Merge pull request #420 from netgrif/NAE-2387

machacjozef · web-flow · commit fe97154eed2b · 2026-03-05T14:41:34.000+01:00
[NAE-2387] Fix permission evaluation order between ActorRef and proce…
diff --git a/application-engine/src/main/java/com/netgrif/application/engine/workflow/service/AbstractAuthorizationService.java b/application-engine/src/main/java/com/netgrif/application/engine/workflow/service/AbstractAuthorizationService.java
@@ -2,14 +2,19 @@
 
 import com.netgrif.application.engine.objects.auth.domain.AbstractUser;
 
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
 import java.util.stream.Collectors;
 
 public abstract class AbstractAuthorizationService {
 
+    protected Boolean checkPermissions(Map<String, Boolean> providedPermissions, List<String> requiredPermissions) {
+        if (requiredPermissions.stream().allMatch(permission -> providedPermissions.get(permission) == null)) {
+            return null;
+        }
+        return requiredPermissions.stream()
+                .anyMatch(permission -> hasPermission(providedPermissions.get(permission)));
+    }
+
     protected boolean hasPermission(Boolean permissionValue) {
         return permissionValue != null && permissionValue;
     }
diff --git a/application-engine/src/main/java/com/netgrif/application/engine/workflow/service/TaskAuthorizationService.java b/application-engine/src/main/java/com/netgrif/application/engine/workflow/service/TaskAuthorizationService.java
@@ -36,8 +36,7 @@ public Boolean userHasAtLeastOneRolePermission(AbstractUser user, Task task, Rol
             }
         }
 
-        return Arrays.stream(permissions)
-                .anyMatch(permission -> hasPermission(aggregatePermissions.get(permission.toString())));
+        return checkPermissions(aggregatePermissions, Arrays.stream(permissions).map(RolePermission::toString).toList());
     }
 
     @Override
@@ -62,8 +61,8 @@ public Boolean userHasUserListPermission(AbstractUser user, Task task, RolePermi
                 return false;
             }
         }
-        return Arrays.stream(permissions)
-                .anyMatch(permission -> hasPermission(userPermissions.get(permission.toString())));
+
+        return checkPermissions(userPermissions, Arrays.stream(permissions).map(RolePermission::toString).toList());
     }
 
     @Override
diff --git a/application-engine/src/main/java/com/netgrif/application/engine/workflow/service/WorkflowAuthorizationService.java b/application-engine/src/main/java/com/netgrif/application/engine/workflow/service/WorkflowAuthorizationService.java
@@ -63,8 +63,7 @@ public Boolean userHasAtLeastOneRolePermission(AbstractUser user, PetriNet net,
             }
         }
 
-        return Arrays.stream(permissions)
-                .anyMatch(permission -> hasPermission(aggregatePermissions.get(permission.toString())));
+        return checkPermissions(aggregatePermissions, Arrays.stream(permissions).map(ProcessRolePermission::toString).toList());
     }
 
     @Override
@@ -84,8 +83,7 @@ public Boolean userHasUserListPermission(AbstractUser user, Case useCase, Proces
                 return false;
             }
         }
-        return Arrays.stream(permissions)
-                .anyMatch(permission -> hasPermission(userPermissions.get(permission.toString())));
+        return checkPermissions(userPermissions, Arrays.stream(permissions).map(ProcessRolePermission::toString).toList());
     }
 
     private Map<String, Boolean> findUserPermissions(Case useCase, AbstractUser user) {
diff --git a/application-engine/src/test/groovy/com/netgrif/application/engine/auth/TaskAuthorizationServiceTest.groovy b/application-engine/src/test/groovy/com/netgrif/application/engine/auth/TaskAuthorizationServiceTest.groovy
@@ -590,4 +590,45 @@ class TaskAuthorizationServiceTest {
         workflowService.deleteCase(new DeleteCaseParams(case_.stringId))
     }
 
