Added permissions to replace calls to isAdmin() on the current user services.

Author: ocielliottc

server/src/main/java/com/objectcomputing/checkins/services/employee_hours/EmployeeHoursServicesImpl.java

@@ -39,7 +39,6 @@ public EmployeeHoursServicesImpl(CurrentUserServices currentUserServices,
     @RequiredPermission(Permission.CAN_UPLOAD_HOURS)
     public EmployeeHoursResponseDTO save(CompletedFileUpload file) {
         MemberProfile currentUser = currentUserServices.getCurrentUser();
-        boolean isAdmin = currentUserServices.isAdmin();
         List<EmployeeHours> employeeHoursList = new ArrayList<>();
         Set<EmployeeHours> employeeHours = new HashSet<>();
         EmployeeHoursResponseDTO responseDTO = new EmployeeHoursResponseDTO();
@@ -63,17 +62,17 @@ public EmployeeHoursResponseDTO save(CompletedFileUpload file) {
     @Override
     public Set<EmployeeHours> findByFields(String employeeId) {
         MemberProfile currentUser = currentUserServices.getCurrentUser();
-        boolean isAdmin = currentUserServices.isAdmin();
+        boolean canViewAll = currentUserServices.hasPermission(Permission.CAN_VIEW_ALL_UPLOADED_HOURS);
 
         Set<EmployeeHours> employeeHours = new HashSet<>();
         employeehourRepo.findAll().forEach(employeeHours::add);
 
         if(employeeId !=null) {
-            validate((!isAdmin && currentUser!=null&& !currentUser.getEmployeeId().equals(employeeId)),
+            validate((!canViewAll && currentUser!=null && !currentUser.getEmployeeId().equals(employeeId)),
                        NOT_AUTHORIZED_MSG);
             employeeHours.retainAll(employeehourRepo.findByEmployeeId(employeeId));
         } else {
-            validate(!isAdmin, NOT_AUTHORIZED_MSG);
+            validate(!canViewAll, NOT_AUTHORIZED_MSG);
         }
 
 

server/src/main/java/com/objectcomputing/checkins/services/feedback_template/FeedbackTemplateServicesImpl.java

@@ -1,5 +1,6 @@
 package com.objectcomputing.checkins.services.feedback_template;
 
+import com.objectcomputing.checkins.services.permissions.Permission;
 import com.objectcomputing.checkins.exceptions.BadArgException;
 import com.objectcomputing.checkins.exceptions.NotFoundException;
 import com.objectcomputing.checkins.exceptions.PermissionException;
@@ -93,12 +94,12 @@ public FeedbackTemplate getById(UUID id) {
     @Override
     public List<FeedbackTemplate> findByFields(@Nullable UUID creatorId, @Nullable String title) {
         UUID currentUserId = currentUserServices.getCurrentUser().getId();
-        boolean isAdmin = currentUserServices.isAdmin();
+        boolean canAdminister = hasAdministerPermission();
         List <FeedbackTemplate> allTemplates =  feedbackTemplateRepository.searchByValues(Util.nullSafeUUIDToString(creatorId), title);
         return allTemplates
                 .stream()
-                .filter(template -> template.getIsPublic() || isAdmin || template.getCreatorId().equals(currentUserId))
-                .filter(template -> !template.getIsReview() || isAdmin)
+                .filter(template -> template.getIsPublic() || canAdminister || template.getCreatorId().equals(currentUserId))
+                .filter(template -> !template.getIsReview() || canAdminister)
                 .toList();
     }
 
@@ -113,12 +114,14 @@ public boolean setAdHocInactiveByCreator(@Nullable UUID creatorId) {
 
     public boolean updateIsPermitted(UUID creatorId) {
         UUID currentUserId = currentUserServices.getCurrentUser().getId();
-        boolean isAdmin = currentUserServices.isAdmin();
-        return isAdmin || currentUserId.equals(creatorId);
+        return hasAdministerPermission() || currentUserId.equals(creatorId);
     }
 
     public boolean deleteIsPermitted(UUID creatorId) {
         return updateIsPermitted(creatorId);
     }
 
