Merge pull request #11801 from IQSS/11796-list-dataset-templates

Fix permissions on ListDataverseTemplatesCommand

Author: ofahimIQSS

doc/release-notes/11796-fix-list-dataverse-templates-api-permissions.md

@@ -0,0 +1,10 @@
+### Fixed: Permissions for `/{identifier}/templates` endpoint
+
+The `/{identifier}/templates` endpoint previously required **`editDataverse`** permissions to retrieve the list of dataverse templates.
+
+This has been corrected: the endpoint now requires **`addDataset`** permissions instead.
+
+**Impact:**
+- The endpoint now works in scenarios such as the **Create Dataset form** in the SPA UI, without needing unnecessary elevated permissions.  
+
+Related issues: #11796

src/main/java/edu/harvard/iq/dataverse/engine/command/impl/ListDataverseTemplatesCommand.java

@@ -14,7 +14,7 @@
 /**
  * Lists the templates {@link Template} of a {@link Dataverse}.
  */
-@RequiredPermissions(Permission.EditDataverse)
+@RequiredPermissions(Permission.AddDataset)
 public class ListDataverseTemplatesCommand extends AbstractCommand<List<Template>> {
 
     private final Dataverse dataverse;

src/test/java/edu/harvard/iq/dataverse/api/DataversesIT.java

@@ -1,5 +1,6 @@
 package edu.harvard.iq.dataverse.api;
 
+import edu.harvard.iq.dataverse.authorization.DataverseRole;
 import edu.harvard.iq.dataverse.dataaccess.DataAccess;
 import edu.harvard.iq.dataverse.util.json.JsonParseException;
 import edu.harvard.iq.dataverse.util.json.JsonParser;
@@ -2596,9 +2597,12 @@ public void testUpdateInputLevelDisplayOnCreateOverride() {
     public void testCreateAndGetTemplates() throws JsonParseException  {
         Response createUserResponse = UtilIT.createRandomUser();
         String apiToken = UtilIT.getApiTokenFromResponse(createUserResponse);
+        String username = UtilIT.getUsernameFromResponse(createUserResponse);
 
         Response createSecondUserResponse = UtilIT.createRandomUser();
         String secondApiToken = UtilIT.getApiTokenFromResponse(createSecondUserResponse);
+        String secondUsername = UtilIT.getUsernameFromResponse(createSecondUserResponse);
+
 
         /*
         We need to make this a non-inherited metadatablocks so the get template will only get templates from current dv
@@ -2699,9 +2703,19 @@ public void testCreateAndGetTemplates() throws JsonParseException  {
                 .body("data[0].instructions[0].instructionText", equalTo("The author data"))
                 .body("data[0].dataverseAlias", equalTo(dataverseAlias));
 
-        // Templates retrieval should fail if the user lacks dataverse edit permissions
+        // Templates retrieval should fail if a secondary user lacks dataset creation permissions
+
         getTemplateResponse = UtilIT.getTemplates(dataverseAlias, secondApiToken);
         getTemplateResponse.then().assertThat().statusCode(UNAUTHORIZED.getStatusCode());
+
+        // Templates retrieval should succeed if the secondary user has dataset creation permissions
+
+        UtilIT.setSuperuserStatus(username, true);
+        Response grantRoleResponse = UtilIT.grantRoleOnDataverse(dataverseAlias, DataverseRole.DS_CONTRIBUTOR, "@" + secondUsername, apiToken);
+        grantRoleResponse.then().assertThat().statusCode(OK.getStatusCode());
+
+        getTemplateResponse = UtilIT.getTemplates(dataverseAlias, secondApiToken);
+        getTemplateResponse.then().assertThat().statusCode(OK.getStatusCode());
     }
 
     @Test