message-model-perm-check (#1805)

* check if user has permissions to messages before attempting call w/ burnettk

* fixed variable typo w/ burnettk

---------

Co-authored-by: jasquat <jasquat@users.noreply.github.com>

spiffworkflow-backend/bin/local_development_environment_setup

@@ -55,7 +55,6 @@ elif [[ "$use_local_open_id" == "true" ]]; then
   export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__uri="${backend_base_url}/openid"
   export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__client_id="spiffworkflow-backend"
   export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__client_secret="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"
-  export SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME="example.yml"
 
 # else  # uncomment to test multiple auths
 #   export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__identifier="keycloak_internal"

spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/local_development.yml

@@ -1,14 +1,19 @@
 users:
   admin:
     service: local_open_id
-    email: admin@spiffworkflow.org
+    email: admin@example.com
     password: admin
     preferred_username: Admin
   nelson:
     service: local_open_id
-    email: nelson@spiffworkflow.org
+    email: nelson@example.com
     password: nelson
     preferred_username: Nelson
+  dan:
+    service: local_open_id
+    email: dan@example.com
+    password: dan
+    preferred_username: dan
 groups:
   admin:
     users: [admin@spiffworkflow.org, nelson@spiffworkflow.org]

spiffworkflow-frontend/src/hooks/UriListForPermissions.tsx

@@ -8,6 +8,7 @@ export const useUriListForPermissions = () => {
       authenticationListPath: `/v1.0/authentications`,
       statusPath: `/v1.0/status`,
       messageInstanceListPath: '/v1.0/messages',
+      messageModelListPath: `/v1.0/message-models/${params.process_model_id}`,
       dataStoreListPath: '/v1.0/data-stores',
       extensionListPath: '/v1.0/extensions',
       extensionPath: `/v1.0/extensions/${params.page_identifier}`,

spiffworkflow-frontend/src/routes/ProcessModelEditDiagram.tsx

@@ -47,6 +47,7 @@ import {
 import {
   CarbonComboBoxProcessSelection,
   CorrelationProperties,
+  PermissionsToCheck,
   ProcessFile,
   ProcessModel,
   ProcessReference,
@@ -59,6 +60,8 @@ import useScriptAssistEnabled from '../hooks/useScriptAssistEnabled';
 import useProcessScriptAssistMessage from '../hooks/useProcessScriptAssistQuery';
 import SpiffTooltip from '../components/SpiffTooltip';
 import { MessageEditor } from '../components/messages/MessageEditor';
+import { useUriListForPermissions } from '../hooks/UriListForPermissions';
+import { usePermissionFetcher } from '../hooks/PermissionService';
 
 export default function ProcessModelEditDiagram() {
   const [showFileNameEditor, setShowFileNameEditor] = useState(false);
@@ -115,6 +118,12 @@ export default function ProcessModelEditDiagram() {
   const { setScriptAssistQuery, scriptAssistLoading, scriptAssistResult } =
     useProcessScriptAssistMessage();
 
+  const { targetUris } = useUriListForPermissions();
+  const permissionRequestData: PermissionsToCheck = {
+    [targetUris.messageModelListPath]: ['GET'],
+  };
+  const { ability } = usePermissionFetcher(permissionRequestData);
+
   function handleEditorDidMount(editor: any, monaco: any) {
     // here is the editor instance
     // you can store it in `useRef` for further usage
@@ -455,10 +464,18 @@ export default function ProcessModelEditDiagram() {
     };
   };
   const onMessagesRequested = (event: any) => {
-    HttpService.makeCallToBackend({
+    // it is perfectly reasonable to access the edit diagram page in read only mode when you actually don't have access to edit.
-      path: `/message-models/${modifiedProcessModelId}`,
+    // this is awkward in terms of functionality like this, where we are fetching the relevant list of messages to show in the
-      successCallback: makeMessagesRequestedHandler(event),
+    // properties panel. since message_model_list is a different permission, you may not have access to it even though you have
-    });
+    // access to the read the process model. we also considered automatically giving you access to read message_model_list
+    // when you have read access to the process model, but this seemed easier and more in line with the current backend permission system,
+    // where we normally only pork barrel permissions on top of "start" and "all."
+    if (ability.can('GET', targetUris.messageModelListPath)) {
+      HttpService.makeCallToBackend({
+        path: targetUris.messageModelListPath,
+        successCallback: makeMessagesRequestedHandler(event),
+      });
+    }
   };
 
   useEffect(() => {