WIP for user permissions

oharsta · oharsta · commit 5f7d45872147 · 2025-12-09T15:24:37.000+01:00
diff --git a/client/src/connection/Testing.jsx b/client/src/connection/Testing.jsx
@@ -789,8 +789,10 @@ export const Testing = ({
                     {iDps.map((idp, index) =>
                         <div key={index} className="idp">
                             <Checkbox name={idp.name}
+                                      readOnly={true}
                                       value={allowedEntities.includes(idp.entityid)}
-                                      onChange={e => changeAllowedTestEntity(idp, e)}/>
+                                      //onChange={e => changeAllowedTestEntity(idp, e)}
+                                 />
                             <div className="idp-info">
                                 <p dangerouslySetInnerHTML={{__html: idp.name}}/>
                                 <p dangerouslySetInnerHTML={{__html: idp[`description${I18n.locale.toUpperCase()}`]}}/>
diff --git a/client/src/locale/en.js b/client/src/locale/en.js
@@ -460,7 +460,7 @@ const en = {
             value: "Value"
         },
         testIdPs: {
-            info: "Kies met welke IdP’s je wilt testen of het federatief inloggen werkt.",
+            info: "Met de volgende IdP’s kan je testen of het federatief inloggen werkt.",
             subTitle: "Test-IdP’s van SURF",
             institutionIdPs: "Test-IdP’s van instellingen",
             institutionIdPsInfo: "Je kunt ook testen met accounts en data van instellingen. <strong>Let wel op<strong/>: Je moet zelf contact opnemen voor de test-inloggegevens voor hun test-IdP’s.",
diff --git a/client/src/pages/InvitationForm.jsx b/client/src/pages/InvitationForm.jsx
@@ -10,7 +10,7 @@ import {isEmpty} from "../utils/Utils";
 import ErrorIndicator from "../components/ErrorIndicator";
 import SelectField from "../components/SelectField";
 import EmailField from "../components/EmailField";
-import {allAuthorities, authorities, currentUserMembershipAuthority} from "../utils/Permissions.js";
+import {allAuthorities, authorities, authorityWeights, currentUserMembershipAuthority} from "../utils/Permissions.js";
 import {TabHeader} from "../components/TabHeader.jsx";
 import {mainMenuItems} from "../utils/MenuItems.js";
 
@@ -44,7 +44,7 @@ export const InvitationForm = () => {
                 useAppStore.setState({
                     breadcrumbPaths: [
                         {path: "/home", value: I18n.t("breadCrumb.access"), menuItemName: mainMenuItems.home},
-                        {path: `/organization/${organizationId}`, value: res.name, menuItemName: mainMenuItems.yourApps},
+                        {path: `/users/${organizationId}/team`, value: I18n.t("navigation.users"), menuItemName: mainMenuItems.users},
                         {value: I18n.t("breadCrumb.invitations")}
                     ]
                 });
@@ -126,7 +126,7 @@ export const InvitationForm = () => {
                 {(!initial && isEmpty(invitation.invites)) &&
                     <ErrorIndicator msg={I18n.t("invitation.requiredEmail")}/>}
 
-                {authorityOptions.length > 1 &&
+                {authorityOptions.length > 0 &&
                     <SelectField
                         value={authorityOptions.find(option => option.value === invitation.intendedAuthority)
                             || authorityOptions[authorityOptions.length - 1]}
@@ -182,8 +182,9 @@ export const InvitationForm = () => {
     const renderForm = () => {
         const disabledSubmit = !initial && !isValid();
         const authorityOptions = allAuthorities
-            .filter(authority => currentUserAuthority === authorities.ADMIN || authority !== authorities.ADMIN)
-            .map(authority => ({value: authority, label: I18n.t(`roles.${authority.toLowerCase()}`)}))
+            .filter(authority => currentUserAuthority === authorities.ADMIN ||
+                authorityWeights[currentUserAuthority] > authorityWeights[authority])
+            .map(authority => ({value: authority, label: I18n.t(`roles.${authority.toLowerCase()}`)}));
         return (
             <>
                 {renderFormElements(authorityOptions)}
diff --git a/client/src/pages/Organizations.jsx b/client/src/pages/Organizations.jsx
@@ -227,7 +227,7 @@ export const Organizations = ({pendingApproval, tab}) => {
                          tip={I18n.t("tooltips.organizationsIcon",
                              {
                                  name: org.name,
-                                 createdAt: dateFromEpoch(org.created_at, false),
+                                 createdAt: dateFromEpoch(org.created_at || org.createdAt, false),
                                  status: I18n.t(`organizations.${org.status.toLowerCase()}`)
                              })}/>
             </div>
diff --git a/client/src/utils/MenuItems.js b/client/src/utils/MenuItems.js
@@ -9,6 +9,7 @@ import ConnectedIcon from "@surfnet/sds/icons/illustrative-icons/connected.svg";
 import TeamIcon from "@surfnet/sds/icons/illustrative-icons/team.svg";
 import HeadPhonesIcon from "@surfnet/sds/icons/illustrative-icons/headphones.svg";
 import FeedbackIcon from "@surfnet/sds/icons/illustrative-icons/feedback.svg";
+import {authorities} from "./Permissions.js";
 
