refactor(app-workflows): permissions (#4787)

Author: brunozoric

eslint.config.mjs

@@ -183,10 +183,18 @@ export default defineConfig([
     }
   },
   globalIgnores([
+    //".github/**/*",
     ".idea/**/*",
     ".nx/**/*",
-    ".yarn/**/*",
+    ".pulumi/**/*",
+    ".stormTests/**/*",
+    ".swc/**/*",
     ".webiny/**/*",
+    ".yarn/**/*",
+    "ai-context/**/*",
+    "coverage/**/*",
+    //"cypress-tests/**/*",
+    "docs/**/*",
     "**/node_modules/",
     "**/dist/",
     "**/lib/",

packages/api-workflows/src/constants.ts

@@ -1,2 +1,3 @@
 export const WORKFLOW_MODEL_ID = "workflow";
 export const WORKFLOW_STATE_MODEL_ID = "workflowState";
+export const WORKFLOWS_PERMISSION = "workflows";

packages/api-workflows/src/context/WorkflowsContext.ts

@@ -1,4 +1,8 @@
-import type { Context } from "~/types.js";
+import {
+    type Context,
+    type IWorkflowsSecurityPermission,
+    WorkflowsSecurityPermissionAccessLevel
+} from "~/types.js";
 import type { CmsModel } from "@webiny/api-headless-cms/types/index.js";
 import { NotFoundError } from "@webiny/handler-graphql";
 import { createIdentifier } from "@webiny/utils";
@@ -14,6 +18,7 @@ import type { IWorkflowsTransformer } from "./transformer/abstractions/Workflows
 import type { IWorkflow } from "~/context/abstractions/Workflow.js";
 import { parseIdentifier } from "@webiny/utils/parseIdentifier.js";
 import { NotAuthorizedError } from "./errors.js";
+import { WORKFLOWS_PERMISSION } from "~/constants.js";
 
 export interface IWorkflowsContextParams {
     context: Pick<Context, "cms" | "security">;
@@ -89,6 +94,7 @@ export class WorkflowsContext implements IWorkflowsContext {
     }
 
     public async getWorkflow(params: IWorkflowsContextGetParams): Promise<IWorkflow | null> {
+        this.ensureReadAccess();
         try {
             const id = createIdentifier({
                 id: params.id,
@@ -113,6 +119,7 @@ export class WorkflowsContext implements IWorkflowsContext {
     public async listWorkflows(
         params: IWorkflowsContextListParams
     ): Promise<IWorkflowsContextListResponse> {
+        this.ensureReadAccess();
         return this.context.security.withoutAuthorization(async () => {
             const where = {
                 ...this.convertListWhere(params.where)
@@ -136,12 +143,27 @@ export class WorkflowsContext implements IWorkflowsContext {
         });
     }
 
-    private async ensureManageAccess(): Promise<void> {
-        const permissions = await this.context.security.getPermissions("workflows");
-        if (permissions?.length) {
+    private ensureReadAccess(): void {
+        const identity = this.context.security.getIdentity();
+        if (identity?.id) {
             return;
         }
-        throw new NotAuthorizedError("You have no access to workflows.");
+        throw new NotAuthorizedError("You cannot read workflows.");
+    }
+
+    private async ensureManageAccess(): Promise<void> {
+        const permissions =
+            await this.context.security.getPermissions<IWorkflowsSecurityPermission>(
+                WORKFLOWS_PERMISSION
+            );
+        for (const permission of permissions) {
+            if (permission.name === "*") {
+                return;
+            } else if (permission.editor === WorkflowsSecurityPermissionAccessLevel.YES) {
+                return;
+            }
+        }
+        throw new NotAuthorizedError("You cannot manage workflows.");
     }
 
     private async createWorkflow(params: ICreateWorkflowParams): Promise<IWorkflow> {

packages/api-workflows/src/types.ts

@@ -3,8 +3,18 @@ import type { Context as TasksContext } from "@webiny/tasks/types.js";
 import type { IWorkflowsContext } from "~/context/abstractions/WorkflowsContext.js";
 import type { IWorkflowStateContext } from "~/context/abstractions/WorkflowStateContext.js";
 import type { ApiCoreContext } from "@webiny/api-core/types/core.js";
+import type { SecurityPermission } from "@webiny/api-core/types/security.js";
 
 export interface Context extends ApiCoreContext, CmsContext, TasksContext {
     workflows: IWorkflowsContext;
     workflowState: IWorkflowStateContext;
 }
+
+export enum WorkflowsSecurityPermissionAccessLevel {
+    NO = "no",
+    YES = "yes"
+}
+
+export interface IWorkflowsSecurityPermission extends SecurityPermission {
+    editor: WorkflowsSecurityPermissionAccessLevel;
+}

packages/app-headless-cms-workflows/src/Components/CmsWorkflows/CmsWorkflowsEditorView.tsx

