Added the ability to check permissions on the current user and use that for the kudos services to check for administer permissions (instead of using the admin role).

ocielliottc · ocielliottc · commit a30fd252ef96 · 2025-01-17T10:49:17.000-06:00
diff --git a/server/src/main/java/com/objectcomputing/checkins/services/kudos/KudosServicesImpl.java b/server/src/main/java/com/objectcomputing/checkins/services/kudos/KudosServicesImpl.java
@@ -1,5 +1,6 @@
 package com.objectcomputing.checkins.services.kudos;
 
+import com.objectcomputing.checkins.services.permissions.Permission;
 import com.objectcomputing.checkins.configuration.CheckInsConfiguration;
 import com.objectcomputing.checkins.notifications.email.EmailSender;
 import com.objectcomputing.checkins.notifications.email.MailJetFactory;
@@ -147,7 +148,7 @@ public KudosResponseDTO getById(UUID id) {
 
         if (kudos.getDateApproved() == null) {
             // If not yet approved, only admins and the sender can access the kudos
-            if (!currentUserServices.isAdmin() && !isSender) {
+            if (!hasAdministerKudosPermission() && !isSender) {
                 throw new PermissionException(NOT_AUTHORIZED_MSG);
             }
         } else {
@@ -158,7 +159,7 @@ public KudosResponseDTO getById(UUID id) {
                     .stream()
                     .anyMatch(recipient -> recipient.getMemberId().equals(currentUserId));
 
-            if (!currentUserServices.isAdmin() && !isSender && !isRecipient) {
+            if (!hasAdministerKudosPermission() && !isSender && !isRecipient) {
                 throw new PermissionException(NOT_AUTHORIZED_MSG);
             }
         }
@@ -188,7 +189,7 @@ public List<KudosResponseDTO> findByValues(@Nullable UUID recipientId, @Nullable
         } else if (senderId != null) {
             return findAllFromMember(senderId);
         } else {
-            if (!currentUserServices.isAdmin()) {
+            if (!hasAdministerKudosPermission()) {
                 throw new PermissionException(NOT_AUTHORIZED_MSG);
             }
 
@@ -207,7 +208,7 @@ public List<KudosResponseDTO> getRecent() {
     }
 
     private List<KudosResponseDTO> findByPending(boolean isPending) {
-        if (!currentUserServices.isAdmin()) {
+        if (!hasAdministerKudosPermission()) {
             throw new PermissionException(NOT_AUTHORIZED_MSG);
         }
 
@@ -227,10 +228,10 @@ private List<KudosResponseDTO> findByPending(boolean isPending) {
 
 
     private List<KudosResponseDTO> findAllToMember(UUID memberId) {
-        boolean isAdmin = currentUserServices.isAdmin();
         UUID currentUserId = currentUserServices.getCurrentUser().getId();
 
-        if (!currentUserId.equals(memberId) && !isAdmin) {
+        if (!currentUserId.equals(memberId) &&
+            !hasAdministerKudosPermission()) {
             throw new PermissionException("You are not authorized to retrieve the kudos another user has received");
         }
 
@@ -253,10 +254,10 @@ private List<KudosResponseDTO> findAllToMember(UUID memberId) {
 
     private List<KudosResponseDTO> findAllFromMember(UUID senderId) {
 
-        boolean isAdmin = currentUserServices.isAdmin();
         UUID currentUserId = currentUserServices.getCurrentUser().getId();
 
-        if (!currentUserId.equals(senderId) && !isAdmin) {
+        if (!currentUserId.equals(senderId) &&
+            !hasAdministerKudosPermission()) {
             throw new PermissionException("You are not authorized to retrieve the kudos another user has sent");
         }
 