 export const mainMenuItems = {
     home: "home",
@@ -24,16 +25,22 @@ export const mainMenuItems = {
 }
 
 export const menuItemsForUser = user => {
-    const hasOrganizationMemberships = !isEmpty(user.organizationMemberships);
-    const newMenuItems = [mainMenuItems.home, mainMenuItems.catalogue];
-    if (hasOrganizationMemberships) {
-        newMenuItems.push(mainMenuItems.yourApps, mainMenuItems.users, mainMenuItems.idp);
+    //Every user has access to the help menu items
+    const newMenuItems = [mainMenuItems.home, mainMenuItems.catalogue, mainMenuItems.serviceDesk, mainMenuItems.feedback];
+    const noOrganizationMemberships = isEmpty(user.organizationMemberships);
+    if (noOrganizationMemberships) {
+        return newMenuItems;
+    }
+    //Guest with no application membership
+    newMenuItems.push(mainMenuItems.idp);
+    const emptyGuests = user.organizationMemberships.every(m => m.autority === authorities.GUEST && isEmpty(m.applicationMemberships));
+    if (emptyGuests) {
+        return newMenuItems;
     }
+    newMenuItems.push(mainMenuItems.yourApps, mainMenuItems.users, mainMenuItems.accessibleApps, );
     if (!user.externalUser) {
-        newMenuItems.push(mainMenuItems.accessibleApps, mainMenuItems.invite, mainMenuItems.sram);
+        newMenuItems.push(mainMenuItems.invite, mainMenuItems.sram);
     }
-    //Every user has access to the help menu items
-    newMenuItems.push(mainMenuItems.serviceDesk, mainMenuItems.feedback);
     return newMenuItems;
 }
 
diff --git a/client/src/utils/Permissions.js b/client/src/utils/Permissions.js
@@ -7,6 +7,28 @@ export const authorities = {
     GUEST: "GUEST"
 }
 
+export const authorityWeights = {
+    [authorities.SUPER_USER]: 4,
+    [authorities.ADMIN]: 3,
+    [authorities.MEMBER]: 2,
+    [authorities.GUEST]: 1
+}
+
+export const isAllowed = (user, requiredAuthority) => {
+    if (user.superUser) {
+        return true;
+    }
+    if (isEmpty(user.organizationMemberships)) {
+        return false;
+    }
+    const mostImportantAuthority = user.organizationMemberships.reduce((max, membership) => {
+        return authorityWeights[membership.authority] > authorityWeights[max.authority]
+            ? membership : max;
+    }, {authority: authorities.GUEST})
+    return mostImportantAuthority.authority >= authorityWeights[requiredAuthority]
+}
+
+
 export const allAuthorities = [authorities.GUEST, authorities.MEMBER, authorities.ADMIN];
 
 export const getOrganizationMembership = (currentUser, organization, authority) => {
diff --git a/server/src/main/java/access/api/ApplicationController.java b/server/src/main/java/access/api/ApplicationController.java
@@ -127,6 +127,7 @@ public ResponseEntity<Application> create(User user, @Validated @RequestBody App
         confirmOrganizationMembership(user, organization, Authority.MEMBER);
         application.setCreatedAt(Instant.now());
         application.setCreatedBy(user.getName());
+        application.setOwner(user);
         Application applicationSaved = applicationRepository.save(application);
 
         Optional<OrganizationMembership> optionalOrganizationMembership = user.getOrganizationMemberships().stream()
diff --git a/server/src/main/java/access/api/InvitationController.java b/server/src/main/java/access/api/InvitationController.java
@@ -8,6 +8,7 @@
 import access.repository.ApplicationRepository;
 import access.repository.InvitationRepository;
 import access.repository.OrganizationRepository;
+import access.repository.UserRepository;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -22,6 +23,7 @@
 import java.time.temporal.ChronoUnit;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
 
