Restrict non-staff users accessing compliance data (#621)

* updated_date timestamp issue

* Restrict non-staff users accesss to data

Author: dinesh-aot

compliance-api/src/compliance_api/models/staff_user.py

@@ -92,7 +92,7 @@ def update_staff(cls, user_id, user_dict, session=None) -> Optional[StaffUser]:
     def get_by_auth_guid(cls, auth_guid: str) -> StaffUser:
         """Retrieve the staff user by auth_guid."""
         staff_user = StaffUser.query.filter_by(
-            auth_user_guid=auth_guid, is_deleted=False
+            auth_user_guid=auth_guid, is_deleted=False, is_active=True
         ).first()
         return staff_user
 

compliance-api/src/compliance_api/resources/staff_user.py

@@ -121,6 +121,25 @@ def delete(user_id):
         return StaffUserSchema().dump(deleted_user), HTTPStatus.OK
 
 
+@cors_preflight("GET")
+@API.route("/by-auth-user-guid/<string:auth_user_guid>", methods=["GET"])
+@API.doc(params={"auth_user_guid": "The auth user GUID"})
+class StaffUserByAuthGuid(Resource):
+    """Resource for getting staff user by auth_user_guid."""
+
+    @staticmethod
+    @auth.require
+    @ApiHelper.swagger_decorators(API, endpoint_description="Fetch a user by auth_user_guid")
+    @API.response(code=200, model=user_list_model, description="Success")
+    @API.response(404, "Not Found")
+    def get(auth_user_guid):
+        """Fetch a user by auth_user_guid."""
+        user = StaffUserService.get_user_by_auth_guid(auth_user_guid)
+        if not user:
+            raise ResourceNotFoundError(f"User with auth_user_guid {auth_user_guid} not found")
+        return StaffUserSchema().dump(user), HTTPStatus.OK
+
+
 @cors_preflight("GET")
 @API.route("/permissions", methods=["GET"])
 class StaffUserPermissions(Resource):

compliance-api/src/compliance_api/services/staff_user.py

@@ -23,6 +23,17 @@ def get_user_by_id(cls, user_id):
             )
         return staff_user
 
+    @classmethod
+    def get_user_by_auth_guid(cls, auth_user_guid: str):
+        """Get user by auth_user_guid."""
+        staff_user = StaffUserModel.get_by_auth_guid(auth_user_guid)
+        if staff_user:
+            auth_user = AuthService.get_epic_user_by_guid(staff_user.auth_user_guid)
+            staff_user = _set_permission_level_in_compliance_user_obj(
+                staff_user, auth_user
+            )
+        return staff_user
+
     @classmethod
     def get_all_staff_users(cls):
         """Get all users."""

compliance-web/src/hooks/useAuthorization.tsx

@@ -1,6 +1,8 @@
 import { StaffUser } from "@/models/Staff";
 import { jwtDecode, JwtPayload } from "jwt-decode";
 import { useAuth } from "react-oidc-context";
+import { useQuery } from "@tanstack/react-query";
+import { request } from "@/utils/axiosUtils";
 import { OidcConfig } from "@/utils/config";
 
 interface CustomJwtPayload extends JwtPayload {
@@ -51,3 +53,53 @@ export const useCurrentLoggedInUser = () => {
   const { user } = useAuth();
   return user?.profile;
 };
+
+export const useStaffUserValidation = () => {
+  const { user, isAuthenticated } = useAuth();
+  const preferredUsername = user?.profile?.preferred_username;
+
+  const {
+    data: staffUser,
+    isLoading,
+    error,
+    isError,
+  } = useQuery({
+    queryKey: ["staff-user-validation", preferredUsername],
+    queryFn: async (): Promise<StaffUser | null> => {
+      if (!preferredUsername) {
+        throw new Error("No preferred_username found in token");
+      }
+
+      try {
+        const response = await request({
+          url: `/staff-users/by-auth-user-guid/${preferredUsername}`,
+          method: "get"
+        });
+        return response;
+      } catch (error: unknown) {
+        // If user not found (404), return null instead of throwing
+        if (error && typeof error === 'object' && 'response' in error && 
+            error.response && typeof error.response === 'object' && 'status' in error.response &&
+            error.response.status === 404) {
+          return null;
+        }
+        throw error;
+      }
+    },
+    enabled: isAuthenticated && !!preferredUsername,
+    retry: false, // Don't retry if staff user doesn't exist
+    staleTime: 5 * 60 * 1000, // Cache for 5 minutes
+  });
+
+  const isValidStaffUser = !!staffUser;
+  const isAccessDenied = !isLoading && !isError && !isValidStaffUser;
+
+  return {
+    staffUser,
+    isLoading,
+    error,
+    isValidStaffUser,
+    isAccessDenied,
+    preferredUsername,
+  };
+};