+    private boolean hasAdministerPermission() {
+        return currentUserServices.hasPermission(Permission.CAN_ADMINISTER_FEEDBACK_TEMPLATES);
+    }
 }

server/src/main/java/com/objectcomputing/checkins/services/feedback_template/template_question/TemplateQuestionServicesImpl.java

@@ -1,5 +1,5 @@
 package com.objectcomputing.checkins.services.feedback_template.template_question;
-
+import com.objectcomputing.checkins.services.permissions.Permission;
 import com.objectcomputing.checkins.exceptions.BadArgException;
 import com.objectcomputing.checkins.exceptions.NotFoundException;
 import com.objectcomputing.checkins.exceptions.PermissionException;
@@ -139,9 +139,8 @@ public List<TemplateQuestion> findByFields(UUID templateId) {
 
     // only admins or the creator of the template can add questions to it
     public boolean createIsPermitted(UUID templateCreatorId) {
-        boolean isAdmin = currentUserServices.isAdmin();
         UUID currentUserId = currentUserServices.getCurrentUser().getId();
-        return currentUserId != null && (isAdmin || currentUserId.equals(templateCreatorId));
+        return currentUserId != null && (currentUserServices.hasPermission(Permission.CAN_ADMINISTER_FEEDBACK_TEMPLATES) || currentUserId.equals(templateCreatorId));
     }
 
     public boolean updateIsPermitted(UUID templateCreatorId) {

server/src/main/java/com/objectcomputing/checkins/services/file/FileServicesBaseImpl.java

@@ -58,12 +58,12 @@ abstract protected FileInfoDTO uploadSingleFile(
 
     @Override
     public Set<FileInfoDTO> findFiles(@Nullable UUID checkInID) {
-        boolean isAdmin = currentUserServices.isAdmin();
-        validate(checkInID == null && !isAdmin, NOT_AUTHORIZED_MSG);
+        boolean canAdminister = hasAdministerPermission();
+        validate(checkInID == null && !canAdminister, NOT_AUTHORIZED_MSG);
 
         try {
             Set<FileInfoDTO> result = new HashSet<>();
-            if (checkInID == null && isAdmin) {
+            if (checkInID == null && canAdminister) {
                 getCheckinDocuments(result, Collections.emptySet());
             } else if (checkInID != null) {
                 validate(!checkInServices.accessGranted(checkInID, currentUserServices.getCurrentUser().getId()),
@@ -89,14 +89,14 @@ public Set<FileInfoDTO> findFiles(@Nullable UUID checkInID) {
     @Override
     public java.io.File downloadFiles(@NotNull String uploadDocId) {
         MemberProfile currentUser = currentUserServices.getCurrentUser();
-        boolean isAdmin = currentUserServices.isAdmin();
+        boolean canAdminister = hasAdministerPermission();
 
         CheckinDocument cd = checkinDocumentServices.getFindByUploadDocId(uploadDocId);
         validate(cd == null, String.format("Unable to find record with id %s", uploadDocId));
 
         CheckIn associatedCheckin = checkInServices.read(cd.getCheckinsId());
 
-        if(!isAdmin) {
+        if(!canAdminister) {
             validate((!currentUser.getId().equals(associatedCheckin.getTeamMemberId()) && !currentUser.getId().equals(associatedCheckin.getPdlId())), NOT_AUTHORIZED_MSG);
         }
         try {
@@ -120,12 +120,12 @@ public java.io.File downloadFiles(@NotNull String uploadDocId) {
     @Override
     public FileInfoDTO uploadFile(@NotNull UUID checkInID, @NotNull CompletedFileUpload file) {
         MemberProfile currentUser = currentUserServices.getCurrentUser();
-        boolean isAdmin = currentUserServices.isAdmin();
+        boolean canAdminister = hasAdministerPermission();
         validate((file.getFilename() == null || file.getFilename().equals("")), "Please select a valid file before uploading.");
 