@@ -42,15 +44,17 @@ public class InvitationController implements UserAccessRights {
     private final OrganizationRepository organizationRepository;
     private final ApplicationRepository applicationRepository;
     private final MailBox mailBox;
+    private final UserRepository userRepository;
 
     public InvitationController(InvitationRepository invitationRepository,
                                 OrganizationRepository organizationRepository,
                                 ApplicationRepository applicationRepository,
-                                MailBox mailBox) {
+                                MailBox mailBox, UserRepository userRepository) {
         this.invitationRepository = invitationRepository;
         this.organizationRepository = organizationRepository;
         this.applicationRepository = applicationRepository;
         this.mailBox = mailBox;
+        this.userRepository = userRepository;
     }
 
     @GetMapping({"/all/{organizationId}"})
@@ -117,18 +121,23 @@ public ResponseEntity<Map<String, Integer>> accept(User user, @Validated @Reques
                 .orElseThrow(() -> new NotFoundException("Invitation not found"));
         invitation.accept();
 
+        user = reinitializeUser(user, userRepository);
         invitationRepository.save(invitation);
-        //Now create organization_membership and - if any - applicationMemberships
         Organization organization = invitation.getOrganization();
-        OrganizationMembership organizationMembership = new OrganizationMembership(user, organization, invitation.getIntendedAuthority());
-
-
-        List<ApplicationMembership> applicationMemberships = invitation.getApplications().stream()
-                .map(application -> new ApplicationMembership(application, organizationMembership, Authority.ADMIN))
-                .toList();
-        applicationMemberships.forEach(applicationMembership -> organizationMembership.addApplicationMembership(applicationMembership));
+        //Internal users are already provisioned in their organization
+        Optional<OrganizationMembership> organizationMembershipOptional = user.getOrganizationMemberships().stream()
+                .filter(organizationMembership -> organizationMembership.getOrganization().getId().equals(organization.getId()))
+                .findFirst();
+        if (organizationMembershipOptional.isEmpty()) {
+            //Now create organization_membership and - if any - applicationMemberships
+            OrganizationMembership organizationMembership = new OrganizationMembership(user, organization, invitation.getIntendedAuthority());
+            List<ApplicationMembership> applicationMemberships = invitation.getApplications().stream()
+                    .map(application -> new ApplicationMembership(application, organizationMembership, Authority.ADMIN))
+                    .toList();
+            applicationMemberships.forEach(organizationMembership::addApplicationMembership);
+            organization.addOrganizationMembership(organizationMembership);
+        }
 
-        organization.addOrganizationMembership(organizationMembership);
         organizationRepository.save(organization);
 
         return createResult();
diff --git a/server/src/main/java/access/api/OrganizationController.java b/server/src/main/java/access/api/OrganizationController.java
@@ -77,10 +77,8 @@ public ResponseEntity<Organization> find(User user,
 
         Organization organization = organizationRepository.findDetailsById(id)
                 .orElseThrow(() -> new NotFoundException("Organisation not found"));
-        if (!user.isSuperUser()) {
-            User userFromDB = reinitializeUser(user, userRepository);
-            confirmOrganizationMembership(userFromDB, organization, Authority.MEMBER);
-        }
+        User userFromDB = reinitializeUser(user, userRepository);
+        confirmOrganizationMembership(userFromDB, organization, Authority.MEMBER);
 
         if (StringUtils.hasText(organization.getManageIdentifier()) && withIdp) {
             Map<String, Object> provider = manage.providerById(EntityType.saml20_idp, organization.getManageIdentifier(), Environment.PROD);
@@ -130,10 +128,8 @@ public ResponseEntity<Organization> light(User user, @PathVariable("id") Long id
         Organization organization = organizationRepository.findUsersById(id)
                 .orElseThrow(() -> new NotFoundException("Organisation not found"));
 
-        if (!user.isSuperUser()) {
-            User userFromDB = reinitializeUser(user, userRepository);
-            confirmOrganizationMembership(userFromDB, organization, Authority.GUEST);
-        }
+        User userFromDB = reinitializeUser(user, userRepository);
+        confirmOrganizationMembership(userFromDB, organization, Authority.GUEST);
 
         return ResponseEntity.ok(organization);
     }
@@ -205,10 +201,9 @@ public ResponseEntity<Organization> update(User user, @RequestBody @Validated Or
             throw new InvalidInputException("Can not update name, Organization has manage identifier. " + organization.getName());
         }
 
