend({
|
||||
path: `/process-models${queryParams}`,
|
||||
|
|
|
@ -256,3 +256,7 @@ in on this with the react-jsonschema-form repo. This is just a patch fix to allo
|
|||
.clear-left {
|
||||
clear: left;
|
||||
}
|
||||
|
||||
td.actions-cell {
|
||||
width: 1em;
|
||||
}
|
||||
|
|
|
@ -18,7 +18,7 @@ import {
|
|||
import ProcessInstanceRun from '../components/ProcessInstanceRun';
|
||||
|
||||
const PER_PAGE_FOR_TASKS_ON_HOME_PAGE = 5;
|
||||
const REFRESH_INTERVAL = 10;
|
||||
const REFRESH_INTERVAL = 5;
|
||||
const REFRESH_TIMEOUT = 600;
|
||||
|
||||
export default function MyTasks() {
|
||||
|
@ -158,7 +158,7 @@ export default function MyTasks() {
|
|||
{row.processModelDisplayName}
|
||||
</Link>
|
||||
</td>
|
||||
<td>
|
||||
<td className="actions-cell">
|
||||
<ProcessInstanceRun
|
||||
processModel={processModel}
|
||||
onSuccessCallback={setProcessInstance}
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
import { useEffect, useState } from 'react';
|
||||
import {
|
||||
Link,
|
||||
// Link,
|
||||
useSearchParams,
|
||||
useParams,
|
||||
useNavigate,
|
||||
|
@ -11,10 +11,9 @@ import {
|
|||
// @ts-ignore
|
||||
} from '@carbon/icons-react';
|
||||
// @ts-ignore
|
||||
import { Button, Table, Stack } from '@carbon/react';
|
||||
import { Button, Stack } from '@carbon/react';
|
||||
import { Can } from '@casl/react';
|
||||
import ProcessBreadcrumb from '../components/ProcessBreadcrumb';
|
||||
import PaginationForTable from '../components/PaginationForTable';
|
||||
import HttpService from '../services/HttpService';
|
||||
import {
|
||||
getPageInfoFromSearchParams,
|
||||
|
@ -25,7 +24,7 @@ import {
|
|||
PaginationObject,
|
||||
PermissionsToCheck,
|
||||
ProcessGroup,
|
||||
ProcessModel,
|
||||
// ProcessModel,
|
||||
} from '../interfaces';
|
||||
import { useUriListForPermissions } from '../hooks/UriListForPermissions';
|
||||
import { usePermissionFetcher } from '../hooks/PermissionService';
|
||||
|
@ -39,7 +38,7 @@ export default function ProcessGroupShow() {
|
|||
const navigate = useNavigate();
|
||||
|
||||
const [processGroup, setProcessGroup] = useState<ProcessGroup | null>(null);
|
||||
const [processModels, setProcessModels] = useState([]);
|
||||
// const [processModels, setProcessModels] = useState([]);
|
||||
const [modelPagination, setModelPagination] =
|
||||
useState<PaginationObject | null>(null);
|
||||
|
||||
|
@ -55,7 +54,7 @@ export default function ProcessGroupShow() {
|
|||
const { page, perPage } = getPageInfoFromSearchParams(searchParams);
|
||||
|
||||
const setProcessModelFromResult = (result: any) => {
|
||||
setProcessModels(result.results);
|
||||
// setProcessModels(result.results);
|
||||
setModelPagination(result.pagination);
|
||||
};
|
||||
const processResult = (result: any) => {
|
||||
|
@ -74,42 +73,42 @@ export default function ProcessGroupShow() {
|
|||
});
|
||||
}, [params, searchParams]);
|
||||
|
||||
const buildModelTable = () => {
|
||||
if (processGroup === null) {
|
||||
return null;
|
||||
}
|
||||
const rows = processModels.map((row: ProcessModel) => {
|
||||
const modifiedProcessModelId: String =
|
||||
modifyProcessIdentifierForPathParam((row as any).id);
|
||||
return (
|
||||
<tr key={row.id}>
|
||||
<td>
|
||||
<Link
|
||||
to={`/admin/process-models/${modifiedProcessModelId}`}
|
||||
data-qa="process-model-show-link"
|
||||
>
|
||||
{row.id}
|
||||
</Link>
|
||||
</td>
|
||||
<td>{row.display_name}</td>
|
||||
</tr>
|
||||
);
|
||||
});
|
||||
return (
|
||||
<div>
|
||||
<h2>Process Models</h2>
|
||||
<Table striped bordered>
|
||||
<thead>
|
||||
<tr>
|
||||
<th>Process Model Id</th>
|
||||
<th>Display Name</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>{rows}</tbody>
|
||||
</Table>
|
||||
</div>
|
||||
);
|
||||
};
|
||||
// const buildModelTable = () => {
|
||||
// if (processGroup === null) {
|
||||
// return null;
|
||||
// }
|
||||
// const rows = processModels.map((row: ProcessModel) => {
|
||||
// const modifiedProcessModelId: String =
|
||||
// modifyProcessIdentifierForPathParam((row as any).id);
|
||||
// return (
|
||||
// <tr key={row.id}>
|
||||
// <td>
|
||||
// <Link
|
||||
// to={`/admin/process-models/${modifiedProcessModelId}`}
|
||||
// data-qa="process-model-show-link"
|
||||
// >
|
||||
// {row.id}
|
||||
// </Link>
|
||||
// </td>
|
||||
// <td>{row.display_name}</td>
|
||||
// </tr>
|
||||
// );
|
||||
// });
|
||||
// return (
|
||||
// <div>
|
||||
// <h2>Process Models</h2>
|
||||
// <Table striped bordered>
|
||||
// <thead>
|
||||
// <tr>
|
||||
// <th>Process Model Id</th>
|
||||
// <th>Display Name</th>
|
||||
// </tr>
|
||||
// </thead>
|
||||
// <tbody>{rows}</tbody>
|
||||
// </Table>
|
||||
// </div>
|
||||
// );
|
||||
// };
|
||||
|
||||
const navigateToProcessGroups = (_result: any) => {
|
||||
navigate(`/admin/process-groups`);
|
||||
|
@ -128,7 +127,7 @@ export default function ProcessGroupShow() {
|
|||
};
|
||||
|
||||
if (processGroup && modelPagination) {
|
||||
const { page, perPage } = getPageInfoFromSearchParams(searchParams);
|
||||
// const { page, perPage } = getPageInfoFromSearchParams(searchParams);
|
||||
const modifiedProcessGroupId = modifyProcessIdentifierForPathParam(
|
||||
processGroup.id
|
||||
);
|
||||
|
|
|
@ -66,9 +66,11 @@ backendCallProps) => {
|
|||
method: httpMethod,
|
||||
});
|
||||
|
||||
const updatedPath = path.replace(/^\/v1\.0/, '');
|
||||
|
||||
let isSuccessful = true;
|
||||
let is403 = false;
|
||||
fetch(`${BACKEND_BASE_URL}${path}`, httpArgs)
|
||||
fetch(`${BACKEND_BASE_URL}${updatedPath}`, httpArgs)
|
||||
.then((response) => {
|
||||
if (response.status === 401) {
|
||||
UserService.doLogin();
|
||||
|
|
Loading…
Reference in New Issue