         CheckIn checkIn = checkInServices.read(checkInID);
         validate(checkIn == null, "Unable to find checkin record with id %s", checkInID);
-        if(!isAdmin) {
+        if(!canAdminister) {
             validate((!currentUser.getId().equals(checkIn.getTeamMemberId()) && !currentUser.getId().equals(checkIn.getPdlId())), "You are not authorized to perform this operation");
             validate(checkIn.isCompleted(), NOT_AUTHORIZED_MSG);
         }
@@ -175,4 +175,8 @@ protected void validate(boolean isError, String message, Object... args) {
             throw new FileRetrievalException(String.format(message, args));
         }
     }
+
+    protected boolean hasAdministerPermission() {
+        return currentUserServices.hasPermission(Permission.CAN_ADMINISTER_CHECKIN_DOCUMENTS);
+    }
 }

server/src/main/java/com/objectcomputing/checkins/services/file/FileServicesImpl.java

@@ -147,8 +147,7 @@ protected FileInfoDTO uploadSingleFile(CompletedFileUpload file, String director
     public FileInfoDTO uploadDocument(String directoryName, String name, String text) {
         final String GOOGLE_DOC_TYPE = "application/vnd.google-apps.document";
         MemberProfile currentUser = currentUserServices.getCurrentUser();
-        boolean isAdmin = currentUserServices.isAdmin();
-        validate(!isAdmin, "You are not authorized to perform this operation");
+        validate(!hasAdministerPermission(), "You are not authorized to perform this operation");
 
         try {
             Drive drive = googleApiAccess.getDrive();

server/src/main/java/com/objectcomputing/checkins/services/guild/GuildServicesImpl.java

@@ -1,5 +1,6 @@
 package com.objectcomputing.checkins.services.guild;
 
+import com.objectcomputing.checkins.services.permissions.Permission;
 import com.objectcomputing.checkins.Environments;
 import com.objectcomputing.checkins.configuration.CheckInsConfiguration;
 import com.objectcomputing.checkins.exceptions.BadArgException;
@@ -135,8 +136,8 @@ public GuildResponseDTO read(@NotNull UUID guildId) {
 
     public GuildResponseDTO update(GuildUpdateDTO guildDTO) {
         MemberProfile currentUser = currentUserServices.getCurrentUser();
-        boolean isAdmin = currentUserServices.isAdmin();
-        if (isAdmin || (currentUser != null &&
+        boolean canAdminister = hasAdministerPermission();
+        if (canAdminister || (currentUser != null &&
                 !guildMemberServices.findByFields(guildDTO.getId(), currentUser.getId(), true).isEmpty())) {
             // Guild newGuildEntity = null;
             GuildResponseDTO updated= null;
@@ -236,9 +237,9 @@ public Set<GuildResponseDTO> findByFields(String name, UUID memberId) {
 
     public boolean delete(@NotNull UUID id) {
         MemberProfile currentUser = currentUserServices.getCurrentUser();
-        boolean isAdmin = currentUserServices.isAdmin();
+        boolean canAdminister = hasAdministerPermission();
 
-        if (isAdmin || (currentUser != null && !guildMemberRepo.search(nullSafeUUIDToString(id), nullSafeUUIDToString(currentUser.getId()), true).isEmpty())) {
+        if (canAdminister || (currentUser != null && !guildMemberRepo.search(nullSafeUUIDToString(id), nullSafeUUIDToString(currentUser.getId()), true).isEmpty())) {
             guildMemberHistoryRepository.deleteByGuildId(id);
             guildMemberRepo.deleteByGuildId(id.toString());
             guildsRepo.deleteById(id);
@@ -341,4 +342,8 @@ public void emailGuildLeaders(Set<String> guildLeadersEmails, Guild guild) {
        String body = "Congratulations, you have been assigned as a guild leader of " + guild.getName();
        emailSender.sendEmail(null, null, subject, body, guildLeadersEmails.toArray(new String[0]));
     }
+
+    private boolean hasAdministerPermission() {
+        return currentUserServices.hasPermission(Permission.CAN_ADMINISTER_GUILDS);
+    }
 }

server/src/main/java/com/objectcomputing/checkins/services/guild/member/GuildMemberServicesImpl.java

