Add endpoints for effective permissions #88

Defaults for permission type have been removed. Wildcard permissions are returned instead.

modules/rest-api/src/com/haulmont/addon/restapi/api/service/PermissionsControllerManager.java

@@ -116,40 +116,21 @@ public EffectiveRoleInfo getEffectiveRole(EffectiveRoleRequestParams params) {
 
     public EffectiveRoleInfo createEffectiveRoleInfo(RoleDefinition role, EffectiveRoleRequestParams params) {
         EffectiveRoleInfo roleInfo = new EffectiveRoleInfo();
-        DefaultValuesInfo defaultValues = roleInfo.getDefaultValues();
         ExplicitPermissionsInfo explicitPermissionsInfo = roleInfo.getExplicitPermissions();
         if (params.isEntities()) {
             explicitPermissionsInfo.setEntities(new ArrayList<>());
             role.entityPermissions().getExplicitPermissions().forEach((key, value) ->
                     explicitPermissionsInfo.getEntities().add(new ShortPermissionInfo(key, value)));
-            defaultValues.setEntityCreate(role.entityPermissions().getDefaultEntityCreateAccess() != null ?
-                    role.entityPermissions().getDefaultEntityCreateAccess().getId() :
-                    null);
-            defaultValues.setEntityRead(role.entityPermissions().getDefaultEntityReadAccess() != null ?
-                    role.entityPermissions().getDefaultEntityReadAccess().getId() :
-                    null);
-            defaultValues.setEntityUpdate(role.entityPermissions().getDefaultEntityUpdateAccess() != null ?
-                    role.entityPermissions().getDefaultEntityUpdateAccess().getId() :
-                    null);
-            defaultValues.setEntityDelete(role.entityPermissions().getDefaultEntityDeleteAccess() != null ?
-                    role.entityPermissions().getDefaultEntityDeleteAccess().getId() :
-                    null);
         }
         if (params.isEntityAttributes()) {
             explicitPermissionsInfo.setEntityAttributes(new ArrayList<>());
             role.entityAttributePermissions().getExplicitPermissions().forEach((key, value) ->
                     explicitPermissionsInfo.getEntityAttributes().add(new ShortPermissionInfo(key, value)));
-            defaultValues.setEntityAttribute(role.entityAttributePermissions().getDefaultEntityAttributeAccess() != null ?
-                    role.entityAttributePermissions().getDefaultEntityAttributeAccess().getId() :
-                    null);
         }
         if (params.isSpecific()) {
             explicitPermissionsInfo.setSpecific(new ArrayList<>());
             role.specificPermissions().getExplicitPermissions().forEach((key, value) ->
                     explicitPermissionsInfo.getSpecific().add(new ShortPermissionInfo(key, value)));
-            defaultValues.setSpecific(role.specificPermissions().getDefaultSpecificAccess() != null ?
-                    role.specificPermissions().getDefaultSpecificAccess().getId() :
-                    null);
         }
 
         roleInfo.setUndefinedPermissionPolicy(rolesService.getPermissionUndefinedAccessPolicy().name());

modules/rest-api/src/com/haulmont/addon/restapi/api/service/filter/data/EffectiveRoleInfo.java

@@ -21,8 +21,6 @@ public class EffectiveRoleInfo {
 
     private ExplicitPermissionsInfo explicitPermissions = new ExplicitPermissionsInfo();
 
-    private DefaultValuesInfo defaultValues = new DefaultValuesInfo();
-
     private String undefinedPermissionPolicy = "DENY";
 
     public EffectiveRoleInfo() {
@@ -36,14 +34,6 @@ public void setExplicitPermissions(ExplicitPermissionsInfo explicitPermissions)
         this.explicitPermissions = explicitPermissions;
     }
 
-    public DefaultValuesInfo getDefaultValues() {
-        return defaultValues;
-    }
-
-    public void setDefaultValues(DefaultValuesInfo defaultValues) {
-        this.defaultValues = defaultValues;
-    }
-
     public String getUndefinedPermissionPolicy() {
         return undefinedPermissionPolicy;
     }

test/restapi-demo/modules/core/src/com/haulmont/rest/demo/core/roles/RestFullAccessRole.java

@@ -10,31 +10,27 @@
 /**
  * Role grants full access for REST API
  */
-@Role(name = RestFullAccessRole.NAME, securityScope = "REST")
+@Role(name = RestFullAccessRole.NAME, securityScope = "REST", isSuper = true)
 public class RestFullAccessRole extends AnnotatedRoleDefinition {
 
     public static final String NAME = "rest-full-access";
 
