feat(projects): add default set of permissions when creating new project (DSP-1347) #1822
Changes from 10 commits
feb8d48
08a6e35
d9e9af5
756930d
1ac476b
107d302
0b76619
68dcb47
4b88079
9c36ac9
a8b4359
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -31,13 +31,16 @@ import org.knora.webapi.exceptions._ | |
import org.knora.webapi.feature.FeatureFactoryConfig | ||
import org.knora.webapi.instrumentation.InstrumentationSupport | ||
import org.knora.webapi.messages.IriConversions._ | ||
import org.knora.webapi.messages.StringFormatter.IriDomain | ||
import org.knora.webapi.messages.admin.responder.projectsmessages._ | ||
import org.knora.webapi.messages.admin.responder.usersmessages.{ | ||
UserADM, | ||
UserGetADM, | ||
UserIdentifierADM, | ||
UserInformationTypeADM | ||
} | ||
import org.knora.webapi.messages.admin.responder.permissionsmessages._ | ||
|
||
import org.knora.webapi.messages.store.cacheservicemessages.{ | ||
CacheServiceGetProjectADM, | ||
CacheServicePutProjectADM, | ||
|
@@ -968,6 +971,84 @@ class ProjectsResponderADM(responderData: ResponderData) extends Responder(respo | |
requestingUser: UserADM, | ||
apiRequestID: UUID): Future[ProjectOperationResponseADM] = { | ||
|
||
/** | ||
* Creates following permissions for the new project | ||
* 1. Permissions for project admins to do all operations on project level and to create, modify, delete, change rights, | ||
* view, and restricted view of all new resources and values that belong to this project. | ||
* 2. Permissions for project members to create, modify, view and restricted view of all new resources and values that belong to this project. | ||
* | ||
* @param projectIri the IRI of the new project. | ||
* @throws BadRequestException if a permission is not created. | ||
*/ | ||
def createPermissionsForAdminsAndMembersOfNewProject(projectIri: IRI, projectShortCode: String): Future[Unit] = | ||
for { | ||
baseIri: String <- Future.successful(s"http://$IriDomain/permissions/$projectShortCode/") | ||
// Give the admins of the new project rights for any operation in project level, and rights to create resources. | ||
apPermissionForProjectAdmin: AdministrativePermissionCreateResponseADM <- (responderManager ? AdministrativePermissionCreateRequestADM( | ||
createRequest = CreateAdministrativePermissionAPIRequestADM( | ||
id = Some(baseIri + "defaultApForAdmin"), | ||
forProject = projectIri, | ||
forGroup = OntologyConstants.KnoraAdmin.ProjectAdmin, | ||
hasPermissions = | ||
Set(PermissionADM.ProjectAdminAllPermission, PermissionADM.ProjectResourceCreateAllPermission) | ||
), | ||
featureFactoryConfig = featureFactoryConfig, | ||
requestingUser = requestingUser, | ||
apiRequestID = UUID.randomUUID() | ||
)).mapTo[AdministrativePermissionCreateResponseADM] | ||
|
||
// Give the members of the new project rights to create resources. | ||
apPermissionForProjectAdmin: AdministrativePermissionCreateResponseADM <- (responderManager ? AdministrativePermissionCreateRequestADM( | ||
apPermissionsForProjectAdmin -> apPermissionsForProjectMember |
||
createRequest = CreateAdministrativePermissionAPIRequestADM( | ||
id = Some(baseIri + "defaultApForMember"), | ||
forProject = projectIri, | ||
forGroup = OntologyConstants.KnoraAdmin.ProjectMember, | ||
hasPermissions = Set(PermissionADM.ProjectResourceCreateAllPermission) | ||
), | ||
featureFactoryConfig = featureFactoryConfig, | ||
requestingUser = requestingUser, | ||
apiRequestID = UUID.randomUUID() | ||
)).mapTo[AdministrativePermissionCreateResponseADM] | ||
|
||
// Give the admins of the new project rights to change rights, modify, delete, view, | ||
// and restricted view of all resources and values that belong to the project. | ||
doapForProjctAdmin <- (responderManager ? DefaultObjectAccessPermissionCreateRequestADM( | ||
typo: doapForProjectAdmin |
||
createRequest = CreateDefaultObjectAccessPermissionAPIRequestADM( | ||
id = Some(baseIri + "defaultDoapForAdmin"), | ||
forProject = projectIri, | ||
forGroup = Some(OntologyConstants.KnoraAdmin.ProjectAdmin), | ||
hasPermissions = Set( | ||
PermissionADM.changeRightsPermission(OntologyConstants.KnoraAdmin.ProjectAdmin), | ||
PermissionADM.deletePermission(OntologyConstants.KnoraAdmin.ProjectAdmin), | ||
PermissionADM.modifyPermission(OntologyConstants.KnoraAdmin.ProjectAdmin), | ||
PermissionADM.viewPermission(OntologyConstants.KnoraAdmin.ProjectAdmin), | ||
PermissionADM.restrictedViewPermission(OntologyConstants.KnoraAdmin.ProjectAdmin) | ||
) | ||
), | ||
featureFactoryConfig = featureFactoryConfig, | ||
requestingUser = requestingUser, | ||
apiRequestID = UUID.randomUUID() | ||
)).mapTo[DefaultObjectAccessPermissionCreateResponseADM] | ||
|
||
// Give the members of the new project rights to modify, view, and restricted view of all resources and values | ||
// that belong to the project. | ||
doapForProjctAdmin <- (responderManager ? DefaultObjectAccessPermissionCreateRequestADM( | ||
Shouldn't this be named |
||
createRequest = CreateDefaultObjectAccessPermissionAPIRequestADM( | ||
id = Some(baseIri + "defaultDoapForMember"), | ||
forProject = projectIri, | ||
forGroup = Some(OntologyConstants.KnoraAdmin.ProjectMember), | ||
hasPermissions = Set( | ||
PermissionADM.modifyPermission(OntologyConstants.KnoraAdmin.ProjectMember), | ||
PermissionADM.viewPermission(OntologyConstants.KnoraAdmin.ProjectMember), | ||
PermissionADM.restrictedViewPermission(OntologyConstants.KnoraAdmin.ProjectMember) | ||
) | ||
), | ||
featureFactoryConfig = featureFactoryConfig, | ||
requestingUser = requestingUser, | ||
apiRequestID = UUID.randomUUID() | ||
)).mapTo[DefaultObjectAccessPermissionCreateResponseADM] | ||
} yield () | ||
|
||
def projectCreateTask(createProjectRequest: CreateProjectApiRequestADM, | ||
requestingUser: UserADM): Future[ProjectOperationResponseADM] = | ||
for { | ||
|
@@ -1044,6 +1125,8 @@ class ProjectsResponderADM(responderData: ResponderData) extends Responder(respo | |
throw UpdateNotPerformedException( | ||
s"Project $newProjectIRI was not created. Please report this as a possible bug.") | ||
) | ||
// create permissions for admins and members of the new group | ||
_ <- createPermissionsForAdminsAndMembersOfNewProject(newProjectIRI, newProjectADM.shortcode) | ||
|
||
} yield ProjectOperationResponseADM(project = newProjectADM) | ||
|
||
|
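Review bot: The permission setup is not atomic with project creation: `_ <- createPermissionsForAdminsAndMembersOfNewProject(newProjectIRI, newProjectADM.shortcode)` runs only after the project has been written and verified, and the helper sends its four permission requests one after another with no compensation, so a failure in any of them fails the returned Future while the project stays in place with none or only some of its default permissions. These defaults decide who can administer the project and reach its resources, so that partial state should be cleaned up or reported distinctly, and the call site deserves a comment such as `// not atomic with project creation: a failure here leaves the project with an incomplete permission set`. The permission IRIs are fixed names under `baseIri`, so a retry after a partial failure would presumably collide with the ones already created; it is worth confirming how the permissions responder treats an `id` that already exists. The helper's Scaladoc also lacks `@param projectShortCode`, and the comment above the new call says "new group" where the new project is meant. The body of projectCreateTask begins outside the visible hunk.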
good catch!