From 5e3831f4d6a296741579521404ecb163eec770a7 Mon Sep 17 00:00:00 2001
From: jasquat <2487833+jasquat@users.noreply.github.com>
Date: Mon, 24 Jun 2024 15:36:07 -0400
Subject: [PATCH] message-model-perm-check (#1805)

* check if user has permissions to messages before attempting call w/ burnettk

* fixed variable typo w/ burnettk

---------

Co-authored-by: jasquat
---
 .../bin/local_development_environment_setup | 1 -
 .../config/permissions/local_development.yml | 9 +++++--
 .../src/hooks/UriListForPermissions.tsx | 1 +
 .../src/routes/ProcessModelEditDiagram.tsx | 25 ++++++++++++++++---
 4 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/spiffworkflow-backend/bin/local_development_environment_setup b/spiffworkflow-backend/bin/local_development_environment_setup
index 169193a4f..5fd3acca2 100755
--- a/spiffworkflow-backend/bin/local_development_environment_setup
+++ b/spiffworkflow-backend/bin/local_development_environment_setup
@@ -55,7 +55,6 @@ elif [[ "$use_local_open_id" == "true" ]]; then
 export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__uri="${backend_base_url}/openid"
 export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__client_id="spiffworkflow-backend"
 export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__client_secret="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"
- export SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME="example.yml"
 # else
 # uncomment to test multiple auths
 # export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__identifier="keycloak_internal"
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/local_development.yml b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/local_development.yml
index ac0d7e6ee..6f47d95d2 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/local_development.yml
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/local_development.yml
@@ -1,14 +1,19 @@
 users:
 admin:
 service: local_open_id
- email: admin@spiffworkflow.org
+ email: admin@example.com
 password: admin
 preferred_username: Admin
 nelson:
 service: local_open_id
- email: nelson@spiffworkflow.org
+ email: nelson@example.com
 password: nelson
 preferred_username: Nelson
+ dan:
+ service: local_open_id
+ email: dan@example.com
+ password: dan
+ preferred_username: dan
 groups:
 admin:
 users: [admin@spiffworkflow.org, nelson@spiffworkflow.org]
diff --git a/spiffworkflow-frontend/src/hooks/UriListForPermissions.tsx b/spiffworkflow-frontend/src/hooks/UriListForPermissions.tsx
index a15eeab8b..0ef121696 100644
--- a/spiffworkflow-frontend/src/hooks/UriListForPermissions.tsx
+++ b/spiffworkflow-frontend/src/hooks/UriListForPermissions.tsx
@@ -8,6 +8,7 @@ export const useUriListForPermissions = () => {
 authenticationListPath: `/v1.0/authentications`,
 statusPath: `/v1.0/status`,
 messageInstanceListPath: '/v1.0/messages',
+ messageModelListPath: `/v1.0/message-models/${params.process_model_id}`,
 dataStoreListPath: '/v1.0/data-stores',
 extensionListPath: '/v1.0/extensions',
 extensionPath: `/v1.0/extensions/${params.page_identifier}`,
diff --git a/spiffworkflow-frontend/src/routes/ProcessModelEditDiagram.tsx b/spiffworkflow-frontend/src/routes/ProcessModelEditDiagram.tsx
index 8d8f6faa3..7722f6588 100644
--- a/spiffworkflow-frontend/src/routes/ProcessModelEditDiagram.tsx
+++ b/spiffworkflow-frontend/src/routes/ProcessModelEditDiagram.tsx
@@ -47,6 +47,7 @@ import {
 import {
 CarbonComboBoxProcessSelection,
 CorrelationProperties,
+ PermissionsToCheck,
 ProcessFile,
 ProcessModel,
 ProcessReference,
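Review bot: The admin group on the last line of the hunk still lists `admin@spiffworkflow.org` and `nelson@spiffworkflow.org`, while the user entries above it now carry `@example.com` addresses, so if group membership is resolved by email (the matching rule is defined outside this hunk) the admin and nelson accounts would silently fall out of the admin group after this change. Either update the group to `users: [admin@example.com, nelson@example.com]` or keep the original addresses on the users. The new `dan` user is placed in no group visible here, which looks intentional as a low-privilege account for exercising the message-model permission check; a one-line comment such as `# dan: deliberately in no group, used to exercise permission denials` would make that intent explicit for the next person editing this file.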
@@ -59,6 +60,8 @@ import useScriptAssistEnabled from '../hooks/useScriptAssistEnabled';
 import useProcessScriptAssistMessage from '../hooks/useProcessScriptAssistQuery';
 import SpiffTooltip from '../components/SpiffTooltip';
 import { MessageEditor } from '../components/messages/MessageEditor';
+import { useUriListForPermissions } from '../hooks/UriListForPermissions';
+import { usePermissionFetcher } from '../hooks/PermissionService';

 export default function ProcessModelEditDiagram() {
 const [showFileNameEditor, setShowFileNameEditor] = useState(false);
@@ -115,6 +118,12 @@ export default function ProcessModelEditDiagram() {
 const { setScriptAssistQuery, scriptAssistLoading, scriptAssistResult } =
 useProcessScriptAssistMessage();

+ const { targetUris } = useUriListForPermissions();
+ const permissionRequestData: PermissionsToCheck = {
+ [targetUris.messageModelListPath]: ['GET'],
+ };
+ const { ability } = usePermissionFetcher(permissionRequestData);
+
 function handleEditorDidMount(editor: any, monaco: any) {
 // here is the editor instance
 // you can store it in `useRef` for further usage
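Review bot: `permissionRequestData` is a new object literal on every render of ProcessModelEditDiagram and is passed straight into `usePermissionFetcher`; if that hook keys an effect on the identity of its argument, the permission request would be re-issued on each render rather than once. If sibling routes already call the hook this way and it deduplicates internally, this is fine, otherwise memoize it, e.g. `const permissionRequestData = useMemo(() => ({ [targetUris.messageModelListPath]: ['GET'] }), [targetUris.messageModelListPath]);` (adding `useMemo` to the existing react import). A short comment above the block, such as `// Ask the backend once whether this user may list message models; the ability is consulted before fetching them for the properties panel.`, would explain why the permission check lives in this component. ProcessModelEditDiagram starts before and continues after this hunk.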
@@ -455,10 +464,18 @@ export default function ProcessModelEditDiagram() {
 };
 };
 const onMessagesRequested = (event: any) => {
- HttpService.makeCallToBackend({
- path: `/message-models/${modifiedProcessModelId}`,
- successCallback: makeMessagesRequestedHandler(event),
- });
+ // it is perfectly reasonable to access the edit diagram page in read only mode when you actually don't have access to edit.
+ // this is awkward in terms of functionality like this, where we are fetching the relevant list of messages to show in the
+ // properties panel. since message_model_list is a different permission, you may not have access to it even though you have
+ // access to the read the process model. we also considered automatically giving you access to read message_model_list
+ // when you have read access to the process model, but this seemed easier and more in line with the current backend permission system,
+ // where we normally only pork barrel permissions on top of "start" and "all."
+ if (ability.can('GET', targetUris.messageModelListPath)) {
+ HttpService.makeCallToBackend({
+ path: targetUris.messageModelListPath,
+ successCallback: makeMessagesRequestedHandler(event),
+ });
+ }
 };

 useEffect(() => {
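Review bot: The new `ability.can('GET', targetUris.messageModelListPath)` gate in onMessagesRequested silently skips the fetch, so if the properties panel requests messages before the permission fetch started by the hook has resolved, `ability.can` presumably answers false and the message list stays empty with no retry; if usePermissionFetcher exposes a loaded flag, gate on it or defer the request until permissions have arrived, and keep in mind that this check is a UX shortcut while the backend permission check remains the authority. The request path also changes from `/message-models/${modifiedProcessModelId}` to `targetUris.messageModelListPath`, which carries a `/v1.0` prefix and is built from `params.process_model_id` rather than the modified id; confirm that makeCallToBackend does not prepend the API version a second time and that the route param is already in the modified form, otherwise the call would fail. The six-line comment reads as a design discussion and contains the typo "access to the read the process model"; I would condense it to `// The diagram may be opened read-only by a user without message_model_list, which is a separate permission, so only fetch the message list when the ability check passes; the backend still enforces the permission.` ProcessModelEditDiagram continues outside the hunk.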