message-model-perm-check (#1805)

* check if user has permissions to messages before attempting call w/ burnettk

* fixed variable typo w/ burnettk

---------

Co-authored-by: jasquat <jasquat@users.noreply.github.com>
jasquat 2024-06-24 15:36:07 -04:00 committed by GitHub
parent 582d9325fc
commit 5e3831f4d6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 29 additions and 7 deletions


@ -55,7 +55,6 @@ elif [[ "$use_local_open_id" == "true" ]]; then
export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__uri="${backend_base_url}/openid"
export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__client_id="spiffworkflow-backend"
export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__client_secret="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"
export SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME="example.yml"
# else # uncomment to test multiple auths
# export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__identifier="keycloak_internal"


@ -1,14 +1,19 @@
users:
admin:
service: local_open_id
email: admin@spiffworkflow.org
email: admin@example.com
password: admin
preferred_username: Admin
nelson:
service: local_open_id
email: nelson@spiffworkflow.org
email: nelson@example.com
password: nelson
preferred_username: Nelson
dan:
service: local_open_id
email: dan@example.com
password: dan
preferred_username: dan
groups:
admin:
users: [admin@spiffworkflow.org, nelson@spiffworkflow.org]
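Review bot: The `admin` group on the last line still lists `admin@spiffworkflow.org` and `nelson@spiffworkflow.org`, while this change moves both users' `email` to `@example.com`. If group membership is resolved by email (not visible here), `admin` and `nelson` no longer match the group, and the old addresses stay on the privileged list for whoever later presents them. Proposed line: `users: [admin@example.com, nelson@example.com]`. The new `dan` entry follows the existing password-equals-username pattern, so a comment at the top such as `# local_open_id test accounts only; never load this file in a shared or production environment` would make the file's scope explicit.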


@ -8,6 +8,7 @@ export const useUriListForPermissions = () => {
authenticationListPath: `/v1.0/authentications`,
statusPath: `/v1.0/status`,
messageInstanceListPath: '/v1.0/messages',
messageModelListPath: `/v1.0/message-models/${params.process_model_id}`,
dataStoreListPath: '/v1.0/data-stores',
extensionListPath: '/v1.0/extensions',
extensionPath: `/v1.0/extensions/${params.page_identifier}`,


@ -47,6 +47,7 @@ import {
import {
CarbonComboBoxProcessSelection,
CorrelationProperties,
PermissionsToCheck,
ProcessFile,
ProcessModel,
ProcessReference,
@ -59,6 +60,8 @@ import useScriptAssistEnabled from '../hooks/useScriptAssistEnabled';
import useProcessScriptAssistMessage from '../hooks/useProcessScriptAssistQuery';
import SpiffTooltip from '../components/SpiffTooltip';
import { MessageEditor } from '../components/messages/MessageEditor';
import { useUriListForPermissions } from '../hooks/UriListForPermissions';
import { usePermissionFetcher } from '../hooks/PermissionService';
export default function ProcessModelEditDiagram() {
const [showFileNameEditor, setShowFileNameEditor] = useState(false);
@ -115,6 +118,12 @@ export default function ProcessModelEditDiagram() {
const { setScriptAssistQuery, scriptAssistLoading, scriptAssistResult } =
useProcessScriptAssistMessage();
const { targetUris } = useUriListForPermissions();
const permissionRequestData: PermissionsToCheck = {
[targetUris.messageModelListPath]: ['GET'],
};
const { ability } = usePermissionFetcher(permissionRequestData);
function handleEditorDidMount(editor: any, monaco: any) {
// here is the editor instance
// you can store it in `useRef` for further usage
@ -455,10 +464,18 @@ export default function ProcessModelEditDiagram() {
};
};
const onMessagesRequested = (event: any) => {
// it is perfectly reasonable to access the edit diagram page in read only mode when you actually don't have access to edit.
// this is awkward in terms of functionality like this, where we are fetching the relevant list of messages to show in the
// properties panel. since message_model_list is a different permission, you may not have access to it even though you have
// access to the read the process model. we also considered automatically giving you access to read message_model_list
// when you have read access to the process model, but this seemed easier and more in line with the current backend permission system,
// where we normally only pork barrel permissions on top of "start" and "all."
if (ability.can('GET', targetUris.messageModelListPath)) {
HttpService.makeCallToBackend({
path: `/message-models/${modifiedProcessModelId}`,
path: targetUris.messageModelListPath,
successCallback: makeMessagesRequestedHandler(event),
});
}
};
useEffect(() => {
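Review bot: In `onMessagesRequested`, a false `ability.can('GET', targetUris.messageModelListPath)` skips the call without ever running the handler built by `makeMessagesRequestedHandler(event)`, and that presumably includes the window before `usePermissionFetcher` has returned, so a permitted user's first request could be dropped with no feedback; consider an `else` branch that tells the requester no messages are available, or deferring until the permissions have loaded. The call path also changes shape, from `/message-models/${modifiedProcessModelId}` to a value that starts with `/v1.0` and uses `params.process_model_id`; that is only safe if `HttpService.makeCallToBackend` normalises the version prefix and the route param is already in the modified form, neither of which is visible here. The gate is a UI convenience: the backend permission on message-models stays the actual access control and is what a test for this change should exercise. The component body continues outside the hunk.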