From 83f7849685439cfbc7d2546d5c604dcb041b429d Mon Sep 17 00:00:00 2001
From: jasquat
Date: Fri, 19 May 2023 12:26:16 -0400
Subject: [PATCH] changed publish endpoint to precede model id so we can grant publish access but read only to a model otherwise w/ burnettk
---
 .../src/spiffworkflow_backend/api.yml | 2 +-
 ...ml => example_process_model_read_only.yml} | 0
 ...e_process_model_read_only_with_publish.yml | 21 +++++++++++++++++++
 .../services/authorization_service.py | 6 ++++--
 .../integration/test_process_api.py | 2 +-
 .../unit/test_authorization_service.py | 4 +++-
 .../src/hooks/UriListForPermissions.tsx | 2 +-
 .../src/routes/ProcessModelShow.tsx | 2 +-
 8 files changed, 32 insertions(+), 7 deletions(-)
 rename spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/{example_read_only.yml => example_process_model_read_only.yml} (100%)
 create mode 100644 spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/example_process_model_read_only_with_publish.yml
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/api.yml b/spiffworkflow-backend/src/spiffworkflow_backend/api.yml
index a4483f6b5..413608534 100755
--- a/spiffworkflow-backend/src/spiffworkflow_backend/api.yml
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/api.yml
@@ -564,7 +564,7 @@ paths:
 schema:
 $ref: "#/components/schemas/ProcessModel"
- /process-models/{modified_process_model_identifier}/publish:
+ /process-model-publish/{modified_process_model_identifier}:
 parameters:
 - name: modified_process_model_identifier
 in: path
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/example_read_only.yml b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/example_process_model_read_only.yml
similarity index 100%
rename from spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/example_read_only.yml
rename to spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/example_process_model_read_only.yml
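Review bot: Moving the route from `/process-models/{modified_process_model_identifier}/publish` to `/process-model-publish/{modified_process_model_identifier}` in the api.yml hunk changes which permission rules govern publishing, and the spec does not record that. Hand-written rules that target `/process-models/...` URIs directly, rather than through the PG:/PM: macros, presumably stop matching publish requests after this change; a lost grant fails closed, but any narrower or restricting rule written against the old path would also stop applying. A `description:` on the new path item saying that the route is authorized by `create` on `/process-model-publish/<model id>` would make the dependency visible to operators reading the API. The operation definition itself lies outside this hunk.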
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/example_process_model_read_only_with_publish.yml b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/example_process_model_read_only_with_publish.yml
new file mode 100644
index 000000000..626dea4d8
--- /dev/null
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/example_process_model_read_only_with_publish.yml
@@ -0,0 +1,21 @@
+groups:
+ admin:
+ users: [admin@spiffworkflow.org]
+
+permissions:
+ process-groups-ro:
+ groups: [admin]
+ allowed_permissions: [read]
+ uri: PG:ALL
+ basic:
+ groups: [admin]
+ allowed_permissions: [ALL]
+ uri: BASIC
+ elevated-operations:
+ groups: [admin]
+ allowed_permissions: [ALL]
+ uri: ELEVATED
+ process-model-publish:
+ groups: [admin]
+ allowed_permissions: [create]
+ uri: /process-model-publish/*
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
index 0f63531c1..79f431661 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
@@ -75,10 +75,11 @@ PATH_SEGMENTS_FOR_PERMISSION_ALL = [
 "path": "/process-instances",
 "relevant_permissions": ["create", "read", "delete"],
 },
- {"path": "/process-instance-suspend", "relevant_permissions": ["create"]},
- {"path": "/process-instance-terminate", "relevant_permissions": ["create"]},
 {"path": "/process-data", "relevant_permissions": ["read"]},
 {"path": "/process-data-file-download", "relevant_permissions": ["read"]},
+ {"path": "/process-instance-suspend", "relevant_permissions": ["create"]},
+ {"path": "/process-instance-terminate", "relevant_permissions": ["create"]},
+ {"path": "/process-model-publish", "relevant_permissions": ["create"]},
 {"path": "/task-data", "relevant_permissions": ["read", "update"]},
 ]
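Review bot: The `process-model-publish` rule in the new example file uses `uri: /process-model-publish/*`, which grants publish on every process model, and the file has no comment saying so. An operator copying the example to give one team publish rights would grant it across all models; the unit-test expectations in this commit show a scoped form (`/process-model-publish/some-process-group:some-process-model:*`), so a narrower URI appears to be supported. A header comment would cover it, for example `# read-only on process models, plus publish on ALL models; narrow the publish uri to scope it`. It is also worth one line noting that `ELEVATED` with `ALL` is not read-only for process instances, since the authorization_service.py hunk shows it expanding to create on `/send-event/*` and `/task-complete/*` and update on `/task-data/*`.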
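Review bot: The added `/process-model-publish` entry in `PATH_SEGMENTS_FOR_PERMISSION_ALL` appears to mean that any PG:/PM: grant including `create` also confers publish, and nothing in the list marks this entry as different in effect from creating a record. A one-line comment above it would help the next person who edits the list, for example `# publish is a POST, so "create" on this segment is what allows publishing a model`. The suspend and terminate entries are only moved in this hunk, which makes the single functional addition easy to overlook in review. The list starts above the hunk, so how `relevant_permissions` is consumed is not visible here.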
@@ -524,6 +525,7 @@ class AuthorizationService: permissions_to_assign.append(PermissionToAssign(permission="create", target_uri="/send-event/*")) permissions_to_assign.append(PermissionToAssign(permission="create", target_uri="/task-complete/*")) + permissions_to_assign.append(PermissionToAssign(permission="read", target_uri="/users/search")) # read comes from PG and PM permissions permissions_to_assign.append(PermissionToAssign(permission="update", target_uri="/task-data/*")) diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py index 54d678486..533bd9a4b 100644 --- a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py +++ b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py @@ -3033,7 +3033,7 @@ class TestProcessApi(BaseTest): # # # modified_process_model_id = process_model_identifier.replace("/", ":") # # response = client.post( - # # f"/v1.0/process-models/{modified_process_model_id}/publish?branch_to_update=staging", + # # f"/v1.0/process-model-publish/{modified_process_model_id}?branch_to_update=staging", # # headers=self.logged_in_headers(with_super_admin_user), # # ) # diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_authorization_service.py b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_authorization_service.py index a96b3017b..928da5f12 100644 --- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_authorization_service.py +++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_authorization_service.py 
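Review bot: The new `read` grant on `/users/search` in the authorization_service.py hunk is not mentioned in the commit message and widens what `ELEVATED` confers: holders can now query the user directory. If that is intended, the line should carry a comment giving the reason, for example `# ELEVATED may search users because <reason>`, so a later reviewer does not read it as accidental. The target is an exact path with no wildcard, which keeps the grant narrow. The enclosing method starts and ends outside this hunk.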
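Review bot: The only integration test that posts to the publish route, in the test_process_api.py hunk, stays commented out, so this commit updates a URL that no test sends. Nothing here checks the behaviour the commit exists for: that a user with `create` on `/process-model-publish/*` and only `read` on the models can publish, and that a user with read alone is refused. The unit-test hunks in test_authorization_service.py cover the `all` expansion only. A small permission test against the new path, even one that stops at the authorization check, would pin both cases.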
@@ -141,6 +141,7 @@ class TestAuthorizationService(BaseTest):
 "delete",
 ),
 ("/process-instances/some-process-group:some-process-model:*", "read"),
+ ("/process-model-publish/some-process-group:some-process-model:*", "create"),
 ("/process-models/some-process-group:some-process-model:*", "create"),
 ("/process-models/some-process-group:some-process-model:*", "delete"),
 ("/process-models/some-process-group:some-process-model:*", "read"),
@@ -194,7 +195,6 @@ class TestAuthorizationService(BaseTest):
 client: FlaskClient,
 with_db_and_bpmn_file_cleanup: None,
 ) -> None:
- """Test_explode_permissions_all_on_process_model."""
 expected_permissions = sorted(
 [
 ("/event-error-details/some-process-group:some-process-model/*", "read"),
@@ -222,6 +222,7 @@ class TestAuthorizationService(BaseTest):
 "delete",
 ),
 ("/process-instances/some-process-group:some-process-model/*", "read"),
+ ("/process-model-publish/some-process-group:some-process-model/*", "create"),
 ("/process-models/some-process-group:some-process-model/*", "create"),
 ("/process-models/some-process-group:some-process-model/*", "delete"),
 ("/process-models/some-process-group:some-process-model/*", "read"),
@@ -324,6 +325,7 @@ class TestAuthorizationService(BaseTest):
 ("/send-event/*", "create"),
 ("/task-complete/*", "create"),
 ("/task-data/*", "update"),
+ ("/users/search", "read"),
 ]
 permissions_to_assign = AuthorizationService.explode_permissions("all", "ELEVATED")
 permissions_to_assign_tuples = sorted([(p.target_uri, p.permission) for p in permissions_to_assign])
diff --git a/spiffworkflow-frontend/src/hooks/UriListForPermissions.tsx b/spiffworkflow-frontend/src/hooks/UriListForPermissions.tsx
index ae663541b..e51d961d2 100644
--- a/spiffworkflow-frontend/src/hooks/UriListForPermissions.tsx
+++ b/spiffworkflow-frontend/src/hooks/UriListForPermissions.tsx
@@ -27,7 +27,7 @@ export const useUriListForPermissions = () => {
 processModelCreatePath: `/v1.0/process-models/${params.process_group_id}`,
 processModelFileCreatePath: `/v1.0/process-models/${params.process_model_id}/files`,
 processModelFileShowPath: `/v1.0/process-models/${params.process_model_id}/files/${params.file_name}`,
- processModelPublishPath: `/v1.0/process-models/${params.process_model_id}/publish`,
+ processModelPublishPath: `/v1.0/process-model-publish/${params.process_model_id}`,
 processModelShowPath: `/v1.0/process-models/${params.process_model_id}`,
 secretListPath: `/v1.0/secrets`,
 userSearch: `/v1.0/users/search`,
diff --git a/spiffworkflow-frontend/src/routes/ProcessModelShow.tsx b/spiffworkflow-frontend/src/routes/ProcessModelShow.tsx
index 3b105dde2..f50ee6a34 100644
--- a/spiffworkflow-frontend/src/routes/ProcessModelShow.tsx
+++ b/spiffworkflow-frontend/src/routes/ProcessModelShow.tsx
@@ -214,7 +214,7 @@ export default function ProcessModelShow() {
 setPublishDisabled(true);
 setProcessModelPublished(null);
 HttpService.makeCallToBackend({
- path: `/process-models/${modifiedProcessModelId}/publish`,
+ path: targetUris.processModelPublishPath,
 successCallback: postPublish,
 httpMethod: 'POST',
 });
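Review bot: In the ProcessModelShow.tsx hunk the request path changes shape as well as route: the removed line passed `/process-models/${modifiedProcessModelId}/publish` with no version prefix, while `targetUris.processModelPublishPath` is defined in the UriListForPermissions.tsx hunk with a leading `/v1.0`. Unless `HttpService.makeCallToBackend` strips that prefix, which is not visible here, the POST would be sent to a doubled prefix. The id also now comes from `params.process_model_id` instead of `modifiedProcessModelId`, which is only equivalent if the route parameter is already in the colon-separated form. If either assumption does not hold, keep the permission URI for the access check and build the request path separately, e.g. `path: '/process-model-publish/' + modifiedProcessModelId,`. The function body continues outside the hunk.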