@@ -11,7 +11,8 @@ import type { IconProp } from "@fortawesome/fontawesome-svg-core";
 import { createAppName } from "~/utils/appName.js";
 
 const {
-    Admin: { WorkflowsEditor }
+    Admin: { WorkflowsEditor },
+    Permissions: { HasWorkflowsEditorPermission }
 } = Components;
 
 const { Menu } = AdminConfig;
@@ -25,14 +26,19 @@ export const CmsWorkflowsEditorMenu = () => {
     }
 
     return (
-        <Menu
-            name={"headlessCMS.contentModels.workflows"}
-            pinnable={true}
-            parent={"headlessCMS"}
-            element={
-                <Menu.Link text={"Workflows"} to={router.getLink(Routes.ContentModels.Workflows)} />
-            }
-        />
+        <HasWorkflowsEditorPermission>
+            <Menu
+                name={"headlessCMS.contentModels.workflows"}
+                pinnable={true}
+                parent={"headlessCMS"}
+                element={
+                    <Menu.Link
+                        text={"Workflows"}
+                        to={router.getLink(Routes.ContentModels.Workflows)}
+                    />
+                }
+            />
+        </HasWorkflowsEditorPermission>
     );
 };
 
@@ -72,6 +78,13 @@ export const CmsWorkflowsEditorView = () => {
             });
     }, [models, canEdit]);
 
+    const app = useMemo(() => {
+        if (!route.params.app) {
+            return apps.find(() => true);
+        }
+        return apps.find(a => a.id === route.params.app) || null;
+    }, [route.params.app]);
+
     const onAppClick = useCallback(
         (id: string) => {
             goToRoute(Routes.ContentModels.Workflows, {
@@ -87,5 +100,5 @@ export const CmsWorkflowsEditorView = () => {
         return <Loader size="lg" variant="accent" indeterminate={true} text="Loading..." />;
     }
 
-    return <WorkflowsEditor apps={apps} onAppClick={onAppClick} app={route.params.app} />;
+    return <WorkflowsEditor apps={apps} onAppClick={onAppClick} app={app?.id} />;
 };

packages/app-workflows/src/Components/App/ContentReviews.tsx

@@ -9,7 +9,6 @@ import {
     WorkflowStatesOwnWidget,
     WorkflowStatesRequestedWidget
 } from "~/Components/WorkflowStatesWidget/index.js";
-import { HasPermission } from "@webiny/app-security/components/index.js";
 
 const { Route } = AdminConfig;
 
@@ -30,18 +29,16 @@ export const ContentReviews = () => {
             />
             <WorkflowsMenu />
 
-            <HasPermission name={"workflows.contentReviews"}>
-                <AdminConfig.Dashboard.Widget
-                    name="workflows.requested"
-                    column="right"
-                    element={<WorkflowStatesRequestedWidget client={client} />}
-                />
-                <AdminConfig.Dashboard.Widget
-                    name="workflows.assigned"
-                    column="right"
-                    element={<WorkflowStatesOwnWidget client={client} />}
-                />
-            </HasPermission>
+            <AdminConfig.Dashboard.Widget
+                name="workflows.requested"
+                column="right"
+                element={<WorkflowStatesRequestedWidget client={client} />}
+            />
+            <AdminConfig.Dashboard.Widget
+                name="workflows.own"
+                column="right"
+                element={<WorkflowStatesOwnWidget client={client} />}
+            />
         </AdminConfig>
     );
 };

packages/app-workflows/src/Components/WorkflowsEditor/WorkflowsEditor.tsx

@@ -1,65 +1,11 @@
-import React, { useMemo } from "react";
-import { Alert } from "@webiny/admin-ui";
-import { useCanUseWorkflows } from "~/hooks/canUseWorkflows.js";
-import {
-    LeftPanel,
-    RightPanel,
-    SimpleForm,
-    SimpleFormContent,
-    SimpleFormFooter,
-    SimpleFormHeader,
-    SplitView
-} from "@webiny/app-admin";
-import { WorkflowsDataList } from "~/Components/WorkflowsEditor/DataList/WorkflowsDataList.js";
-import { WorkflowEditor } from "./Editor/WorkflowEditor.js";
-import type { IWorkflowApplication } from "~/types.js";
+import { HasWorkflowsEditorPermission } from "../WorkflowsPermissions/HasWorkflowsEditorPermission.js";
+import { type IWorkflowsEditorProps, WorkflowsEditorBase } from "./WorkflowsEditorBase.js";
+import React from "react";
 
