Merge pull request #9956 from vera/9926-list-role-assignments-permiss…

…ions

9926: list role assignments permissions

doc/release-notes/9926-list-role-assignments-permissions.md

@@ -0,0 +1 @@
+Listing collction/dataverse role assignments via API still requires ManageDataversePermissions, but listing dataset role assignments via API now requires only ManageDatasetPermissions.

src/main/java/edu/harvard/iq/dataverse/engine/command/impl/ListRoleAssignments.java

@@ -6,16 +6,18 @@
 import edu.harvard.iq.dataverse.engine.command.AbstractCommand;
 import edu.harvard.iq.dataverse.engine.command.CommandContext;
 import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
-import edu.harvard.iq.dataverse.engine.command.RequiredPermissions;
 import edu.harvard.iq.dataverse.engine.command.exception.CommandException;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.Collections;
 
 /**
  * 
  * @author michael
  */
-@RequiredPermissions( Permission.ManageDataversePermissions )
+// no annotations here, since permissions are dynamically decided
 public class ListRoleAssignments extends AbstractCommand<List<RoleAssignment>> {
 
 	private final DvObject definitionPoint;
@@ -34,5 +36,12 @@ public List<RoleAssignment> execute(CommandContext ctxt) throws CommandException
             }
 		return ctxt.permissions().assignmentsOn(definitionPoint);
 	}
+
+	@Override
+	public Map<String, Set<Permission>> getRequiredPermissions() {
+		return Collections.singletonMap("",
+				definitionPoint.isInstanceofDataset() ? Collections.singleton(Permission.ManageDatasetPermissions)
+						: Collections.singleton(Permission.ManageDataversePermissions));
+	}
 
 }

src/test/java/edu/harvard/iq/dataverse/api/DatasetsIT.java

@@ -1511,6 +1511,79 @@ public void testAddRoles(){
 
     }
 
+    @Test
+    public void testListRoleAssignments() {
+        Response createAdminUser = UtilIT.createRandomUser();
+        String adminUsername = UtilIT.getUsernameFromResponse(createAdminUser);
+        String adminApiToken = UtilIT.getApiTokenFromResponse(createAdminUser);
+        UtilIT.makeSuperUser(adminUsername);
+
+        Response createDataverseResponse = UtilIT.createRandomDataverse(adminApiToken);
+        createDataverseResponse.prettyPrint();
+        String dataverseAlias = UtilIT.getAliasFromResponse(createDataverseResponse);
+
+        // Now, let's allow anyone with a Dataverse account (any "random user")
+        // to create datasets in this dataverse:
+
+        Response grantRole = UtilIT.grantRoleOnDataverse(dataverseAlias, DataverseRole.DS_CONTRIBUTOR, AuthenticatedUsers.get().getIdentifier(), adminApiToken);
+        grantRole.prettyPrint();
+        assertEquals(OK.getStatusCode(), grantRole.getStatusCode());
+
+        Response createContributorUser = UtilIT.createRandomUser();
+        String contributorUsername = UtilIT.getUsernameFromResponse(createContributorUser);
+        String contributorApiToken = UtilIT.getApiTokenFromResponse(createContributorUser);
+
+        // First, we test listing role assignments on a dataverse which requires "ManageDataversePermissions"
+
+        Response notPermittedToListRoleAssignmentOnDataverse = UtilIT.getRoleAssignmentsOnDataverse(dataverseAlias, contributorApiToken);
+        assertEquals(UNAUTHORIZED.getStatusCode(), notPermittedToListRoleAssignmentOnDataverse.getStatusCode());
+
+        Response roleAssignmentsOnDataverse = UtilIT.getRoleAssignmentsOnDataverse(dataverseAlias, adminApiToken);
+        roleAssignmentsOnDataverse.prettyPrint();
+        assertEquals(OK.getStatusCode(), roleAssignmentsOnDataverse.getStatusCode());
+
+        // Second, we test listing role assignments on a dataset which requires "ManageDatasetPermissions"
+
+        Response createDatasetResponse = UtilIT.createRandomDatasetViaNativeApi(dataverseAlias, contributorApiToken);
+        createDatasetResponse.prettyPrint();
+        Integer datasetId = JsonPath.from(createDatasetResponse.body().asString()).getInt("data.id");
+        logger.info("dataset id: " + datasetId);
+
+        Response datasetAsJson = UtilIT.nativeGet(datasetId, adminApiToken);
+        datasetAsJson.then().assertThat()
+                .statusCode(OK.getStatusCode());
+
+        String identifier = JsonPath.from(datasetAsJson.getBody().asString()).getString("data.identifier");
+        assertEquals(10, identifier.length());
+
+        String protocol1 = JsonPath.from(datasetAsJson.getBody().asString()).getString("data.protocol");
+        String authority1 = JsonPath.from(datasetAsJson.getBody().asString()).getString("data.authority");
+        String identifier1 = JsonPath.from(datasetAsJson.getBody().asString()).getString("data.identifier");
+        String datasetPersistentId = protocol1 + ":" + authority1 + "/" + identifier1;
+
+        Response notPermittedToListRoleAssignmentOnDataset = UtilIT.getRoleAssignmentsOnDataset(datasetId.toString(), null, contributorApiToken);
+        assertEquals(UNAUTHORIZED.getStatusCode(), notPermittedToListRoleAssignmentOnDataset.getStatusCode());
+
+        // We assign the curator role to the contributor user
+        // (includes "ManageDatasetPermissions" which are required for listing role assignments of a dataset, but not
+        // "ManageDataversePermissions")
+
+        Response giveRandoPermission = UtilIT.grantRoleOnDataset(datasetPersistentId, "curator", "@" + contributorUsername, adminApiToken);
+        giveRandoPermission.prettyPrint();
+        assertEquals(200, giveRandoPermission.getStatusCode());
+
+        // Contributor user should now be able to list dataset role assignments as well
+
+        Response roleAssignmentsOnDataset = UtilIT.getRoleAssignmentsOnDataset(datasetId.toString(), null, contributorApiToken);
+        roleAssignmentsOnDataset.prettyPrint();
+        assertEquals(OK.getStatusCode(), roleAssignmentsOnDataset.getStatusCode());
+
+        // ...but not dataverse role assignments
+
+        notPermittedToListRoleAssignmentOnDataverse = UtilIT.getRoleAssignmentsOnDataverse(dataverseAlias, contributorApiToken);
+        assertEquals(UNAUTHORIZED.getStatusCode(), notPermittedToListRoleAssignmentOnDataverse.getStatusCode());
+    }
+
     @Test
     public void testFileChecksum() {