message-model-perm-check (#1805)

* check if user has permissions to messages before attempting call w/ burnettk * fixed variable typo w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com>
2024-06-24 15:36:07 -04:00 · 2024-06-24 15:36:07 -04:00 · 5e3831f4d6
parent 582d9325fc
commit 5e3831f4d6
4 changed files with 29 additions and 7 deletions
--- a/spiffworkflow-backend/bin/local_development_environment_setup
+++ b/spiffworkflow-backend/bin/local_development_environment_setup
@ -55,7 +55,6 @@ elif [[ "$use_local_open_id" == "true" ]]; then
  export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__uri="${backend_base_url}/openid"
  export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__client_id="spiffworkflow-backend"
  export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__client_secret="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"
-  export SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME="example.yml"

 # else  # uncomment to test multiple auths
 #   export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__identifier="keycloak_internal"
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/local_development.yml
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/local_development.yml
@ -1,14 +1,19 @@
 users:
  admin:
    service: local_open_id
-    email: admin@spiffworkflow.org
+    email: admin@example.com
    password: admin
    preferred_username: Admin
  nelson:
    service: local_open_id
-    email: nelson@spiffworkflow.org
+    email: nelson@example.com
    password: nelson
    preferred_username: Nelson
+  dan:
+    service: local_open_id
+    email: dan@example.com
+    password: dan
+    preferred_username: dan
 groups:
  admin:
    users: [admin@spiffworkflow.org, nelson@spiffworkflow.org]
--- a/spiffworkflow-frontend/src/hooks/UriListForPermissions.tsx
+++ b/spiffworkflow-frontend/src/hooks/UriListForPermissions.tsx
@ -8,6 +8,7 @@ export const useUriListForPermissions = () => {
      authenticationListPath: `/v1.0/authentications`,
      statusPath: `/v1.0/status`,
      messageInstanceListPath: '/v1.0/messages',
+      messageModelListPath: `/v1.0/message-models/${params.process_model_id}`,
      dataStoreListPath: '/v1.0/data-stores',
      extensionListPath: '/v1.0/extensions',
      extensionPath: `/v1.0/extensions/${params.page_identifier}`,
--- a/spiffworkflow-frontend/src/routes/ProcessModelEditDiagram.tsx
+++ b/spiffworkflow-frontend/src/routes/ProcessModelEditDiagram.tsx
@ -47,6 +47,7 @@ import {
 import {
  CarbonComboBoxProcessSelection,
  CorrelationProperties,
+  PermissionsToCheck,
  ProcessFile,
  ProcessModel,
  ProcessReference,
@ -59,6 +60,8 @@ import useScriptAssistEnabled from '../hooks/useScriptAssistEnabled';
 import useProcessScriptAssistMessage from '../hooks/useProcessScriptAssistQuery';
 import SpiffTooltip from '../components/SpiffTooltip';
 import { MessageEditor } from '../components/messages/MessageEditor';
+import { useUriListForPermissions } from '../hooks/UriListForPermissions';
+import { usePermissionFetcher } from '../hooks/PermissionService';

 export default function ProcessModelEditDiagram() {
  const [showFileNameEditor, setShowFileNameEditor] = useState(false);
@ -115,6 +118,12 @@ export default function ProcessModelEditDiagram() {
  const { setScriptAssistQuery, scriptAssistLoading, scriptAssistResult } =
    useProcessScriptAssistMessage();

+  const { targetUris } = useUriListForPermissions();
+  const permissionRequestData: PermissionsToCheck = {
+    [targetUris.messageModelListPath]: ['GET'],
+  };
+  const { ability } = usePermissionFetcher(permissionRequestData);
+
  function handleEditorDidMount(editor: any, monaco: any) {
    // here is the editor instance
    // you can store it in `useRef` for further usage
@ -455,10 +464,18 @@ export default function ProcessModelEditDiagram() {
    };
  };
  const onMessagesRequested = (event: any) => {
-    HttpService.makeCallToBackend({
-      path: `/message-models/${modifiedProcessModelId}`,
-      successCallback: makeMessagesRequestedHandler(event),
-    });
+    // it is perfectly reasonable to access the edit diagram page in read only mode when you actually don't have access to edit.
+    // this is awkward in terms of functionality like this, where we are fetching the relevant list of messages to show in the
+    // properties panel. since message_model_list is a different permission, you may not have access to it even though you have
+    // access to the read the process model. we also considered automatically giving you access to read message_model_list
+    // when you have read access to the process model, but this seemed easier and more in line with the current backend permission system,
+    // where we normally only pork barrel permissions on top of "start" and "all."
+    if (ability.can('GET', targetUris.messageModelListPath)) {
+      HttpService.makeCallToBackend({
+        path: targetUris.messageModelListPath,
+        successCallback: makeMessagesRequestedHandler(event),
+      });
+    }
  };

  useEffect(() => {