From 4d1c729620b628406597de35065e09465a64f258 Mon Sep 17 00:00:00 2001
From: Pablo Martinez Garcia
Date: Wed, 8 Jun 2022 15:42:41 +0200
Subject: [PATCH] [AAE-8155] Check if it is content admin only when content provider is available (#7667)
---
 .../auth-guard-sso-role.service.spec.ts | 33 ++++++++++++++++++-
 .../services/auth-guard-sso-role.service.ts | 17 ++++++++-
 2 files changed, 46 insertions(+), 4 deletions(-)
diff --git a/lib/core/services/auth-guard-sso-role.service.spec.ts b/lib/core/services/auth-guard-sso-role.service.spec.ts
index 74f42ecde2..e02cef7b2f 100644
--- a/lib/core/services/auth-guard-sso-role.service.spec.ts
+++ b/lib/core/services/auth-guard-sso-role.service.spec.ts
@@ -27,6 +27,7 @@ import { PeopleContentService } from './people-content.service';
 import { of } from 'rxjs';
 import { getFakeUserWithContentAdminCapability, getFakeUserWithContentUserCapability } from '../mock/ecm-user.service.mock';
 import { UserAccessService } from './user-access.service';
+import { AppConfigService } from '../app-config/app-config.service';
 describe('Auth Guard SSO role service', () => {
@@ -35,6 +36,7 @@ describe('Auth Guard SSO role service', () => {
     let routerService: Router;
     let peopleContentService: PeopleContentService;
     let userAccessService: UserAccessService;
+    let appConfig: AppConfigService;
     setupTestBed({
         imports: [
@@ -44,6 +46,8 @@ describe('Auth Guard SSO role service', () => {
     });
     beforeEach(() => {
+        appConfig = TestBed.inject(AppConfigService);
+        appConfig.config.provider = 'ECM';
         localStorage.clear();
         authGuard = TestBed.inject(AuthGuardSsoRoleService);
         jwtHelperService = TestBed.inject(JwtHelperService);
@@ -183,7 +187,7 @@ describe('Auth Guard SSO role service', () => {
     describe('Content Admin', () => {
         afterEach(() => {
-            peopleContentService.hasCheckedIsContentAdmin = false;
+            peopleContentService.hasCheckedIsContentAdmin = false;
         });
         it('Should give access to a content section (ALFRESCO_ADMINISTRATORS) when the user has content admin capability', async () => {
@@ -214,6 +218,33 @@ describe('Auth Guard SSO role service', () => {
             expect(getCurrentPersonSpy).not.toHaveBeenCalled();
         });
+
+        it('Should not retrieve the user when the provider is BPM', async () => {
+            spyUserAccess([], {});
+            spyOn(peopleContentService, 'getCurrentPerson');
+            appConfig.config.provider = 'BPM';
+
+            const router: ActivatedRouteSnapshot = new ActivatedRouteSnapshot();
+            router.data = { roles: ['ALFRESCO_ADMINISTRATORS'] };
+
+            const result = await authGuard.canActivate(router);
+
+            expect(result).toBeFalsy();
+            expect(peopleContentService.getCurrentPerson).not.toHaveBeenCalled();
+        });
+
+        it('Should not fail when the people service throws an error', async () => {
+            spyUserAccess([], {});
+            spyOn(peopleContentService, 'getCurrentPerson').and.throwError('404 Not found');
+
+            const router: ActivatedRouteSnapshot = new ActivatedRouteSnapshot();
+            router.data = { roles: ['ALFRESCO_ADMINISTRATORS'] };
+
+            const result = await authGuard.canActivate(router);
+
+            expect(result).toBeFalsy();
+            expect(peopleContentService.getCurrentPerson).toHaveBeenCalled();
+        });
     });
     describe('Excluded Roles', () => {
diff --git a/lib/core/services/auth-guard-sso-role.service.ts b/lib/core/services/auth-guard-sso-role.service.ts
index c2669404f3..49bc01151c 100644
--- a/lib/core/services/auth-guard-sso-role.service.ts
+++ b/lib/core/services/auth-guard-sso-role.service.ts
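Review bot: The new BPM test asserts `expect(result).toBeFalsy()`, which also passes if `canActivate` resolved to `undefined` or `null`; the guard's contract is a boolean deny, so `expect(result).toBe(false);` pins the decision, and the same applies to the error-path test below it. Neither new test exercises the `'ALL'` provider value, which `checkContentAdministratorRole` in the service treats exactly like `'ECM'`, so a third case that sets `appConfig.config.provider = 'ALL'` and expects `getCurrentPerson` to have been called would cover that branch. The error-path test proves only that the rejection does not propagate; it cannot distinguish a swallowed backend failure from a genuine non-admin, which is worth keeping in mind if the guard later gains logging on that path.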
@@ -20,6 +20,7 @@ import { ActivatedRouteSnapshot, CanActivate, Router } from '@angular/router';
 import { MatDialog } from '@angular/material/dialog';
 import { ContentGroups, PeopleContentService } from './people-content.service';
 import { UserAccessService } from './user-access.service';
+import { AppConfigService } from '../app-config/app-config.service';
 @Injectable({
     providedIn: 'root'
@@ -28,7 +29,8 @@ export class AuthGuardSsoRoleService implements CanActivate {
     constructor(private userAccessService: UserAccessService,
                 private router: Router,
                 private dialog: MatDialog,
-                private peopleContentService: PeopleContentService) {
+                private peopleContentService: PeopleContentService,
+                private appConfig: AppConfigService) {
     }
     async canActivate(route: ActivatedRouteSnapshot): Promise {
@@ -43,8 +45,11 @@ export class AuthGuardSsoRoleService implements CanActivate {
                 hasRealmRole = true;
             } else {
                 const excludedRoles = route.data['excludedRoles'] || [];
-                const isContentAdmin = rolesToCheck.includes(ContentGroups.ALFRESCO_ADMINISTRATORS) || excludedRoles.includes(ContentGroups.ALFRESCO_ADMINISTRATORS) ? await this.peopleContentService.isContentAdmin() : false;
-                hasRealmRole = excludedRoles.length ? this.checkAccessWithExcludedRoles(rolesToCheck, excludedRoles, isContentAdmin) : this.hasRoles(rolesToCheck, isContentAdmin);
+                let isContentAdmin = false;
+                if (this.checkContentAdministratorRole(rolesToCheck, excludedRoles)) {
+                    isContentAdmin = await this.peopleContentService.isContentAdmin().catch(() => false);
+                }
+                hasRealmRole = excludedRoles.length ? this.checkAccessWithExcludedRoles(rolesToCheck, excludedRoles, isContentAdmin) : this.hasRoles(rolesToCheck, isContentAdmin);
             }
         }
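Review bot: The `.catch(() => false)` appended to the `isContentAdmin()` call makes the guard fail closed on any rejection, which is the right default, but it discards the error entirely, so a people-service outage, a 404 for the current user and a genuine non-admin all look identical to operators and to anyone debugging an unexpectedly denied route. Consider keeping the false result but recording the failure first, e.g. `.catch((error: unknown) => { /* report via whatever logging this service uses */ return false; })`, so that denials caused by backend faults stay diagnosable. `isContentAdmin` also stays `false` whenever `checkContentAdministratorRole` returns false; a comment on the `let` such as `// no content provider configured, or admin group not requested: treat the user as non-admin without calling the people service` would state that intent where the value is used rather than only in the helper. The body of `canActivate` starts before this hunk and continues past it, so the final use of `hasRealmRole` is not visible here.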
@@ -68,6 +73,12 @@ export class AuthGuardSsoRoleService implements CanActivate {
         return hasRole;
     }
+    private checkContentAdministratorRole(rolesToCheck: string[], excludedRoles: string[]): boolean {
+        const hasContentProvider = this.appConfig.config.provider === 'ECM' || this.appConfig.config.provider === 'ALL';
+        const checkAdminRole = rolesToCheck.includes(ContentGroups.ALFRESCO_ADMINISTRATORS) || excludedRoles.includes(ContentGroups.ALFRESCO_ADMINISTRATORS);
+        return hasContentProvider && checkAdminRole;
+    }
+
     private checkAccessWithExcludedRoles(rolesToCheck: string[], excludedRoles: string[], isContentAdmin: boolean): boolean {
         return this.hasRoles(rolesToCheck, isContentAdmin) && !this.hasRoles(excludedRoles, isContentAdmin);
     }
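Review bot: `checkContentAdministratorRole` reads as if it answered whether the user is a content administrator, but it only decides whether the people-service lookup should run at all, so a future caller could easily treat its boolean as "is admin". A rename such as `shouldCheckContentAdminRole`, or a TSDoc header like `/** Whether the ALFRESCO_ADMINISTRATORS lookup is needed: true only when a content provider ('ECM' or 'ALL') is configured and that group appears in the required or excluded roles. */`, would remove the ambiguity. That comment should also spell out the consequence: when this returns false the caller fixes `isContentAdmin` to `false`, which correctly denies routes that require the admin group on a BPM-only deployment, and presumably also means a route that merely lists `ALFRESCO_ADMINISTRATORS` under `excludedRoles` excludes nobody there — whether that holds depends on `hasRoles`, whose body lies outside this hunk. If `config.provider` can be unset, the strict equality leaves `hasContentProvider` false and the lookup is skipped, which is the safe direction, but a short note that an undefined provider is treated as "no content provider" would save the next reader a check.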