@@ -2,14 +2,19 @@

import com.netgrif.application.engine.objects.auth.domain.AbstractUser;

import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.*;
import java.util.stream.Collectors;

public abstract class AbstractAuthorizationService {

protected Boolean checkPermissions(Map<String, Boolean> providedPermissions, List<String> requiredPermissions) {
if (requiredPermissions.stream().allMatch(permission -> providedPermissions.get(permission) == null)) {
return null;
}
return requiredPermissions.stream()
.anyMatch(permission -> hasPermission(providedPermissions.get(permission)));
}

protected boolean hasPermission(Boolean permissionValue) {
return permissionValue != null && permissionValue;
}
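Review bot: `checkPermissions` has no Javadoc for its three-valued result, and because it feeds an authorization decision the contract should be written down: `null` when none of the required keys has an entry in `providedPermissions`, `true` when at least one entry is `true`, `false` otherwise. An empty `requiredPermissions` also yields `null`, because `allMatch` on an empty stream is true, whereas the `anyMatch` expressions this helper replaces returned `false`; if that is not intended, add `if (requiredPermissions.isEmpty()) return false;` as the first line. The import hunk also swaps four explicit `java.util` imports for `import java.util.*;`; keeping the explicit list and adding `import java.util.List;` would be the smaller change. The class body continues outside the hunk.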
@@ -36,8 +36,7 @@ public Boolean userHasAtLeastOneRolePermission(AbstractUser user, Task task, Rol
}
}

return Arrays.stream(permissions)
.anyMatch(permission -> hasPermission(aggregatePermissions.get(permission.toString())));
return checkPermissions(aggregatePermissions, Arrays.stream(permissions).map(RolePermission::toString).toList());
}

@Override
@@ -62,8 +61,8 @@ public Boolean userHasUserListPermission(AbstractUser user, Task task, RolePermi
return false;
}
}
return Arrays.stream(permissions)
.anyMatch(permission -> hasPermission(userPermissions.get(permission.toString())));

return checkPermissions(userPermissions, Arrays.stream(permissions).map(RolePermission::toString).toList());
}

@Override
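Review bot: Both rewritten returns in this file now yield `null` where the old `anyMatch` expression yielded `false`, namely when none of the requested permissions has an entry in `aggregatePermissions` or `userPermissions`. The code that combines the role result with the user-list result must therefore read `null` as "no rule defined", never as a grant, and must not unbox it; that code is outside these hunks, so it cannot be confirmed from here. Once both sources have been consulted, a final check written as `Boolean.TRUE.equals(result)` keeps an undefined outcome on the deny side. The same applies to the two `ProcessRolePermission` call sites in the file section that follows. Both method bodies start outside their hunks.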
@@ -63,8 +63,7 @@ public Boolean userHasAtLeastOneRolePermission(AbstractUser user, PetriNet net,
}
}

return Arrays.stream(permissions)
.anyMatch(permission -> hasPermission(aggregatePermissions.get(permission.toString())));
return checkPermissions(aggregatePermissions, Arrays.stream(permissions).map(ProcessRolePermission::toString).toList());
}

@Override
@@ -84,8 +83,7 @@ public Boolean userHasUserListPermission(AbstractUser user, Case useCase, Proces
return false;
}
}
return Arrays.stream(permissions)
.anyMatch(permission -> hasPermission(userPermissions.get(permission.toString())));
return checkPermissions(userPermissions, Arrays.stream(permissions).map(ProcessRolePermission::toString).toList());
}

private Map<String, Boolean> findUserPermissions(Case useCase, AbstractUser user) {
@@ -590,4 +590,45 @@ class TaskAuthorizationServiceTest {
workflowService.deleteCase(new DeleteCaseParams(case_.stringId))
}

@Test
void testCanAssignWithRoleAssignTrueAndWithActorRefAssignUndefined() {
ProcessRole positiveRole = this.netWithUserRefs.getRoles().values().find(v -> v.getImportId() == "assign_pos_role")
userService.addRole(testUser, positiveRole.get_id())
Case case_ = workflowService.createCase(CreateCaseParams.with()
.process(netWithUserRefs)
.title("Test assign")
.color("")
.author(ActorTransformer.toLoggedUser(testUser))
.build()).getCase()

String taskId = (new ArrayList<>(case_.getTasks())).get(0).task
case_ = dataService.setData(taskId, ImportHelper.populateDataset([
"view_pos_ul": [
"value": [testUser.stringId],
"type": "actorList"
]
] as Map)).getCase()
assert taskAuthorizationService.canCallAssign(ActorTransformer.toLoggedUser(testUser), (new ArrayList<>(case_.getTasks())).get(0).task)
}

@Test
void testCanAssignWithRoleAssignUndefinedAndWithActorRefAssignTrue() {
ProcessRole positiveRole = this.netWithUserRefs.getRoles().values().find(v -> v.getImportId() == "view_pos_role")
userService.addRole(testUser, positiveRole.get_id())
Case case_ = workflowService.createCase(CreateCaseParams.with()
.process(netWithUserRefs)
.title("Test assign")
.color("")
.author(ActorTransformer.toLoggedUser(testUser))
.build()).getCase()

String taskId = (new ArrayList<>(case_.getTasks())).get(0).task
case_ = dataService.setData(taskId, ImportHelper.populateDataset([
"assign_pos_ul": [
"value": [testUser.stringId],
"type": "actorList"
]
] as Map)).getCase()
assert taskAuthorizationService.canCallAssign(ActorTransformer.toLoggedUser(testUser), (new ArrayList<>(case_.getTasks())).get(0).task)
}
}
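Review bot: Both added tests assert only that access is granted; none covers the case the new `null` result introduces, where the permission is undefined in the role and in the actor list at the same time. A third test that gives `testUser` only `view_pos_role`, fills only `view_pos_ul`, and then asserts the intended outcome of `canCallAssign` (presumably `assert !taskAuthorizationService.canCallAssign(...)`) would pin that two undefined results do not end in a grant. The same gap exists for `canCallDelete` in the WorkflowAuthorizationServiceTest hunk that follows.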
@@ -311,6 +311,46 @@ class WorkflowAuthorizationServiceTest {
userService.removeRole(testUser, negDeleteRole.getStringId())
}

@Test
void testCanCallDeleteWithRoleDeleteTrueAndActorRefDeleteUndefined() {
ProcessRole positiveDeleteRole = this.netWithUserRefs.getRoles().values().find(v -> v.getImportId() == "delete_pos_role")
userService.addRole(testUser, positiveDeleteRole.getStringId())
Case case_ = workflowService.createCase(CreateCaseParams.with()
.process(netWithUserRefs)
.title("Test delete")
.color("")
.author(ActorTransformer.toLoggedUser(testUser))
.build()).getCase()
String taskId = (new ArrayList<>(case_.getTasks())).get(0).task
case_ = dataService.setData(taskId, ImportHelper.populateDataset([
"view_actor_list": [
"value": [testUser.stringId],
"type": "actorList"
]
] as Map)).getCase()
assert workflowAuthorizationService.canCallDelete(ActorTransformer.toLoggedUser(testUser), case_.getStringId())
}

@Test
void testCanCallDeleteWithRoleDeleteUndefinedAndActorRefDeleteTrue() {
ProcessRole positiveViewRole = this.netWithUserRefs.getRoles().values().find(v -> v.getImportId() == "view_pos_role")
userService.addRole(testUser, positiveViewRole.getStringId())
Case case_ = workflowService.createCase(CreateCaseParams.with()
.process(netWithUserRefs)
.title("Test delete")
.color("")
.author(ActorTransformer.toLoggedUser(testUser))
.build()).getCase()
String taskId = (new ArrayList<>(case_.getTasks())).get(0).task
case_ = dataService.setData(taskId, ImportHelper.populateDataset([
"pos_user_list": [
"value": [testUser.stringId],
"type": "actorList"
]
] as Map)).getCase()
assert workflowAuthorizationService.canCallDelete(ActorTransformer.toLoggedUser(testUser), case_.getStringId())
}

@SuppressWarnings("GrMethodMayBeStatic")
private def parseResult(MvcResult result) {
return (new JsonSlurper()).parseText(result.response.contentAsString)
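Review bot: The two added tests grant `delete_pos_role` or `view_pos_role` to `testUser` and create a case, but undo neither, whereas the test just above the additions ends with `userService.removeRole(testUser, negDeleteRole.getStringId())`. If `testUser` is shared between tests (the setup is not visible here), a leftover `delete_pos_role` can make a later authorization assertion pass for the wrong reason. Ending each test with the matching `userService.removeRole(testUser, ...)` call and removing the created case would keep the permission checks isolated. The added tests in the TaskAuthorizationServiceTest section leave their role and case in place in the same way, although the context line before them shows `workflowService.deleteCase(new DeleteCaseParams(case_.stringId))` being used for cleanup.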
@@ -20,6 +20,10 @@
<id>finish_neg_role</id>
<name>finish neg role</name>
</role>
<role>
<id>view_pos_role</id>
<name>view pos role</name>
</role>
<data type="actorList">
<id>assign_pos_ul</id>
<title/>
@@ -52,6 +56,10 @@
<id>finish_neg_ul</id>
<title/>
</data>
<data type="actorList">
<id>view_pos_ul</id>
<title/>
</data>
<data type="text">
<id>text</id>
<title>Text</title>
@@ -90,6 +98,12 @@
<finish>false</finish>
</logic>
</roleRef>
<roleRef>
<id>view_pos_role</id>
<logic>
<view>true</view>
</logic>
</roleRef>
<actorRef>
<id>assign_pos_ul</id>
<logic>
@@ -138,6 +152,12 @@
<finish>false</finish>
</logic>
</actorRef>
<actorRef>
<id>view_pos_ul</id>
<logic>
<view>true</view>
</logic>
</actorRef>
<dataRef>
<id>text</id>
<logic>
@@ -28,6 +28,12 @@
<create>false</create>
</caseLogic>
</roleRef>
<roleRef>
<id>view_pos_role</id>
<caseLogic>
<view>true</view>
</caseLogic>
</roleRef>
<actorRef>
<id>neg_user_list</id>
<caseLogic>
@@ -40,6 +46,12 @@
<delete>true</delete>
</caseLogic>
</actorRef>
<actorRef>
<id>view_actor_list</id>
<caseLogic>
<view>true</view>
</caseLogic>
</actorRef>
<role>
<id>delete_pos_role</id>
<name>delete role</name>
@@ -56,6 +68,10 @@
<id>create_neg_role</id>
<name>create role</name>
</role>
<role>
<id>view_pos_role</id>
<name>view role</name>
</role>
<data type="actorList">
<id>pos_user_list</id>
<title/>
@@ -64,6 +80,10 @@
<id>neg_user_list</id>
<title/>
</data>
<data type="actorList">
<id>view_actor_list</id>
<title/>
</data>
<data type="text">
<id>text</id>
<title>Text</title>