filter process models based on user permissions on the backend if specified w/ burnettk

jasquat 2022-11-22 16:21:16 -05:00
parent acc88b9a9c
commit 75d3c0ceae
7 changed files with 114 additions and 38 deletions


@ -278,7 +278,13 @@ paths:
required: false
description: Get all sub process models recursively if true
schema:
type: string
type: boolean
- name: filter_runnable_by_user
in: query
required: false
description: Get only the process models that the user can run
schema:
type: boolean
- name: page
in: query
required: false


@ -53,8 +53,8 @@ groups:
lead,
]
hr:
users: [manuchehr]
core-contributor:
users: [core]
permissions:
tasks-crud:
@ -62,26 +62,6 @@ permissions:
users: []
allowed_permissions: [create, read, update, delete]
uri: /v1.0/tasks/*
process-model-read-all:
groups: [everybody]
users: []
allowed_permissions: [read]
uri: /v1.0/process-models/*
process-group-read-all:
groups: [everybody]
users: []
allowed_permissions: [read]
uri: /v1.0/process-groups/*
process-instance-list:
groups: [everybody]
users: []
allowed_permissions: [read]
uri: /v1.0/process-instances
process-instance-report-list:
groups: [everybody]
users: []
allowed_permissions: [read]
uri: /v1.0/process-instances/reports
admin:
groups: [admin]
@ -90,7 +70,7 @@ permissions:
uri: /*
read-all:
groups: ["Finance Team", "Project Lead", hr, admin]
groups: ["Finance Team", "Project Lead", admin]
users: []
allowed_permissions: [read]
uri: /*
@ -156,3 +136,39 @@ permissions:
users: []
allowed_permissions: [create, read, update, delete]
uri: /v1.0/process-instances/manage-procurement:procurement:vendor-invoice-management/*
core-admin:
groups: ["core-contributor"]
users: []
allowed_permissions: [read]
uri: /v1.0/process-groups/manage-procurement:procurement:vendor-invoice-management:*
core-admin-slash:
groups: ["core-contributor"]
users: []
allowed_permissions: [read]
uri: /v1.0/process-groups/manage-procurement:procurement:vendor-invoice-management/*
core-admin-models:
groups: ["core-contributor"]
users: []
allowed_permissions: [read]
uri: /v1.0/process-models/manage-procurement:procurement:vendor-invoice-management:*
core-admin-models-slash:
groups: ["core-contributor"]
users: []
allowed_permissions: [read]
uri: /v1.0/process-models/manage-procurement:procurement:vendor-invoice-management/*
core-admin-models-instantiate:
groups: ["core-contributor"]
users: []
allowed_permissions: [create]
uri: /v1.0/process-models/manage-procurement:procurement:vendor-invoice-management:invoice-approval/process-instances
core-admin-instances:
groups: ["core-contributor"]
users: []
allowed_permissions: [create]
uri: /v1.0/process-instances/manage-procurement:procurement:vendor-invoice-management:*
core-admin-instances-slash:
groups: ["core-contributor"]
users: []
allowed_permissions: [create]
uri: /v1.0/process-instances/manage-procurement:procurement:vendor-invoice-management/*
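Review bot: The `core-admin-models-instantiate` entry only takes effect for the new runnable filter if its uri matches, character for character, the `target_uri` that `ProcessModelService.get_process_models` builds (`/v1.0/process-models/<model id with '/' replaced by ':'>/process-instances`); nothing in the file records that coupling, so a later edit of either side silently breaks the filter. Add a comment above that entry: `# must match the target_uri built in ProcessModelService.get_process_models for the runnable-by-user filter`. The same block is repeated verbatim in the second permissions file below (the hunk ending at `core-admin-instances-slash`), so the comment belongs there too; if both files are meant to stay identical, a comment at the top of each saying so would help as well.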


@ -53,8 +53,8 @@ groups:
lead,
]
hr:
users: [manuchehr]
core-contributor:
users: [core]
permissions:
tasks-crud:
@ -70,7 +70,7 @@ permissions:
uri: /*
read-all:
groups: ["Finance Team", "Project Lead", hr, admin]
groups: ["Finance Team", "Project Lead", admin]
users: []
allowed_permissions: [read]
uri: /*
@ -136,3 +136,39 @@ permissions:
users: []
allowed_permissions: [create, read, update, delete]
uri: /v1.0/process-instances/manage-procurement:procurement:vendor-invoice-management/*
core-admin:
groups: ["core-contributor"]
users: []
allowed_permissions: [read]
uri: /v1.0/process-groups/manage-procurement:procurement:vendor-invoice-management:*
core-admin-slash:
groups: ["core-contributor"]
users: []
allowed_permissions: [read]
uri: /v1.0/process-groups/manage-procurement:procurement:vendor-invoice-management/*
core-admin-models:
groups: ["core-contributor"]
users: []
allowed_permissions: [read]
uri: /v1.0/process-models/manage-procurement:procurement:vendor-invoice-management:*
core-admin-models-slash:
groups: ["core-contributor"]
users: []
allowed_permissions: [read]
uri: /v1.0/process-models/manage-procurement:procurement:vendor-invoice-management/*
core-admin-models-instantiate:
groups: ["core-contributor"]
users: []
allowed_permissions: [create]
uri: /v1.0/process-models/manage-procurement:procurement:vendor-invoice-management:invoice-approval/process-instances
core-admin-instances:
groups: ["core-contributor"]
users: []
allowed_permissions: [create]
uri: /v1.0/process-instances/manage-procurement:procurement:vendor-invoice-management:*
core-admin-instances-slash:
groups: ["core-contributor"]
users: []
allowed_permissions: [create]
uri: /v1.0/process-instances/manage-procurement:procurement:vendor-invoice-management/*


@ -349,12 +349,15 @@ def process_model_move(
def process_model_list(
process_group_identifier: Optional[str] = None,
recursive: Optional[bool] = False,
filter_runnable_by_user: Optional[bool] = False,
page: int = 1,
per_page: int = 100,
) -> flask.wrappers.Response:
"""Process model list!"""
process_models = ProcessModelService().get_process_models(
process_group_id=process_group_identifier, recursive=recursive
process_group_id=process_group_identifier,
recursive=recursive,
filter_runnable_by_user=filter_runnable_by_user,
)
batch = ProcessModelService().get_batch(
process_models, page=page, per_page=per_page
@ -1319,7 +1322,7 @@ def task_submit(
task_id, process_instance, processor=processor
)
AuthorizationService.assert_user_can_complete_spiff_task(
processor, spiff_task, principal.user
process_instance.id, spiff_task, principal.user
)
if spiff_task.state != TaskState.READY:
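Review bot: `process_model_list` gains `filter_runnable_by_user` but its docstring `"""Process model list!"""` says nothing about what the parameter does or how it interacts with paging. Replace it with a docstring stating that the list may be narrowed to process models the current user is permitted to start (that is how the openapi change describes the flag), and that the narrowing happens inside `get_process_models`, before `get_batch` pages the result, so `page`/`per_page` apply to the filtered list. The rest of `process_model_list` and the whole of `task_submit`'s body lie outside the hunk.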


@ -24,9 +24,6 @@ from spiffworkflow_backend.models.user import UserModel
from spiffworkflow_backend.models.user import UserNotFoundError
from spiffworkflow_backend.models.user_group_assignment import UserGroupAssignmentModel
from spiffworkflow_backend.services.group_service import GroupService
from spiffworkflow_backend.services.process_instance_processor import (
ProcessInstanceProcessor,
)
from spiffworkflow_backend.services.user_service import UserService
@ -393,25 +390,25 @@ class AuthorizationService:
@staticmethod
def assert_user_can_complete_spiff_task(
processor: ProcessInstanceProcessor,
process_instance_id: int,
spiff_task: SpiffTask,
user: UserModel,
) -> bool:
"""Assert_user_can_complete_spiff_task."""
active_task = ActiveTaskModel.query.filter_by(
task_name=spiff_task.task_spec.name,
process_instance_id=processor.process_instance_model.id,
process_instance_id=process_instance_id,
).first()
if active_task is None:
raise ActiveTaskNotFoundError(
f"Could find an active task with task name '{spiff_task.task_spec.name}'"
f" for process instance '{processor.process_instance_model.id}'"
f" for process instance '{process_instance_id}'"
)
if user not in active_task.potential_owners:
raise UserDoesNotHaveAccessToTaskError(
f"User {user.username} does not have access to update task'{spiff_task.task_spec.name}'"
f" for process instance '{processor.process_instance_model.id}'"
f" for process instance '{process_instance_id}'"
)
return True
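Review bot: The first error message on the new side reads `Could find an active task` where "Could not find" is meant, and the second has no space before the quoted task name; since the commit already rewrites the adjacent continuation lines, fix both here: `f"Could not find an active task with task name '{spiff_task.task_spec.name}'"` and `f"User {user.username} does not have access to update task '{spiff_task.task_spec.name}'"`. The docstring `"""Assert_user_can_complete_spiff_task."""` only repeats the name; it should say that the method looks up the active task by `task_spec.name` and `process_instance_id`, raises `ActiveTaskNotFoundError` when none exists, raises `UserDoesNotHaveAccessToTaskError` when `user` is not among `potential_owners`, and otherwise returns `True`. Dropping the `ProcessInstanceProcessor` import and taking a plain `process_instance_id` presumably avoids an import cycle now that `ProcessModelService` imports this module; a one-line comment on the signature would save the next reader from re-deriving that.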


@ -197,7 +197,7 @@ class ProcessInstanceService:
a multi-instance task.
"""
AuthorizationService.assert_user_can_complete_spiff_task(
processor, spiff_task, user
processor.process_instance_model.id, spiff_task, user
)
dot_dct = ProcessInstanceService.create_dot_dict(data)


@ -18,7 +18,9 @@ from spiffworkflow_backend.models.process_group import ProcessGroupSchema
from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
from spiffworkflow_backend.models.process_model import ProcessModelInfo
from spiffworkflow_backend.models.process_model import ProcessModelInfoSchema
from spiffworkflow_backend.services.authorization_service import AuthorizationService
from spiffworkflow_backend.services.file_system_service import FileSystemService
from spiffworkflow_backend.services.user_service import UserService
T = TypeVar("T")
@ -179,7 +181,10 @@ class ProcessModelService(FileSystemService):
raise ProcessEntityNotFoundError("process_model_not_found")
def get_process_models(
self, process_group_id: Optional[str] = None, recursive: Optional[bool] = False
self,
process_group_id: Optional[str] = None,
recursive: Optional[bool] = False,
filter_runnable_by_user: Optional[bool] = False,
) -> List[ProcessModelInfo]:
"""Get process models."""
process_models = []
@ -201,6 +206,19 @@ class ProcessModelService(FileSystemService):
)
process_models.append(process_model)
process_models.sort()
if filter_runnable_by_user:
user = UserService.current_user()
new_process_model_list = []
for process_model in process_models:
uri = f"/v1.0/process-models/{process_model.id.replace('/', ':')}/process-instances"
result = AuthorizationService.user_has_permission(
user=user, permission="create", target_uri=uri
)
if result:
new_process_model_list.append(process_model)
return new_process_model_list
return process_models
def get_process_groups(
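Review bot: The new filter block in `get_process_models` hand-builds the permission target uri inline with no note that the format has to agree with the `uri:` entries in the permissions yaml, and the manual append loop plus the early `return` inside the `if` make the function exit from two places for no gain. Keep a comment above the uri naming that coupling, and collapse the loop into a comprehension that rebinds `process_models`, leaving the single `return process_models` at the end. `user_has_permission` is called once per model; if it queries the database per call, the cost grows with the number of models, which is worth a comment rather than a change here. The signature and the first part of the body (between the two hunks) are outside this hunk.
```python
        process_models.sort()
        if filter_runnable_by_user:
            user = UserService.current_user()
            # Keep only models the user may start. The target uri must match the
            # "uri:" entries in the permissions config for this to select anything.
            process_models = [
                process_model
                for process_model in process_models
                if AuthorizationService.user_has_permission(
                    user=user,
                    permission="create",
                    target_uri=f"/v1.0/process-models/{process_model.id.replace('/', ':')}/process-instances",
                )
            ]
        return process_models
```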