-        if (!user.isSuperUser()) {
-            User userFromDB = reinitializeUser(user, userRepository);
-            confirmOrganizationMembership(userFromDB, organization, Authority.ADMIN);
-        }
+        User userFromDB = reinitializeUser(user, userRepository);
+        confirmOrganizationMembership(userFromDB, organization, Authority.ADMIN);
+
         organization.setName(organizationForm.getName());
         Organization savedOrganization = organizationRepository.save(organization);
         return ResponseEntity.status(HttpStatus.CREATED).body(savedOrganization);
@@ -238,11 +233,8 @@ public ResponseEntity<Organization> updateMetaData(User user,
         if (!StringUtils.hasText(organization.getManageIdentifier())) {
             throw new InvalidInputException("Can not update metadata. Organization has no manage identifier: " + organization.getName());
         }
-
-        if (!user.isSuperUser()) {
-            User userFromDB = reinitializeUser(user, userRepository);
-            confirmOrganizationMembership(userFromDB, organization, Authority.ADMIN);
-        }
+        User userFromDB = reinitializeUser(user, userRepository);
+        confirmOrganizationMembership(userFromDB, organization, Authority.ADMIN);
 
         organization.setMetaData(metaData);
         manage.saveIdentityProvider(organization);
@@ -256,10 +248,9 @@ public ResponseEntity<Map<String, Integer>> delete(User user, @PathVariable("org
 
         Organization organization = organizationRepository.findById(organizationId)
                 .orElseThrow(() -> new NotFoundException("Organization not found"));
-        if (!user.isSuperUser()) {
-            user = this.reinitializeUser(user, userRepository);
-            confirmOrganizationMembership(user, organization, Authority.ADMIN);
-        }
+
+        user = this.reinitializeUser(user, userRepository);
+        confirmOrganizationMembership(user, organization, Authority.ADMIN);
 
         organizationRepository.deleteOrganizationById(organizationId);
 
diff --git a/server/src/main/java/access/model/Application.java b/server/src/main/java/access/model/Application.java
@@ -72,7 +72,7 @@ public class Application implements NameHolder {
 
     @ManyToOne(fetch = FetchType.LAZY)
     @JoinColumn(name = "owner_id")
-    @JsonProperty(access = JsonProperty.Access.READ_ONLY)
+    @JsonProperty(access = JsonProperty.Access.WRITE_ONLY)
     private User owner;
 
     @Enumerated(EnumType.STRING)
@@ -101,6 +101,16 @@ public Map<String, Serializable> getOrganizationInfo() {
         return organizationInfo;
     }
 
+    //We need info, about the owner
+    @JsonProperty(access = JsonProperty.Access.READ_ONLY, value = "ownerIdentifier")
+    public Long getOwnerInfo() {
+        User appOwner = getOwner();
+        if (appOwner != null && Hibernate.isInitialized(appOwner)) {
+            return appOwner.getId();
+        }
+        return null;
+    }
+
     @JsonIgnore
     public void removeConnection(Connection connection) {
         //This is required by Hibernate - children can't be dereferenced
diff --git a/server/src/main/java/access/security/SecurityConfig.java b/server/src/main/java/access/security/SecurityConfig.java
@@ -135,7 +135,7 @@ SecurityFilterChain sessionSecurityFilterChain(HttpSecurity http,
                 //We need a reference to the securityContextRepository to update the authentication after an InstitutionAdmin accepts an invitation
                 .securityContext(securityContextConfigurer ->
                         securityContextConfigurer.securityContextRepository(this.securityContextRepository()));
-        if (environment.acceptsProfiles(Profiles.of("local"))) {
+        if (environment.acceptsProfiles(Profiles.of("dev"))) {
             //Thus avoiding an oauth2 login for local development
             http.addFilterBefore(new LocalDevelopmentAuthenticationFilter(), AnonymousAuthenticationFilter.class);
         }
diff --git a/server/src/main/resources/logback-spring.xml b/server/src/main/resources/logback-spring.xml
@@ -9,7 +9,7 @@
     <logger name="access" level="DEBUG"/>
     <logger name="org.hibernate.SQL" level="WARN"/>
     <logger name="org.springframework.security.web.csrf" level="DEBUG"/>
-    <logger name="org.springframework.security" level="WARN"/>
+    <logger name="org.springframework.security" level="TRACE"/>
     <logger name="org.mariadb.jdbc.message.server" level="ERROR"/>
     <logger name="com.zaxxer.hikari" level="ERROR"/>
     <logger name="ch.qos.logback" level="ERROR"/>

Original file line number	Diff line number	Diff line change
`@@ -227,7 +227,7 @@ export const Organizations = ({pendingApproval, tab}) => {`
`227`	`227`	`tip={I18n.t("tooltips.organizationsIcon",`
`228`	`228`	`{`
`229`	`229`	`name: org.name,`
`230`		`- createdAt: dateFromEpoch(org.created_at, false),`
	`230`	`+ createdAt: dateFromEpoch(org.created_at \|\| org.createdAt, false),`
`231`	`231`	status: I18n.t(`organizations.${org.status.toLowerCase()}`)
`232`	`232`	`})}/>`
`233`	`233`	`</div>`