-export interface IWorkflowsEditorProps {
-    apps: IWorkflowApplication[];
-    app: string | null | undefined;
-    onAppClick: (id: string) => void;
-}
-/**
- * Main component which should get used to render Workflows Admin UI.
- */
 export const WorkflowsEditor = (props: IWorkflowsEditorProps) => {
-    const { apps, onAppClick, app: initialApp } = props;
-
-    const canUseWorkflows = useCanUseWorkflows();
-
-    const app = useMemo(() => {
-        if (!initialApp) {
-            return null;
-        }
-        return apps.find(a => a.id === initialApp);
-    }, [initialApp, apps]);
-
-    if (!canUseWorkflows) {
-        return (
-            <Alert type={"danger"} title={"You don't have access to Workflows."}>
-                You do not have access to Workflows. Please contact your system administrator.
-            </Alert>
-        );
-    }
-    // return <WorkflowsAdminView apps={apps} onAppClick={onAppClick} app={app} />;
     return (
-        <SplitView>
-            <LeftPanel>
-                <WorkflowsDataList apps={apps} activeId={app?.id} onSelectApp={onAppClick} />
-            </LeftPanel>
-            <RightPanel>
-                {app ? (
-                    <SimpleForm size={"lg"}>
-                        <SimpleFormHeader title={app.name} />
-                        <SimpleFormContent>
-                            <WorkflowEditor app={app} />
-                        </SimpleFormContent>
-                        <SimpleFormFooter>
-                            <></>
-                        </SimpleFormFooter>
-                    </SimpleForm>
-                ) : null}
-            </RightPanel>
-        </SplitView>
+        <HasWorkflowsEditorPermission>
+            <WorkflowsEditorBase {...props} />
+        </HasWorkflowsEditorPermission>
     );
 };

packages/app-workflows/src/Components/WorkflowsEditor/WorkflowsEditorBase.tsx

@@ -0,0 +1,65 @@
+import React, { useMemo } from "react";
+import { Alert } from "@webiny/admin-ui";
+import { useCanUseWorkflows } from "~/hooks/canUseWorkflows.js";
+import {
+    LeftPanel,
+    RightPanel,
+    SimpleForm,
+    SimpleFormContent,
+    SimpleFormFooter,
+    SimpleFormHeader,
+    SplitView
+} from "@webiny/app-admin";
+import { WorkflowsDataList } from "~/Components/WorkflowsEditor/DataList/WorkflowsDataList.js";
+import { WorkflowEditor } from "./Editor/WorkflowEditor.js";
+import type { IWorkflowApplication } from "~/types.js";
+
+export interface IWorkflowsEditorProps {
+    apps: IWorkflowApplication[];
+    app: string | null | undefined;
+    onAppClick: (id: string) => void;
+}
+/**
+ * Main component which should get used to render Workflows Admin UI.
+ */
+export const WorkflowsEditorBase = (props: IWorkflowsEditorProps) => {
+    const { apps, onAppClick, app: initialApp } = props;
+
+    const canUseWorkflows = useCanUseWorkflows();
+
+    const app = useMemo(() => {
+        if (!initialApp) {
+            return null;
+        }
+        return apps.find(a => a.id === initialApp);
+    }, [initialApp, apps]);
+
+    if (!canUseWorkflows) {
+        return (
+            <Alert type={"danger"} title={"You don't have access to Workflows."}>
+                You do not have access to Workflows. Please contact your system administrator.
+            </Alert>
+        );
+    }
+
+    return (
+        <SplitView>
+            <LeftPanel>
+                <WorkflowsDataList apps={apps} activeId={app?.id} onSelectApp={onAppClick} />
+            </LeftPanel>
+            <RightPanel>
+                {app ? (
+                    <SimpleForm size={"lg"}>
+                        <SimpleFormHeader title={app.name} />
+                        <SimpleFormContent>
+                            <WorkflowEditor app={app} />
+                        </SimpleFormContent>
+                        <SimpleFormFooter>
+                            <></>
+                        </SimpleFormFooter>
+                    </SimpleForm>
+                ) : null}
+            </RightPanel>
+        </SplitView>
+    );
+};

packages/app-workflows/src/Components/WorkflowsPermissions/HasWorkflowsEditorPermission.tsx

@@ -0,0 +1,15 @@
+import React from "react";
+import { useWorkflowsPermission } from "~/Components/WorkflowsPermissions/useWorkflowsPermission.js";
+
+export interface IHasWorkflowsSecurityPermissionProps {
+    children: React.ReactElement | React.ReactElement[];
+}
+
+export const HasWorkflowsEditorPermission = (props: IHasWorkflowsSecurityPermissionProps) => {
+    const hasPermission = useWorkflowsPermission();
+
+    if (!hasPermission.editor) {
+        return null;
+    }
+    return props.children;
+};