changed publish endpoint to precede model id so we can grant publish access but read only to a model otherwise w/ burnettk

jasquat 2023-05-19 12:26:16 -04:00
parent 9ff0169fd3
commit 83f7849685
8 changed files with 32 additions and 7 deletions


@ -564,7 +564,7 @@ paths:
schema: schema:
$ref: "#/components/schemas/ProcessModel" $ref: "#/components/schemas/ProcessModel"
/process-models/{modified_process_model_identifier}/publish: /process-model-publish/{modified_process_model_identifier}:
parameters: parameters:
- name: modified_process_model_identifier - name: modified_process_model_identifier
in: path in: path


@ -0,0 +1,21 @@
groups:
admin:
users: [admin@spiffworkflow.org]
permissions:
process-groups-ro:
groups: [admin]
allowed_permissions: [read]
uri: PG:ALL
basic:
groups: [admin]
allowed_permissions: [ALL]
uri: BASIC
elevated-operations:
groups: [admin]
allowed_permissions: [ALL]
uri: ELEVATED
process-model-publish:
groups: [admin]
allowed_permissions: [create]
uri: /process-model-publish/*
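Review bot: This new permissions file has no header comment stating which environment or scenario it is for, and its last entry grants `create` on `/process-model-publish/*`, which is publish on every model rather than a scoped set. A first line such as `# admin can read all process groups and publish any model, but cannot edit models` would make the intended boundary explicit. The file also names a concrete account (`admin@spiffworkflow.org`) and gives its group `ALL` on `ELEVATED`; if this file can be selected outside local or test setups, that is worth stating in the same comment. For narrower delegation, a commented example that scopes the publish URI to one process group would show readers how to avoid the global wildcard.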


@ -75,10 +75,11 @@ PATH_SEGMENTS_FOR_PERMISSION_ALL = [
"path": "/process-instances", "path": "/process-instances",
"relevant_permissions": ["create", "read", "delete"], "relevant_permissions": ["create", "read", "delete"],
}, },
{"path": "/process-instance-suspend", "relevant_permissions": ["create"]},
{"path": "/process-instance-terminate", "relevant_permissions": ["create"]},
{"path": "/process-data", "relevant_permissions": ["read"]}, {"path": "/process-data", "relevant_permissions": ["read"]},
{"path": "/process-data-file-download", "relevant_permissions": ["read"]}, {"path": "/process-data-file-download", "relevant_permissions": ["read"]},
{"path": "/process-instance-suspend", "relevant_permissions": ["create"]},
{"path": "/process-instance-terminate", "relevant_permissions": ["create"]},
{"path": "/process-model-publish", "relevant_permissions": ["create"]},
{"path": "/task-data", "relevant_permissions": ["read", "update"]}, {"path": "/task-data", "relevant_permissions": ["read", "update"]},
] ]
@ -524,6 +525,7 @@ class AuthorizationService:
permissions_to_assign.append(PermissionToAssign(permission="create", target_uri="/send-event/*")) permissions_to_assign.append(PermissionToAssign(permission="create", target_uri="/send-event/*"))
permissions_to_assign.append(PermissionToAssign(permission="create", target_uri="/task-complete/*")) permissions_to_assign.append(PermissionToAssign(permission="create", target_uri="/task-complete/*"))
permissions_to_assign.append(PermissionToAssign(permission="read", target_uri="/users/search"))
# read comes from PG and PM permissions # read comes from PG and PM permissions
permissions_to_assign.append(PermissionToAssign(permission="update", target_uri="/task-data/*")) permissions_to_assign.append(PermissionToAssign(permission="update", target_uri="/task-data/*"))
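Review bot: The `read` grant on `/users/search` added in the second hunk is not mentioned in the commit message and widens what this macro hands out, since every principal that receives it can query the user directory. Judging by the test change that expects it from `explode_permissions("all", "ELEVATED")`, this is the elevated set, but the enclosing method starts and ends outside the hunk, so that should be confirmed. I would put a why-comment directly above the line, for example `# user lookup is limited to elevated users; required by <feature to be named>`, and record the addition in the commit description so the permission change is auditable. The first hunk's `/process-model-publish` entry in `PATH_SEGMENTS_FOR_PERMISSION_ALL` looks consistent with the stated goal.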


@ -3033,7 +3033,7 @@ class TestProcessApi(BaseTest):
# #
# # modified_process_model_id = process_model_identifier.replace("/", ":") # # modified_process_model_id = process_model_identifier.replace("/", ":")
# # response = client.post( # # response = client.post(
# # f"/v1.0/process-models/{modified_process_model_id}/publish?branch_to_update=staging", # # f"/v1.0/process-model-publish/{modified_process_model_id}?branch_to_update=staging",
# # headers=self.logged_in_headers(with_super_admin_user), # # headers=self.logged_in_headers(with_super_admin_user),
# # ) # # )
# #
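Review bot: The publish call updated in this hunk sits inside a commented-out test, so the renamed route gets no request-level coverage from it. Since the point of the change is an authorization boundary, a live test should show that a user holding only `read` on `/process-models/*` plus `create` on `/process-model-publish/*` can publish. It should also show that the same user without the publish grant is refused. If the publish test must stay disabled because it needs a git remote, a short comment saying so above the block would explain why it is kept.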


@ -141,6 +141,7 @@ class TestAuthorizationService(BaseTest):
"delete", "delete",
), ),
("/process-instances/some-process-group:some-process-model:*", "read"), ("/process-instances/some-process-group:some-process-model:*", "read"),
("/process-model-publish/some-process-group:some-process-model:*", "create"),
("/process-models/some-process-group:some-process-model:*", "create"), ("/process-models/some-process-group:some-process-model:*", "create"),
("/process-models/some-process-group:some-process-model:*", "delete"), ("/process-models/some-process-group:some-process-model:*", "delete"),
("/process-models/some-process-group:some-process-model:*", "read"), ("/process-models/some-process-group:some-process-model:*", "read"),
@ -194,7 +195,6 @@ class TestAuthorizationService(BaseTest):
client: FlaskClient, client: FlaskClient,
with_db_and_bpmn_file_cleanup: None, with_db_and_bpmn_file_cleanup: None,
) -> None: ) -> None:
"""Test_explode_permissions_all_on_process_model."""
expected_permissions = sorted( expected_permissions = sorted(
[ [
("/event-error-details/some-process-group:some-process-model/*", "read"), ("/event-error-details/some-process-group:some-process-model/*", "read"),
@ -222,6 +222,7 @@ class TestAuthorizationService(BaseTest):
"delete", "delete",
), ),
("/process-instances/some-process-group:some-process-model/*", "read"), ("/process-instances/some-process-group:some-process-model/*", "read"),
("/process-model-publish/some-process-group:some-process-model/*", "create"),
("/process-models/some-process-group:some-process-model/*", "create"), ("/process-models/some-process-group:some-process-model/*", "create"),
("/process-models/some-process-group:some-process-model/*", "delete"), ("/process-models/some-process-group:some-process-model/*", "delete"),
("/process-models/some-process-group:some-process-model/*", "read"), ("/process-models/some-process-group:some-process-model/*", "read"),
@ -324,6 +325,7 @@ class TestAuthorizationService(BaseTest):
("/send-event/*", "create"), ("/send-event/*", "create"),
("/task-complete/*", "create"), ("/task-complete/*", "create"),
("/task-data/*", "update"), ("/task-data/*", "update"),
("/users/search", "read"),
] ]
permissions_to_assign = AuthorizationService.explode_permissions("all", "ELEVATED") permissions_to_assign = AuthorizationService.explode_permissions("all", "ELEVATED")
permissions_to_assign_tuples = sorted([(p.target_uri, p.permission) for p in permissions_to_assign]) permissions_to_assign_tuples = sorted([(p.target_uri, p.permission) for p in permissions_to_assign])


@ -27,7 +27,7 @@ export const useUriListForPermissions = () => {
processModelCreatePath: `/v1.0/process-models/${params.process_group_id}`, processModelCreatePath: `/v1.0/process-models/${params.process_group_id}`,
processModelFileCreatePath: `/v1.0/process-models/${params.process_model_id}/files`, processModelFileCreatePath: `/v1.0/process-models/${params.process_model_id}/files`,
processModelFileShowPath: `/v1.0/process-models/${params.process_model_id}/files/${params.file_name}`, processModelFileShowPath: `/v1.0/process-models/${params.process_model_id}/files/${params.file_name}`,
processModelPublishPath: `/v1.0/process-models/${params.process_model_id}/publish`, processModelPublishPath: `/v1.0/process-model-publish/${params.process_model_id}`,
processModelShowPath: `/v1.0/process-models/${params.process_model_id}`, processModelShowPath: `/v1.0/process-models/${params.process_model_id}`,
secretListPath: `/v1.0/secrets`, secretListPath: `/v1.0/secrets`,
userSearch: `/v1.0/users/search`, userSearch: `/v1.0/users/search`,


@ -214,7 +214,7 @@ export default function ProcessModelShow() {
setPublishDisabled(true); setPublishDisabled(true);
setProcessModelPublished(null); setProcessModelPublished(null);
HttpService.makeCallToBackend({ HttpService.makeCallToBackend({
path: `/process-models/${modifiedProcessModelId}/publish`, path: targetUris.processModelPublishPath,
successCallback: postPublish, successCallback: postPublish,
httpMethod: 'POST', httpMethod: 'POST',
}); });
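Review bot: The new `path: targetUris.processModelPublishPath` differs from the literal it replaces in two ways that the hunk does not show to be equivalent. The old value had no `/v1.0` prefix, while the `processModelPublishPath` entry in the URI list begins with `/v1.0/`. Unless `HttpService.makeCallToBackend` normalizes that prefix, the request may go to a doubled-prefix URL and publish would fail. The old value was also built from `modifiedProcessModelId`, whereas the URI list interpolates `params.process_model_id`; please confirm both carry the same colon-separated form of the identifier. A one-line comment such as `// targetUris paths include the /v1.0 prefix; makeCallToBackend strips it` would record the assumption if it holds; the enclosing function continues outside the hunk.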