compliance-web/src/router/RouterProviderWithAuthContext.tsx

@@ -2,6 +2,7 @@ import { RouterProvider } from "@tanstack/react-router";
 import { useAuth } from "react-oidc-context";
 import router from "./router";
 import { useEffect } from "react";
+import { useStaffUserValidation } from "@/hooks/useAuthorization";
 
 // Register the router instance for type safety
 declare module "@tanstack/react-router" {
@@ -12,6 +13,7 @@ declare module "@tanstack/react-router" {
 
 export default function RouterProviderWithAuthContext() {
   const authentication = useAuth();
+  const { isAccessDenied, preferredUsername } = useStaffUserValidation();
 
   useEffect(() => {
     // the `return` is important - addAccessTokenExpiring() returns a cleanup function
@@ -22,5 +24,31 @@ export default function RouterProviderWithAuthContext() {
     });
   }, [authentication, authentication.events, authentication.signinSilent]);
 
+  // Show access denied if user is authenticated but not a valid staff user
+  if (authentication.isAuthenticated && isAccessDenied) {
+    return (
+      <div style={{ padding: "2rem", textAlign: "center" }}>
+        <h1>Access Denied</h1>
+        <p>You are not authorized to access this application.</p>
+        <p>User ID: {preferredUsername}</p>
+        <p>Please contact your administrator to get access.</p>
+        <button 
+          onClick={() => authentication.signoutRedirect()}
+          style={{
+            padding: "0.5rem 1rem",
+            marginTop: "1rem",
+            backgroundColor: "#dc3545",
+            color: "white",
+            border: "none",
+            borderRadius: "4px",
+            cursor: "pointer"
+          }}
+        >
+          Sign Out
+        </button>
+      </div>
+    );
+  }
+
   return <RouterProvider router={router} context={{ authentication }} />;
 }

compliance-web/src/routes/_authenticated/admin/staff.tsx

@@ -100,6 +100,7 @@ export function Staff() {
 
   const onDeleteSuccess = () => {
     queryClient.invalidateQueries({ queryKey: ["staff-users"] });
+    queryClient.invalidateQueries({ queryKey: ["staff-user-validation"] });
     setClose();
     notify.success("Staff deleted successfully!");
   };

compliance-web/src/routes/oidc-callback.tsx

@@ -1,22 +1,42 @@
 import { createFileRoute, Navigate } from "@tanstack/react-router";
 import { useAuth } from "react-oidc-context";
+import { useStaffUserValidation } from "@/hooks/useAuthorization";
+import { notify } from "@/store/snackbarStore";
 
 export const Route = createFileRoute("/oidc-callback")({
   component: OidcCallback,
 });
 
 function OidcCallback() {
   const { isAuthenticated, isLoading, error } = useAuth();
+  const {
+    isLoading: isValidatingStaff,
+    isValidStaffUser,
+    isAccessDenied,
+    preferredUsername,
+    error: staffValidationError
+  } = useStaffUserValidation();
 
-  if (isLoading) {
+  if (isLoading || isValidatingStaff) {
     return <h1>Redirecting, Please wait...</h1>;
   }
 
   if (error?.message) {
     return <h1>Error: {error.message}</h1>;
   }
 
-  if(!isLoading && isAuthenticated) {
-    return <Navigate to="/ce-database/case-files"></Navigate>
+  if (staffValidationError && staffValidationError.message !== "No preferred_username found in token") {
+    return <h1>Error validating user: {staffValidationError.message}</h1>;
   }
+
+  if (isAccessDenied) {
+    notify.error(`Access Denied: User ${preferredUsername} is not authorized to access this application. Please contact your administrator.`);
+    return <h1>Access denied. Redirecting...</h1>;
+  }
+
+  if (!isLoading && isAuthenticated && isValidStaffUser) {
+    return <Navigate to="/ce-database/case-files"></Navigate>;
+  }
+
+  return <h1>Authentication in progress...</h1>;
 }