Merge branch 'feature/shibui-2393' of bitbucket.org:unicon/shib-idp-u…

…i into feature/shibui-2393
TIER · Dec 5, 2022 · 634feb5 · 634feb5
2 parents 91ff7e8 + 8f4e249
commit 634feb5
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 8 deletions.
diff --git a/.../edu/internet2/tier/shibboleth/admin/ui/security/permission/ShibUiPermissionDelegate.java b/.../edu/internet2/tier/shibboleth/admin/ui/security/permission/ShibUiPermissionDelegate.java
@@ -59,20 +59,24 @@ public Collection getPersistentEntities(Authentication ignored, ShibUiPermissibl
             case approve:
                 return getAllDynamicRegistrationInfoObjectsNeedingApprovalBasedOnUserAccess();
             case enable:
-                if (!hasPermission(ignored, null, PermissionType.enable)) {
-                    throw new ForbiddenException("User has no access rights to get a list of : " + shibUiType);
-                }
-                return dynamicRegistrationInfoRepository.getDynamicRegistrationsNeedingEnabling();
+                return getAllDynamicRegistrationNeedingEnabledByUserAccess();
             case fetch:
-                if (!hasPermission(ignored, null, PermissionType.fetch)) {
-                    throw new ForbiddenException("User has no access rights to get a list of : " + shibUiType);
-                }
                 return getAllDynamicRegistrationInfoObjectsBasedOnUserAccess();
             }
         }
         return null;
     }
 
+    private Collection getAllDynamicRegistrationNeedingEnabledByUserAccess() throws ForbiddenException {
+        if (userService.currentUserIsAdmin()) {
+            return dynamicRegistrationInfoRepository.getDynamicRegistrationsNeedingEnabling();
+        } else if (userService.currentUserCanEnable()) {
+            return dynamicRegistrationInfoRepository.getDynamicRegistrationsNeedingEnabling(userService.getCurrentUser().getGroupId());
+        }
+        throw new ForbiddenException("User has no access rights to enable");
+
+    }
+
     private List<DynamicRegistrationInfo> getAllDynamicRegistrationInfoObjectsNeedingApprovalBasedOnUserAccess() {
         List<String> groupsToApprove = userService.getGroupsCurrentUserCanApprove();
         return dynamicRegistrationInfoRepository.getAllNeedingApproval(groupsToApprove);
@@ -110,7 +114,7 @@ public boolean hasPermission(Authentication ignored, Object targetDomainObject,
             return targetDomainObject instanceof IApprovable ? userService.getGroupsCurrentUserCanApprove().contains(((IApprovable)targetDomainObject).getIdOfOwner()) : false;
         case enable:
             return targetDomainObject instanceof IActivatable ? currentUserCanEnable((IActivatable) targetDomainObject) : false;
-        case fetch:
+        case fetch: // we don't care about one object, just the user's ability to fetch data
             return userService.currentUserIsAdmin() || userService.getCurrentUserAccess().equals(UserAccess.GROUP);
         case viewOrEdit:
             return userService.canViewOrEditTarget((Ownable) targetDomainObject);

diff --git a/...rnet2/tier/shibboleth/admin/ui/security/repository/DynamicRegistrationInfoRepository.java b/...rnet2/tier/shibboleth/admin/ui/security/repository/DynamicRegistrationInfoRepository.java
@@ -1,6 +1,7 @@
 package edu.internet2.tier.shibboleth.admin.ui.security.repository;
 
 import edu.internet2.tier.shibboleth.admin.ui.domain.oidc.DynamicRegistrationInfo;
+import edu.internet2.tier.shibboleth.admin.ui.security.model.Group;
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.data.jpa.repository.Query;
 import org.springframework.data.repository.query.Param;
@@ -20,4 +21,10 @@ public interface DynamicRegistrationInfoRepository extends JpaRepository<Dynamic
 
     @Query(value = "SELECT dri FROM DynamicRegistrationInfo dri WHERE dri.enabled = false")
     List<DynamicRegistrationInfo> getDynamicRegistrationsNeedingEnabling();
+
+    @Query(value = "SELECT dri FROM DynamicRegistrationInfo dri " +
+                   " WHERE dri.idOfOwner = :groupId" +
+                   "   AND dri.enabled = false" +
+                   "   AND dri.approved = true")
+    List<DynamicRegistrationInfo> getDynamicRegistrationsNeedingEnabling(@Param("groupId") String groupId);
 }
diff --git a/...nd/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java b/...nd/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java
@@ -232,4 +232,8 @@ public void updateUserRole(User user) {
             throw new RuntimeException(String.format("User with username [%s] has no role defined and therefore cannot be updated!", user.getUsername()));
         }
     }
+
+    public boolean currentUserCanEnable() {
+        return getCurrentUser().getRole().equals("ROLE_ENABLE");
+    }
 }