[AAE-8155] Check if it is content admin only when content provider is available (#7667)

lib/core/services/auth-guard-sso-role.service.spec.ts

@@ -27,6 +27,7 @@ import { PeopleContentService } from './people-content.service';
 import { of } from 'rxjs';
 import { getFakeUserWithContentAdminCapability, getFakeUserWithContentUserCapability } from '../mock/ecm-user.service.mock';
 import { UserAccessService } from './user-access.service';
+import { AppConfigService } from '../app-config/app-config.service';
 
 describe('Auth Guard SSO role service', () => {
 
@@ -35,6 +36,7 @@ describe('Auth Guard SSO role service', () => {
     let routerService: Router;
     let peopleContentService: PeopleContentService;
     let userAccessService: UserAccessService;
+    let appConfig: AppConfigService;
 
     setupTestBed({
         imports: [
@@ -44,6 +46,8 @@ describe('Auth Guard SSO role service', () => {
     });
 
     beforeEach(() => {
+        appConfig = TestBed.inject(AppConfigService);
+        appConfig.config.provider = 'ECM';
         localStorage.clear();
         authGuard = TestBed.inject(AuthGuardSsoRoleService);
         jwtHelperService = TestBed.inject(JwtHelperService);
@@ -183,7 +187,7 @@ describe('Auth Guard SSO role service', () => {
     describe('Content Admin', () => {
 
         afterEach(() => {
-           peopleContentService.hasCheckedIsContentAdmin = false;
+            peopleContentService.hasCheckedIsContentAdmin = false;
         });
 
         it('Should give access to a content section (ALFRESCO_ADMINISTRATORS) when the user has content admin capability', async () => {
@@ -214,6 +218,33 @@ describe('Auth Guard SSO role service', () => {
 
             expect(getCurrentPersonSpy).not.toHaveBeenCalled();
         });
+
+        it('Should not retrieve the user when the provider is BPM', async () => {
+            spyUserAccess([], {});
+            spyOn(peopleContentService, 'getCurrentPerson');
+            appConfig.config.provider = 'BPM';
+
+            const router: ActivatedRouteSnapshot = new ActivatedRouteSnapshot();
+            router.data = { roles: ['ALFRESCO_ADMINISTRATORS'] };
+
+            const result = await authGuard.canActivate(router);
+
+            expect(result).toBeFalsy();
+            expect(peopleContentService.getCurrentPerson).not.toHaveBeenCalled();
+        });
+
+        it('Should not fail when the people service throws an error', async () => {
+            spyUserAccess([], {});
+            spyOn(peopleContentService, 'getCurrentPerson').and.throwError('404 Not found');
+
+            const router: ActivatedRouteSnapshot = new ActivatedRouteSnapshot();
+            router.data = { roles: ['ALFRESCO_ADMINISTRATORS'] };
+
+            const result = await authGuard.canActivate(router);
+
+            expect(result).toBeFalsy();
+            expect(peopleContentService.getCurrentPerson).toHaveBeenCalled();
+        });
     });
 
     describe('Excluded Roles', () => {

lib/core/services/auth-guard-sso-role.service.ts

@@ -20,6 +20,7 @@ import { ActivatedRouteSnapshot, CanActivate, Router } from '@angular/router';
 import { MatDialog } from '@angular/material/dialog';
 import { ContentGroups, PeopleContentService } from './people-content.service';
 import { UserAccessService } from './user-access.service';
+import { AppConfigService } from '../app-config/app-config.service';
 
 @Injectable({
     providedIn: 'root'
@@ -28,7 +29,8 @@ export class AuthGuardSsoRoleService implements CanActivate {
     constructor(private userAccessService: UserAccessService,
                 private router: Router,
                 private dialog: MatDialog,
-                private peopleContentService: PeopleContentService) {
+                private peopleContentService: PeopleContentService,
+                private appConfig: AppConfigService) {
     }
 
     async canActivate(route: ActivatedRouteSnapshot): Promise<boolean> {
@@ -43,8 +45,11 @@ export class AuthGuardSsoRoleService implements CanActivate {
                     hasRealmRole = true;
                 } else {
                     const excludedRoles = route.data['excludedRoles'] || [];
-                    const isContentAdmin = rolesToCheck.includes(ContentGroups.ALFRESCO_ADMINISTRATORS) || excludedRoles.includes(ContentGroups.ALFRESCO_ADMINISTRATORS) ? await this.peopleContentService.isContentAdmin() : false;
+                    let isContentAdmin = false;
-                    hasRealmRole = excludedRoles.length ?  this.checkAccessWithExcludedRoles(rolesToCheck, excludedRoles, isContentAdmin) : this.hasRoles(rolesToCheck, isContentAdmin);
+                    if (this.checkContentAdministratorRole(rolesToCheck, excludedRoles)) {
+                        isContentAdmin = await this.peopleContentService.isContentAdmin().catch(() => false);
+                    }
+                    hasRealmRole = excludedRoles.length ? this.checkAccessWithExcludedRoles(rolesToCheck, excludedRoles, isContentAdmin) : this.hasRoles(rolesToCheck, isContentAdmin);
                 }
             }
 
@@ -68,6 +73,12 @@ export class AuthGuardSsoRoleService implements CanActivate {
         return hasRole;
     }
 
+    private checkContentAdministratorRole(rolesToCheck: string[], excludedRoles: string[]): boolean {
+        const hasContentProvider = this.appConfig.config.provider === 'ECM' || this.appConfig.config.provider === 'ALL';
+        const checkAdminRole = rolesToCheck.includes(ContentGroups.ALFRESCO_ADMINISTRATORS) || excludedRoles.includes(ContentGroups.ALFRESCO_ADMINISTRATORS);
+        return hasContentProvider && checkAdminRole;
+    }
+
     private checkAccessWithExcludedRoles(rolesToCheck: string[], excludedRoles: string[], isContentAdmin: boolean): boolean {
         return this.hasRoles(rolesToCheck, isContentAdmin) && !this.hasRoles(excludedRoles, isContentAdmin);
     }