@@ -1,5 +1,6 @@
 package com.objectcomputing.checkins.services.guild.member;
 
+import com.objectcomputing.checkins.services.permissions.Permission;
 import com.objectcomputing.checkins.configuration.CheckInsConfiguration;
 import com.objectcomputing.checkins.exceptions.BadArgException;
 import com.objectcomputing.checkins.exceptions.NotFoundException;
@@ -76,11 +77,11 @@ public GuildMember save(@Valid @NotNull GuildMember guildMember, boolean sendEma
             throw new BadArgException(String.format("Member %s already exists in guild %s", memberId, guildId));
         }
         // only allow admins to create guild leads
-        else if (!currentUserServices.isAdmin() && Boolean.TRUE.equals(guildMember.getLead())) {
+        else if (!hasAdministerPermission() && Boolean.TRUE.equals(guildMember.getLead())) {
             throw new BadArgException(NOT_AUTHORIZED_MSG);
         }
         // only admins and leads can add members to guilds unless a user adds themself
-        else if (!currentUserServices.isAdmin() && !guildMember.getMemberId().equals(currentUser.getId()) && !isLead){
+        else if (!hasAdministerPermission() && !guildMember.getMemberId().equals(currentUser.getId()) && !isLead){
             throw new PermissionException(NOT_AUTHORIZED_MSG);
         }
 
@@ -103,7 +104,7 @@ public GuildMember read(@NotNull UUID id) {
 
     public GuildMember update(@NotNull @Valid GuildMember guildMember) {
         MemberProfile currentUser = currentUserServices.getCurrentUser();
-        boolean isAdmin = currentUserServices.isAdmin();
+        boolean canAdminister = hasAdministerPermission();
 
         final UUID id = guildMember.getId();
         final UUID guildId = guildMember.getGuildId();
@@ -122,7 +123,7 @@ public GuildMember update(@NotNull @Valid GuildMember guildMember) {
             throw new BadArgException(String.format("Member %s doesn't exist", memberId));
         } else if (guildMemberRepo.findByGuildIdAndMemberId(guildMember.getGuildId(), guildMember.getMemberId()).isEmpty()) {
             throw new BadArgException(String.format("Member %s is not part of guild %s", memberId, guildId));
-        } else if (!isAdmin && guildLeads.stream().noneMatch(o -> o.getMemberId().equals(currentUser.getId()))) {
+        } else if (!canAdminister && guildLeads.stream().noneMatch(o -> o.getMemberId().equals(currentUser.getId()))) {
             throw new BadArgException(NOT_AUTHORIZED_MSG);
         }
         GuildMember guildMemberUpdate = guildMemberRepo.update(guildMember);
@@ -161,7 +162,7 @@ public void delete(@NotNull UUID id, boolean sendEmail) {
             throw new BadArgException("At least one guild lead must be present in the guild at all times");
         }
         // if the current user is not an admin, is not the same as the member in the request, and is not a lead in the guild -> don't delete
-        if (!currentUserServices.isAdmin() && !guildMember.getMemberId().equals(currentUser.getId()) && !currentUserIsLead) {
+        if (!hasAdministerPermission() && !guildMember.getMemberId().equals(currentUser.getId()) && !currentUserIsLead) {
             throw new PermissionException(NOT_AUTHORIZED_MSG);
         }
 
@@ -211,4 +212,8 @@ private String constructEmailContent (GuildMember guildMember, boolean isAdded){
     private static GuildMemberHistory buildGuildMemberHistory(UUID guildId, UUID memberId, String change, LocalDateTime date) {
         return new GuildMemberHistory(guildId,memberId,change,date);
     }
+
+    private boolean hasAdministerPermission() {
+        return currentUserServices.hasPermission(Permission.CAN_ADMINISTER_GUILDS);
+    }
 }

server/src/main/java/com/objectcomputing/checkins/services/kudos/kudos_recipient/KudosRecipientServicesImpl.java

@@ -1,5 +1,6 @@
 package com.objectcomputing.checkins.services.kudos.kudos_recipient;
 