+    @Test
+    void testCanAssignWithRoleAssignTrueAndWithActorRefAssignUndefined() {
+        ProcessRole positiveRole = this.netWithUserRefs.getRoles().values().find(v -> v.getImportId() == "assign_pos_role")
+        userService.addRole(testUser, positiveRole.get_id())
+        Case case_ = workflowService.createCase(CreateCaseParams.with()
+                .process(netWithUserRefs)
+                .title("Test assign")
+                .color("")
+                .author(ActorTransformer.toLoggedUser(testUser))
+                .build()).getCase()
+
+        String taskId = (new ArrayList<>(case_.getTasks())).get(0).task
+        case_ = dataService.setData(taskId, ImportHelper.populateDataset([
+                "view_pos_ul": [
+                        "value": [testUser.stringId],
+                        "type": "actorList"
+                ]
+        ] as Map)).getCase()
+        assert taskAuthorizationService.canCallAssign(ActorTransformer.toLoggedUser(testUser), (new ArrayList<>(case_.getTasks())).get(0).task)
+    }
+
+    @Test
+    void testCanAssignWithRoleAssignUndefinedAndWithActorRefAssignTrue() {
+        ProcessRole positiveRole = this.netWithUserRefs.getRoles().values().find(v -> v.getImportId() == "view_pos_role")
+        userService.addRole(testUser, positiveRole.get_id())
+        Case case_ = workflowService.createCase(CreateCaseParams.with()
+                .process(netWithUserRefs)
+                .title("Test assign")
+                .color("")
+                .author(ActorTransformer.toLoggedUser(testUser))
+                .build()).getCase()
+
+        String taskId = (new ArrayList<>(case_.getTasks())).get(0).task
+        case_ = dataService.setData(taskId, ImportHelper.populateDataset([
+                "assign_pos_ul": [
+                        "value": [testUser.stringId],
+                        "type": "actorList"
+                ]
+        ] as Map)).getCase()
+        assert taskAuthorizationService.canCallAssign(ActorTransformer.toLoggedUser(testUser), (new ArrayList<>(case_.getTasks())).get(0).task)
+    }
 }
diff --git a/application-engine/src/test/groovy/com/netgrif/application/engine/auth/WorkflowAuthorizationServiceTest.groovy b/application-engine/src/test/groovy/com/netgrif/application/engine/auth/WorkflowAuthorizationServiceTest.groovy
@@ -311,6 +311,46 @@ class WorkflowAuthorizationServiceTest {
         userService.removeRole(testUser, negDeleteRole.getStringId())
     }
 
+    @Test
+    void testCanCallDeleteWithRoleDeleteTrueAndActorRefDeleteUndefined() {
+        ProcessRole positiveDeleteRole = this.netWithUserRefs.getRoles().values().find(v -> v.getImportId() == "delete_pos_role")
+        userService.addRole(testUser, positiveDeleteRole.getStringId())
+        Case case_ = workflowService.createCase(CreateCaseParams.with()
+                .process(netWithUserRefs)
+                .title("Test delete")
+                .color("")
+                .author(ActorTransformer.toLoggedUser(testUser))
+                .build()).getCase()
+        String taskId = (new ArrayList<>(case_.getTasks())).get(0).task
+        case_ = dataService.setData(taskId, ImportHelper.populateDataset([
+                "view_actor_list": [
+                        "value": [testUser.stringId],
+                        "type": "actorList"
+                ]
+        ] as Map)).getCase()
+        assert workflowAuthorizationService.canCallDelete(ActorTransformer.toLoggedUser(testUser), case_.getStringId())
+    }
+
+    @Test
+    void testCanCallDeleteWithRoleDeleteUndefinedAndActorRefDeleteTrue() {
+        ProcessRole positiveViewRole = this.netWithUserRefs.getRoles().values().find(v -> v.getImportId() == "view_pos_role")
+        userService.addRole(testUser, positiveViewRole.getStringId())
+        Case case_ = workflowService.createCase(CreateCaseParams.with()
+                .process(netWithUserRefs)
+                .title("Test delete")
+                .color("")
+                .author(ActorTransformer.toLoggedUser(testUser))
+                .build()).getCase()
+        String taskId = (new ArrayList<>(case_.getTasks())).get(0).task
+        case_ = dataService.setData(taskId, ImportHelper.populateDataset([
+                "pos_user_list": [
+                        "value": [testUser.stringId],
+                        "type": "actorList"
+                ]
+        ] as Map)).getCase()
+        assert workflowAuthorizationService.canCallDelete(ActorTransformer.toLoggedUser(testUser), case_.getStringId())
+    }
+
     @SuppressWarnings("GrMethodMayBeStatic")
     private def parseResult(MvcResult result) {
         return (new JsonSlurper()).parseText(result.response.contentAsString)
diff --git a/application-engine/src/test/resources/task_authorization_service_test_with_userRefs.xml b/application-engine/src/test/resources/task_authorization_service_test_with_userRefs.xml
@@ -20,6 +20,10 @@
         <id>finish_neg_role</id>
         <name>finish neg role</name>
     </role>
+    <role>
+        <id>view_pos_role</id>
+        <name>view pos role</name>
+    </role>
     <data type="actorList">
         <id>assign_pos_ul</id>
         <title/>
@@ -52,6 +56,10 @@
         <id>finish_neg_ul</id>
         <title/>
     </data>
+    <data type="actorList">
+        <id>view_pos_ul</id>
+        <title/>
+    </data>
     <data type="text">
         <id>text</id>
         <title>Text</title>
@@ -90,6 +98,12 @@
                 <finish>false</finish>
             </logic>
         </roleRef>
+        <roleRef>
+            <id>view_pos_role</id>
+            <logic>
+                <view>true</view>
+            </logic>
+        </roleRef>
         <actorRef>
             <id>assign_pos_ul</id>
             <logic>
@@ -138,6 +152,12 @@
                 <finish>false</finish>
             </logic>
         </actorRef>
+        <actorRef>
+            <id>view_pos_ul</id>
+            <logic>
+                <view>true</view>
+            </logic>
+        </actorRef>
         <dataRef>
             <id>text</id>
             <logic>
diff --git a/application-engine/src/test/resources/workflow_authorization_service_test_with_userRefs.xml b/application-engine/src/test/resources/workflow_authorization_service_test_with_userRefs.xml
@@ -28,6 +28,12 @@
             <create>false</create>
         </caseLogic>
     </roleRef>
+    <roleRef>
+        <id>view_pos_role</id>
+        <caseLogic>
+            <view>true</view>
+        </caseLogic>
+    </roleRef>
     <actorRef>
         <id>neg_user_list</id>
         <caseLogic>
@@ -40,6 +46,12 @@
             <delete>true</delete>
         </caseLogic>
     </actorRef>
+    <actorRef>
+        <id>view_actor_list</id>
+        <caseLogic>
+            <view>true</view>
+        </caseLogic>
+    </actorRef>
     <role>
         <id>delete_pos_role</id>
         <name>delete role</name>
@@ -56,6 +68,10 @@
         <id>create_neg_role</id>
         <name>create role</name>
     </role>
+    <role>
+        <id>view_pos_role</id>
+        <name>view role</name>
+    </role>
     <data type="actorList">
         <id>pos_user_list</id>
         <title/>
@@ -64,6 +80,10 @@
         <id>neg_user_list</id>
         <title/>
     </data>
+    <data type="actorList">
+        <id>view_actor_list</id>
+        <title/>
+    </data>
     <data type="text">
         <id>text</id>
         <title>Text</title>

