From e8d26a04e4fcc2294e29103a2d216d959cdff3e2 Mon Sep 17 00:00:00 2001 From: amentis Date: Mon, 3 Jun 2024 15:11:10 +0300 Subject: [PATCH] notification permissions changes --- .../src/main/resources/config/permissions.yml | 62 ++++++++++--------- .../censorship/InAppNotificationCensor.java | 8 ++- 2 files changed, 41 insertions(+), 29 deletions(-) diff --git a/notification-service/notification-web/src/main/resources/config/permissions.yml b/notification-service/notification-web/src/main/resources/config/permissions.yml index 1d152a075..deb2d28e9 100644 --- a/notification-service/notification-web/src/main/resources/config/permissions.yml +++ b/notification-service/notification-web/src/main/resources/config/permissions.yml @@ -4,20 +4,17 @@ permissions: # Tenants BrowseTenant: - roles: - - Admin + roles: [] clients: [ ] allowAnonymous: false allowAuthenticated: false EditTenant: - roles: - - Admin + roles: [] clients: [ "opencdmp-api-dev" ] allowAnonymous: false allowAuthenticated: false DeleteTenant: - roles: - - Admin + roles: [] claims: [ ] clients: [ "opencdmp-api-dev" ] allowAnonymous: false @@ -25,6 +22,7 @@ permissions: AllowNoTenant: roles: - Admin + - InstallationAdmin claims: [ ] clients: [ ] allowAnonymous: false @@ -32,19 +30,17 @@ permissions: # Users BrowseUser: roles: - - TenantAdmin + - Admin clients: [ ] allowAnonymous: true allowAuthenticated: false EditUser: - roles: - - TenantAdmin + roles: [] clients: [ "opencdmp-api-dev" ] allowAnonymous: false allowAuthenticated: false DeleteUser: - roles: - - TenantAdmin + roles: [] claims: [ ] clients: [ "opencdmp-api-dev" ] allowAnonymous: false 
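Review bot: After this hunk `BrowseTenant` has `roles: []`, `clients: [ ]`, `allowAnonymous: false` and `allowAuthenticated: false`, so unless the authorization evaluator treats an all-empty entry specially (it is not part of this diff) no principal can satisfy it, while `EditTenant` and `DeleteTenant` become reachable only through the `opencdmp-api-dev` client. The same `roles: []` pattern is applied to `EditUser` and `DeleteUser` in the later `@@ -32,19 +30,17 @@` hunk. If tenant and user management is meant to move to service-client-only access, a comment on the entry would make that explicit, e.g. `# no user roles: tenant/user management is reserved to service clients`; otherwise the dropped `Admin`/`TenantAdmin` grants look like a regression. The only client named carries a `-dev` suffix, which suggests a development client id; confirm that this file is environment-specific, because whatever environment loads it grants edit/delete rights to that id.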
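Review bot: `InstallationAdmin` is introduced on `AllowNoTenant` in this hunk without anything in the file stating how it relates to `Admin`, `TenantAdmin` and the `TenantConfigManager` role added further down, which makes the role vocabulary hard to audit grant by grant. A short comment at the top of the `permissions:` block giving each role's intended scope (installation-wide versus per-tenant) would let a reviewer check every entry against least privilege, e.g. `# Role scopes: InstallationAdmin=<scope>, Admin=<scope>, TenantAdmin=<scope>, TenantConfigManager=<scope>` with the placeholders filled in by whoever owns the role model.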
@@ -52,19 +48,22 @@ permissions: # UserContactInfo BrowseUserContactInfo: roles: - - TenantAdmin + - Admin + - InstallationAdmin clients: [ "opencdmp-api-dev" ] allowAnonymous: true allowAuthenticated: false EditUserContactInfo: roles: - - TenantAdmin + - Admin + - InstallationAdmin clients: [ ] allowAnonymous: false allowAuthenticated: false DeleteUserContactInfo: roles: - - TenantAdmin + - Admin + - InstallationAdmin claims: [ ] clients: [ "opencdmp-api-dev" ] allowAnonymous: false @@ -72,25 +71,26 @@ permissions: #Notification BrowseNotification: roles: - - TenantAdmin + - Admin clients: [ ] allowAnonymous: true allowAuthenticated: false EditNotification: roles: - - TenantAdmin + - Admin clients: [ ] allowAnonymous: true allowAuthenticated: false DeleteNotification: roles: - - TenantAdmin + - Admin clients: [ ] allowAnonymous: false allowAuthenticated: false # TenantConfiguration BrowseTenantConfiguration: roles: + - Admin - TenantAdmin claims: [ ] clients: [ ] @@ -98,12 +98,14 @@ permissions: allowAuthenticated: false EditTenantConfiguration: roles: + - Admin - TenantAdmin clients: [ "opencdmp-api-dev" ] allowAnonymous: false allowAuthenticated: false DeleteTenantConfiguration: roles: + - Admin - TenantAdmin clients: [ "opencdmp-api-dev" ] allowAnonymous: false @@ -111,13 +113,13 @@ permissions: #User Notification Preference BrowseUserNotificationPreference: roles: - - TenantAdmin + - Admin clients: [ ] allowAnonymous: true allowAuthenticated: false EditUserNotificationPreference: roles: - - TenantAdmin + - Admin clients: [ ] allowAnonymous: false allowAuthenticated: false 
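Review bot: `BrowseUserContactInfo` keeps `allowAnonymous: true` while this hunk adds `Admin` and `InstallationAdmin` to its roles; if `allowAnonymous` short-circuits the role check (the evaluator is not in this diff), the added roles change nothing and contact information remains browsable without authentication. The same combination appears in the `@@ -72,25 +71,26 @@` hunk (`BrowseNotification`, and `EditNotification`, where an anonymous edit grant is harder to justify), in the `@@ -111,13 +113,13 @@` hunk (`BrowseUserNotificationPreference`) and on `BrowseUser` in the earlier `@@ -32,19 +30,17 @@` hunk. Since the commit already rewrites these `roles:` lists, it is the right place to confirm each `allowAnonymous: true` is still wanted; where it is, a comment such as `# anonymous access intended: <reason>` beside the flag would keep the next reviewer from raising it again.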
@@ -125,25 +127,26 @@ permissions: # ViewPage Permissions ViewNotificationPage: roles: - - TenantAdmin + - Admin clients: [ ] allowAnonymous: false allowAuthenticated: false ViewNotificationEventRulePage: roles: - - TenantAdmin + - Admin clients: [ ] allowAnonymous: false allowAuthenticated: false ViewInAppNotificationPage: roles: - - TenantAdmin + - Admin clients: [ ] allowAnonymous: false allowAuthenticated: false ViewNotificationTemplatePage: roles: - - TenantAdmin + - Admin + - TenantConfigManager clients: [ ] allowAnonymous: false allowAuthenticated: false @@ -151,19 +154,22 @@ permissions: # Notification Template Permissions BrowseNotificationTemplate: roles: - - TenantAdmin + - Admin + - TenantConfigManager clients: [ ] allowAnonymous: false allowAuthenticated: false EditNotificationTemplate: roles: - - TenantAdmin + - Admin + - TenantConfigManager clients: [ ] allowAnonymous: false allowAuthenticated: false DeleteNotificationTemplate: roles: - - TenantAdmin + - Admin + - TenantConfigManager clients: [ ] allowAnonymous: false allowAuthenticated: false @@ -171,13 +177,13 @@ permissions: # In App Notification Permissions BrowseInAppNotification: roles: - - TenantAdmin + - Admin clients: [ ] allowAnonymous: false allowAuthenticated: false DeleteInAppNotification: roles: - - TenantAdmin + - Admin clients: [ ] allowAnonymous: false allowAuthenticated: false \ No newline at end of file diff --git a/notification-service/notification/src/main/java/gr/cite/notification/model/censorship/InAppNotificationCensor.java b/notification-service/notification/src/main/java/gr/cite/notification/model/censorship/InAppNotificationCensor.java index 20b4ad8cf..0bc1c06be 100644 --- a/notification-service/notification/src/main/java/gr/cite/notification/model/censorship/InAppNotificationCensor.java +++ b/notification-service/notification/src/main/java/gr/cite/notification/model/censorship/InAppNotificationCensor.java 
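Review bot: `TenantConfigManager` is granted `DeleteNotificationTemplate` together with browse and edit in this hunk (and `ViewNotificationTemplatePage` in the `@@ -125,25 +127,26 @@` hunk); if the role is meant for configuration rather than administration, deletion may be more than it needs, so it is worth confirming that the delete grant is intentional rather than copied along with the other two. The file also still ends without a trailing newline (`\ No newline at end of file` in the `@@ -171,13 +177,13 @@` hunk), which this commit could have fixed while touching the last entry.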
@@ -4,6 +4,8 @@ import gr.cite.commons.web.authz.service.AuthorizationService; import gr.cite.notification.authorization.OwnedResource; import gr.cite.notification.authorization.Permission; import gr.cite.notification.convention.ConventionService; +import gr.cite.notification.model.InAppNotification; +import gr.cite.tools.data.censor.CensorFactory; import gr.cite.tools.fieldset.FieldSet; import gr.cite.tools.logging.DataLogEntry; import gr.cite.tools.logging.LoggerService; @@ -21,16 +23,20 @@ import java.util.UUID; public class InAppNotificationCensor extends BaseCensor { private static final LoggerService logger = new LoggerService(LoggerFactory.getLogger(InAppNotificationCensor.class)); private final AuthorizationService authService; + protected final CensorFactory censorFactory; @Autowired - public InAppNotificationCensor(ConventionService conventionService, AuthorizationService authService) { + public InAppNotificationCensor(ConventionService conventionService, AuthorizationService authService, CensorFactory censorFactory) { super(conventionService); this.authService = authService; + this.censorFactory = censorFactory; } public void censor(FieldSet fields, UUID userId) { logger.debug(new DataLogEntry("censoring fields", fields)); if (this.isEmpty(fields)) return; this.authService.authorizeAtLeastOneForce(userId != null ? List.of(new OwnedResource(userId)) : null, Permission.BrowseInAppNotification); + FieldSet userFields = fields.extractPrefixed(this.asIndexerPrefix(InAppNotification.Field.USER)); + this.censorFactory.censor(UserCensor.class).censor(userFields, userId); } }
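Review bot: The new `censorFactory` field is declared `protected` while the sibling `authService` is `private`, and nothing in the hunk shows the class being subclassed; `private final CensorFactory censorFactory;` keeps the narrower accessibility unless a subclass genuinely needs it. The added lines in `censor` delegate the `USER`-prefixed fields to `UserCensor` with the same `userId`, so a caller who passes the `BrowseInAppNotification` check here may afterwards be rejected by whatever permission `UserCensor` enforces (not visible in this diff); confirm that is the intended outcome, since the failure would then surface on the nested user fields rather than on the notification itself. `censor` also still has no Javadoc; a summary such as `/** Authorizes browsing of in-app notifications for {@code userId} and censors the nested user fields through {@link UserCensor}; propagates whatever {@code authorizeAtLeastOneForce} throws on denial. */` would document the contract, with the concrete exception type filled in from the authorization service.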