[AAE-8155] Check if it is content admin only when content provider is available (#7667)

2025-07-24 17:32:15 +00:00 · 2022-06-08 15:42:41 +02:00
parent 55b68373fc
commit 4d1c729620
2 changed files with 46 additions and 4 deletions
--- a/lib/core/services/auth-guard-sso-role.service.spec.ts
+++ b/lib/core/services/auth-guard-sso-role.service.spec.ts
@@ -27,6 +27,7 @@ import { PeopleContentService } from './people-content.service';
 import { of } from 'rxjs';
 import { getFakeUserWithContentAdminCapability, getFakeUserWithContentUserCapability } from '../mock/ecm-user.service.mock';
 import { UserAccessService } from './user-access.service';
+import { AppConfigService } from '../app-config/app-config.service';

 describe('Auth Guard SSO role service', () => {

@@ -35,6 +36,7 @@ describe('Auth Guard SSO role service', () => {
    let routerService: Router;
    let peopleContentService: PeopleContentService;
    let userAccessService: UserAccessService;
+    let appConfig: AppConfigService;

    setupTestBed({
        imports: [
@@ -44,6 +46,8 @@ describe('Auth Guard SSO role service', () => {
    });

    beforeEach(() => {
+        appConfig = TestBed.inject(AppConfigService);
+        appConfig.config.provider = 'ECM';
        localStorage.clear();
        authGuard = TestBed.inject(AuthGuardSsoRoleService);
        jwtHelperService = TestBed.inject(JwtHelperService);
@@ -214,6 +218,33 @@ describe('Auth Guard SSO role service', () => {

            expect(getCurrentPersonSpy).not.toHaveBeenCalled();
        });
+
+        it('Should not retrieve the user when the provider is BPM', async () => {
+            spyUserAccess([], {});
+            spyOn(peopleContentService, 'getCurrentPerson');
+            appConfig.config.provider = 'BPM';
+
+            const router: ActivatedRouteSnapshot = new ActivatedRouteSnapshot();
+            router.data = { roles: ['ALFRESCO_ADMINISTRATORS'] };
+
+            const result = await authGuard.canActivate(router);
+
+            expect(result).toBeFalsy();
+            expect(peopleContentService.getCurrentPerson).not.toHaveBeenCalled();
+        });
+
+        it('Should not fail when the people service throws an error', async () => {
+            spyUserAccess([], {});
+            spyOn(peopleContentService, 'getCurrentPerson').and.throwError('404 Not found');
+
+            const router: ActivatedRouteSnapshot = new ActivatedRouteSnapshot();
+            router.data = { roles: ['ALFRESCO_ADMINISTRATORS'] };
+
+            const result = await authGuard.canActivate(router);
+
+            expect(result).toBeFalsy();
+            expect(peopleContentService.getCurrentPerson).toHaveBeenCalled();
+        });
    });

    describe('Excluded Roles', () => {
--- a/lib/core/services/auth-guard-sso-role.service.ts
+++ b/lib/core/services/auth-guard-sso-role.service.ts
@@ -20,6 +20,7 @@ import { ActivatedRouteSnapshot, CanActivate, Router } from '@angular/router';
 import { MatDialog } from '@angular/material/dialog';
 import { ContentGroups, PeopleContentService } from './people-content.service';
 import { UserAccessService } from './user-access.service';
+import { AppConfigService } from '../app-config/app-config.service';

@Injectable({
    providedIn: 'root'
@@ -28,7 +29,8 @@ export class AuthGuardSsoRoleService implements CanActivate {
    constructor(private userAccessService: UserAccessService,
                private router: Router,
                private dialog: MatDialog,
-                private peopleContentService: PeopleContentService) {
+                private peopleContentService: PeopleContentService,
+                private appConfig: AppConfigService) {
    }

    async canActivate(route: ActivatedRouteSnapshot): Promise<boolean> {
@@ -43,7 +45,10 @@ export class AuthGuardSsoRoleService implements CanActivate {
                    hasRealmRole = true;
                } else {
                    const excludedRoles = route.data['excludedRoles'] || [];
-                    const isContentAdmin = rolesToCheck.includes(ContentGroups.ALFRESCO_ADMINISTRATORS) || excludedRoles.includes(ContentGroups.ALFRESCO_ADMINISTRATORS) ? await this.peopleContentService.isContentAdmin() : false;
+                    let isContentAdmin = false;
+                    if (this.checkContentAdministratorRole(rolesToCheck, excludedRoles)) {
+                        isContentAdmin = await this.peopleContentService.isContentAdmin().catch(() => false);
+                    }
                    hasRealmRole = excludedRoles.length ? this.checkAccessWithExcludedRoles(rolesToCheck, excludedRoles, isContentAdmin) : this.hasRoles(rolesToCheck, isContentAdmin);
                }
            }
@@ -68,6 +73,12 @@ export class AuthGuardSsoRoleService implements CanActivate {
        return hasRole;
    }

+    private checkContentAdministratorRole(rolesToCheck: string[], excludedRoles: string[]): boolean {
+        const hasContentProvider = this.appConfig.config.provider === 'ECM' || this.appConfig.config.provider === 'ALL';
+        const checkAdminRole = rolesToCheck.includes(ContentGroups.ALFRESCO_ADMINISTRATORS) || excludedRoles.includes(ContentGroups.ALFRESCO_ADMINISTRATORS);
+        return hasContentProvider && checkAdminRole;
+    }
+
    private checkAccessWithExcludedRoles(rolesToCheck: string[], excludedRoles: string[], isContentAdmin: boolean): boolean {
        return this.hasRoles(rolesToCheck, isContentAdmin) && !this.hasRoles(excludedRoles, isContentAdmin);
    }