+import com.objectcomputing.checkins.services.permissions.Permission;
 import com.objectcomputing.checkins.notifications.email.EmailSender;
 import com.objectcomputing.checkins.notifications.email.MailJetFactory;
 import com.objectcomputing.checkins.exceptions.BadArgException;
@@ -54,8 +55,7 @@ public KudosRecipient save(KudosRecipient kudosRecipient) {
                 new NotFoundException("No kudos with id %s"));
 
         boolean isKudosCreator = currentUserServices.getCurrentUser().getId().equals(kudos.getSenderId());
-        boolean isAdmin = currentUserServices.isAdmin();
-        if (!isAdmin && !isKudosCreator) {
+        if (!currentUserServices.hasPermission(Permission.CAN_ADMINISTER_KUDOS) && !isKudosCreator) {
             throw new PermissionException(NOT_AUTHORIZED_MSG);
         }
 

server/src/main/java/com/objectcomputing/checkins/services/memberprofile/MemberProfileServicesImpl.java

@@ -67,7 +67,7 @@ public MemberProfile getById(@NotNull UUID id) {
             throw new NotFoundException("No member profile for id " + id);
         }
         MemberProfile memberProfile = optional.get();
-        if (!currentUserServices.isAdmin()) {
+        if (!hasAdministerPermission()) {
             memberProfile.clearBirthYear();
         }
         return memberProfile;
@@ -91,7 +91,7 @@ public Set<MemberProfile> findByValues(@Nullable String firstName,
                                            @Nullable Boolean terminated) {
         Set<MemberProfile> memberProfiles = new HashSet<>(memberProfileRepository.search(firstName, null, lastName, null, title,
                 nullSafeUUIDToString(pdlId), workEmail, nullSafeUUIDToString(supervisorId), terminated));
-        if (!currentUserServices.isAdmin()) {
+        if (!hasAdministerPermission()) {
             for (MemberProfile memberProfile : memberProfiles) {
                 memberProfile.clearBirthYear();
             }
@@ -199,7 +199,7 @@ public List<MemberProfile> findAll() {
     @Cacheable
     public List<MemberProfile> getSupervisorsForId(UUID id) {
         List<MemberProfile> supervisorsForId = memberProfileRepository.findSupervisorsForId(id);
-        if (!currentUserServices.isAdmin()) {
+        if (!hasAdministerPermission()) {
             for (MemberProfile memberProfile : supervisorsForId) {
                 memberProfile.clearBirthYear();
             }
@@ -211,7 +211,7 @@ public List<MemberProfile> getSupervisorsForId(UUID id) {
     @Cacheable
     public List<MemberProfile> getSubordinatesForId(UUID id) {
         List<MemberProfile> subordinatesForId = memberProfileRepository.findSubordinatesForId(id);
-        if (!currentUserServices.isAdmin()) {
+        if (!hasAdministerPermission()) {
             for (MemberProfile memberProfile : subordinatesForId) {
                 memberProfile.clearBirthYear();
             }
@@ -270,4 +270,8 @@ public void updateLastSeen(UUID id) {
           memberProfileRepository.update(memberProfile);
         }
     }
+
+    private boolean hasAdministerPermission() {
+        return currentUserServices.hasPermission(Permission.CAN_EDIT_ALL_ORGANIZATION_MEMBERS);
+    }
 }

server/src/main/java/com/objectcomputing/checkins/services/memberprofile/retentionreport/RetentionReportServicesImpl.java

@@ -27,10 +27,6 @@ public RetentionReportServicesImpl(MemberProfileServices memberProfileServices,
     @Override
     @RequiredPermission(Permission.CAN_VIEW_RETENTION_REPORT)
     public RetentionReportResponseDTO report(RetentionReportDTO request) {
-        if (!currentUserServices.isAdmin()) {
-            throw new PermissionException("Requires admin privileges");
-        }
-
         RetentionReportResponseDTO response;
         List<MemberProfile> memberProfiles = memberProfileServices.findAll();
         LocalDate periodStartDate = getIntervalStartDate(request.getStartDate(), request.getFrequency());