adding permissions for send-event

2023-05-04 10:23:52 -04:00 · 2023-05-04 10:23:52 -04:00 · 81a2a5d383
parent f65b301635
commit 81a2a5d383
2 changed files with 7 additions and 2 deletions
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
@ -84,6 +84,7 @@ PATH_SEGMENTS_FOR_PERMISSION_ALL = [
    {"path": "/process-instance-terminate", "relevant_permissions": ["create"]},
    {"path": "/process-data", "relevant_permissions": ["read"]},
    {"path": "/process-data-file-download", "relevant_permissions": ["read"]},
+    {"path": "/send-event", "relevant_permissions": ["create"]},
    {"path": "/task-data", "relevant_permissions": ["read", "update"]},
 ]

@ -531,9 +532,12 @@ class AuthorizationService:
        # we were thinking that if you can start an instance, you ought to be able to:
        #   1. view your own instances.
        #   2. view the logs for these instances.
+        #   3. click on buttons in user tasks that sends signal events to these instances
        if permission_set == "start":
-            target_uri = f"/process-instances/{process_related_path_segment}"
-            permissions_to_assign.append(PermissionToAssign(permission="create", target_uri=target_uri))
+            path_prefixes_that_allow_create_access = ["process-instances", "send-event"]
+            for path_prefix in path_prefixes_that_allow_create_access:
+                target_uri = f"/{path_prefix}/{process_related_path_segment}"
+                permissions_to_assign.append(PermissionToAssign(permission="create", target_uri=target_uri))

            # giving people access to all logs for an instance actually gives them a little bit more access
            # than would be optimal. ideally, you would only be able to view the logs for instances that you started
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_authorization_service.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_authorization_service.py
@ -125,6 +125,7 @@ class TestAuthorizationService(BaseTest):
        expected_permissions = sorted(
            [
                ("/event-error-details/some-process-group:some-process-model:*", "read"),
+                ("/send-event/some-process-group:some-process-model:*", "create"),
                ("/logs/some-process-group:some-process-model:*", "read"),
                ("/logs/typeahead-filter-values/some-process-group:some-process-model:*", "read"),
                ("/process-data/some-process-group:some-process-model:*", "read"),