Original file line number	Diff line number	Diff line change
`@@ -36,8 +36,7 @@ public Boolean userHasAtLeastOneRolePermission(AbstractUser user, Task task, Rol`
`36`	`36`	`}`
`37`	`37`	`}`
`38`	`38`
`39`		`- return Arrays.stream(permissions)`
`40`		`- .anyMatch(permission -> hasPermission(aggregatePermissions.get(permission.toString())));`
	`39`	`+ return checkPermissions(aggregatePermissions, Arrays.stream(permissions).map(RolePermission::toString).toList());`
`41`	`40`	`}`
`42`	`41`
`43`	`42`	`@Override`
`@@ -62,8 +61,8 @@ public Boolean userHasUserListPermission(AbstractUser user, Task task, RolePermi`
`62`	`61`	`return false;`
`63`	`62`	`}`
`64`	`63`	`}`
`65`		`- return Arrays.stream(permissions)`
`66`		`- .anyMatch(permission -> hasPermission(userPermissions.get(permission.toString())));`
	`64`	`+`
	`65`	`+ return checkPermissions(userPermissions, Arrays.stream(permissions).map(RolePermission::toString).toList());`
`67`	`66`	`}`
`68`	`67`
`69`	`68`	`@Override`
Original file line number	Diff line number	Diff line change
`@@ -63,8 +63,7 @@ public Boolean userHasAtLeastOneRolePermission(AbstractUser user, PetriNet net,`
`63`	`63`	`}`
`64`	`64`	`}`
`65`	`65`
`66`		`- return Arrays.stream(permissions)`
`67`		`- .anyMatch(permission -> hasPermission(aggregatePermissions.get(permission.toString())));`
	`66`	`+ return checkPermissions(aggregatePermissions, Arrays.stream(permissions).map(ProcessRolePermission::toString).toList());`
`68`	`67`	`}`
`69`	`68`
`70`	`69`	`@Override`
`@@ -84,8 +83,7 @@ public Boolean userHasUserListPermission(AbstractUser user, Case useCase, Proces`
`84`	`83`	`return false;`
`85`	`84`	`}`
`86`	`85`	`}`
`87`		`- return Arrays.stream(permissions)`
`88`		`- .anyMatch(permission -> hasPermission(userPermissions.get(permission.toString())));`
	`86`	`+ return checkPermissions(userPermissions, Arrays.stream(permissions).map(ProcessRolePermission::toString).toList());`
`89`	`87`	`}`
`90`	`88`
`91`	`89`	`private Map<String, Boolean> findUserPermissions(Case useCase, AbstractUser user) {`