@@ -378,4 +379,8 @@ private void slackApprovedKudos(Kudos kudos) {
             LOG.error("Unable to POST to Slack: " + httpResponse.reason());
         }
     }
+
+    private boolean hasAdministerKudosPermission() {
+        return currentUserServices.hasPermission(Permission.CAN_ADMINISTER_KUDOS);
+    }
 }
diff --git a/server/src/main/java/com/objectcomputing/checkins/services/memberprofile/currentuser/CurrentUserServices.java b/server/src/main/java/com/objectcomputing/checkins/services/memberprofile/currentuser/CurrentUserServices.java
@@ -1,6 +1,7 @@
 package com.objectcomputing.checkins.services.memberprofile.currentuser;
 
 import com.objectcomputing.checkins.services.memberprofile.MemberProfile;
+import com.objectcomputing.checkins.services.permissions.Permission;
 import com.objectcomputing.checkins.services.role.RoleType;
 
 public interface CurrentUserServices {
@@ -9,6 +10,8 @@ public interface CurrentUserServices {
 
     boolean hasRole(RoleType role);
 
+    boolean hasPermission(Permission permission);
+
     boolean isAdmin();
 
     MemberProfile getCurrentUser();
diff --git a/server/src/main/java/com/objectcomputing/checkins/services/memberprofile/currentuser/CurrentUserServicesImpl.java b/server/src/main/java/com/objectcomputing/checkins/services/memberprofile/currentuser/CurrentUserServicesImpl.java
@@ -2,19 +2,22 @@
 
 import com.objectcomputing.checkins.exceptions.AlreadyExistsException;
 import com.objectcomputing.checkins.exceptions.NotFoundException;
+import com.objectcomputing.checkins.services.permissions.Permission;
 import com.objectcomputing.checkins.services.memberprofile.MemberProfile;
 import com.objectcomputing.checkins.services.memberprofile.MemberProfileRepository;
 import com.objectcomputing.checkins.services.role.Role;
 import com.objectcomputing.checkins.services.role.RoleServices;
 import com.objectcomputing.checkins.services.role.RoleType;
 import com.objectcomputing.checkins.services.role.member_roles.MemberRoleServices;
+import com.objectcomputing.checkins.services.role.role_permissions.RolePermissionServices;
 import io.micronaut.security.authentication.Authentication;
 import io.micronaut.security.utils.SecurityService;
 import jakarta.inject.Singleton;
 import jakarta.validation.constraints.NotNull;
 
 import java.time.LocalDate;
 import java.util.Optional;
+import java.util.List;
 
 @Singleton
 public class CurrentUserServicesImpl implements CurrentUserServices {
@@ -23,14 +26,18 @@ public class CurrentUserServicesImpl implements CurrentUserServices {
     private final SecurityService securityService;
     private final RoleServices roleServices;
     private final MemberRoleServices memberRoleServices;
+    private final RolePermissionServices rolePermissionServices;
 
     public CurrentUserServicesImpl(MemberProfileRepository memberProfileRepository,
                                    RoleServices roleServices,
-                                   SecurityService securityService, MemberRoleServices memberRoleServices) {
+                                   SecurityService securityService,
+                                   MemberRoleServices memberRoleServices,
+                                   RolePermissionServices rolePermissionServices) {
         this.memberProfileRepo = memberProfileRepository;
         this.roleServices = roleServices;
         this.securityService = securityService;
         this.memberRoleServices = memberRoleServices;
+        this.rolePermissionServices = rolePermissionServices;
     }
 
     @Override
@@ -48,6 +55,14 @@ public boolean hasRole(RoleType role) {
         return securityService.hasRole(role.toString());
     }
 
+    @Override
+    public boolean hasPermission(Permission permission) {
+        List<Permission> userPermissions =
+            rolePermissionServices.findUserPermissions(getCurrentUser().getId());
+        return userPermissions.stream().map(Permission::name)
+                              .anyMatch(str -> str.equals(permission.name()));
+    }
+
     @Override
     public boolean isAdmin() {
         return hasRole(RoleType.ADMIN);

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`package com.objectcomputing.checkins.services.kudos;`
`2`	`2`
	`3`	`+import com.objectcomputing.checkins.services.permissions.Permission;`
`3`	`4`	`import com.objectcomputing.checkins.configuration.CheckInsConfiguration;`
`4`	`5`	`import com.objectcomputing.checkins.notifications.email.EmailSender;`
`5`	`6`	`import com.objectcomputing.checkins.notifications.email.MailJetFactory;`
`@@ -147,7 +148,7 @@ public KudosResponseDTO getById(UUID id) {`
`147`	`148`
`148`	`149`	`if (kudos.getDateApproved() == null) {`
`149`	`150`	`// If not yet approved, only admins and the sender can access the kudos`
`150`		`- if (!currentUserServices.isAdmin() && !isSender) {`
	`151`	`+ if (!hasAdministerKudosPermission() && !isSender) {`
`151`	`152`	`throw new PermissionException(NOT_AUTHORIZED_MSG);`
`152`	`153`	`}`
`153`	`154`	`} else {`
`@@ -158,7 +159,7 @@ public KudosResponseDTO getById(UUID id) {`
`158`	`159`	`.stream()`
`159`	`160`	`.anyMatch(recipient -> recipient.getMemberId().equals(currentUserId));`
`160`	`161`
`161`		`- if (!currentUserServices.isAdmin() && !isSender && !isRecipient) {`
	`162`	`+ if (!hasAdministerKudosPermission() && !isSender && !isRecipient) {`
`162`	`163`	`throw new PermissionException(NOT_AUTHORIZED_MSG);`
`163`	`164`	`}`
`164`	`165`	`}`
`@@ -188,7 +189,7 @@ public List<KudosResponseDTO> findByValues(@Nullable UUID recipientId, @Nullable`
`188`	`189`	`} else if (senderId != null) {`
`189`	`190`	`return findAllFromMember(senderId);`
`190`	`191`	`} else {`
`191`		`- if (!currentUserServices.isAdmin()) {`
	`192`	`+ if (!hasAdministerKudosPermission()) {`
`192`	`193`	`throw new PermissionException(NOT_AUTHORIZED_MSG);`
`193`	`194`	`}`
`194`	`195`
`@@ -207,7 +208,7 @@ public List<KudosResponseDTO> getRecent() {`
`207`	`208`	`}`
`208`	`209`
`209`	`210`	`private List<KudosResponseDTO> findByPending(boolean isPending) {`
`210`		`- if (!currentUserServices.isAdmin()) {`
	`211`	`+ if (!hasAdministerKudosPermission()) {`
`211`	`212`	`throw new PermissionException(NOT_AUTHORIZED_MSG);`
`212`	`213`	`}`
`213`	`214`
`@@ -227,10 +228,10 @@ private List<KudosResponseDTO> findByPending(boolean isPending) {`
`227`	`228`
`228`	`229`
`229`	`230`	`private List<KudosResponseDTO> findAllToMember(UUID memberId) {`
`230`		`- boolean isAdmin = currentUserServices.isAdmin();`
`231`	`231`	`UUID currentUserId = currentUserServices.getCurrentUser().getId();`
`232`	`232`
`233`		`- if (!currentUserId.equals(memberId) && !isAdmin) {`
	`233`	`+ if (!currentUserId.equals(memberId) &&`
	`234`	`+ !hasAdministerKudosPermission()) {`
`234`	`235`	`throw new PermissionException("You are not authorized to retrieve the kudos another user has received");`
`235`	`236`	`}`
`236`	`237`
`@@ -253,10 +254,10 @@ private List<KudosResponseDTO> findAllToMember(UUID memberId) {`
`253`	`254`
`254`	`255`	`private List<KudosResponseDTO> findAllFromMember(UUID senderId) {`
`255`	`256`
`256`		`- boolean isAdmin = currentUserServices.isAdmin();`
`257`	`257`	`UUID currentUserId = currentUserServices.getCurrentUser().getId();`
`258`	`258`
`259`		`- if (!currentUserId.equals(senderId) && !isAdmin) {`
	`259`	`+ if (!currentUserId.equals(senderId) &&`
	`260`	`+ !hasAdministerKudosPermission()) {`
`260`	`261`	`throw new PermissionException("You are not authorized to retrieve the kudos another user has sent");`
`261`	`262`	`}`
`262`	`263`
`@@ -378,4 +379,8 @@ private void slackApprovedKudos(Kudos kudos) {`
`378`	`379`	`LOG.error("Unable to POST to Slack: " + httpResponse.reason());`
`379`	`380`	`}`
`380`	`381`	`}`
	`382`	`+`
	`383`	`+ private boolean hasAdministerKudosPermission() {`
	`384`	`+ return currentUserServices.hasPermission(Permission.CAN_ADMINISTER_KUDOS);`
	`385`	`+ }`
`381`	`386`	`}`