     @Override
-    @DefaultEntityAccess(allow = {EntityOp.CREATE, EntityOp.READ, EntityOp.UPDATE, EntityOp.DELETE})
     public EntityPermissionsContainer entityPermissions() {
         return super.entityPermissions();
     }
 
     @Override
-    @DefaultEntityAttributeAccess(EntityAttrAccess.MODIFY)
     public EntityAttributePermissionsContainer entityAttributePermissions() {
         return super.entityAttributePermissions();
     }
 
     @Override
-    @DefaultSpecificAccess(Access.ALLOW)
     public SpecificPermissionsContainer specificPermissions() {
         return super.specificPermissions();
     }
 
     @Override
-    @DefaultScreenAccess(Access.ALLOW)
     public ScreenPermissionsContainer screenPermissions() {
         return super.screenPermissions();
     }

test/restapi-demo/modules/core/src/com/haulmont/rest/demo/core/roles/RestTestAnonymousRole.java

@@ -18,8 +18,8 @@
 package com.haulmont.rest.demo.core.roles;
 
 import com.haulmont.cuba.security.app.role.AnnotatedRoleDefinition;
-import com.haulmont.cuba.security.app.role.annotation.DefaultEntityAttributeAccess;
 import com.haulmont.cuba.security.app.role.annotation.EntityAccess;
+import com.haulmont.cuba.security.app.role.annotation.EntityAttributeAccess;
 import com.haulmont.cuba.security.app.role.annotation.Role;
 import com.haulmont.cuba.security.entity.EntityAttrAccess;
 import com.haulmont.cuba.security.entity.EntityOp;
@@ -36,13 +36,13 @@ public class RestTestAnonymousRole extends AnnotatedRoleDefinition {
 
 
     @Override
-    @EntityAccess(target = User.class, allow = {EntityOp.READ})
+    @EntityAccess(entityClass = User.class, operations = {EntityOp.READ})
     public EntityPermissionsContainer entityPermissions() {
         return super.entityPermissions();
     }
 
     @Override
-    @DefaultEntityAttributeAccess(value = EntityAttrAccess.VIEW)
+    @EntityAttributeAccess(entityName = "*", view = "*")
     public EntityAttributePermissionsContainer entityAttributePermissions() {
         return super.entityAttributePermissions();
     }

test/restapi-demo/modules/portal/test/com/haulmont/rest/demo/http/rest/EntitiesControllerSecurityFT.java

@@ -482,63 +482,105 @@ private void createDbUserRoles() throws SQLException {
     private void createDbRoles() throws SQLException {
         //read-only role. can read colours, can't read cars
         colorReadRoleId = dirtyData.createRoleUuid();
-        executePrepared("insert into sec_role(id, name, security_scope, default_entity_read_access) " +
-                        "values(?, ?, ?, ?)",
+        executePrepared("insert into sec_role(id, name, security_scope) " +
+                        "values(?, ?, ?)",
                 colorReadRoleId,
                 "colorReadRole",
-                "REST",
-                1
+                "REST"
         );
 
+        executePrepared("insert into sec_permission(id, role_id, permission_type, target, value_) " +
+                "values(?, ?, ?, ?, ?)",
+                dirtyData.createPermissionUuid(),
+                colorReadRoleId,
+                PermissionType.ENTITY_OP.getId(),
+                "*:read",
+                1);
+
         //read_only role. can update colours, can't update cars
         colorUpdateRoleId = dirtyData.createRoleUuid();
-        executePrepared("insert into sec_role(id, name, security_scope, default_entity_read_access) " +
-                        "values(?, ?, ?, ?)",
+        executePrepared("insert into sec_role(id, name, security_scope) " +
+                        "values(?, ?, ?)",
                 colorUpdateRoleId,
                 "colorUpdateRole",
-                "REST",
-                1
+                "REST"
         );
 
+        executePrepared("insert into sec_permission(id, role_id, permission_type, target, value_) " +
+                        "values(?, ?, ?, ?, ?)",
+                dirtyData.createPermissionUuid(),
+                colorUpdateRoleId,
+                PermissionType.ENTITY_OP.getId(),
+                "*:read",
+                1);
+
         //read-only role. can create colours
         colorCreateRoleId = dirtyData.createRoleUuid();
-        executePrepared("insert into sec_role(id, name, security_scope, default_entity_read_access) " +
-                        "values(?, ?, ?, ?)",
+        executePrepared("insert into sec_role(id, name, security_scope) " +
+                        "values(?, ?, ?)",
                 colorCreateRoleId,
                 "colorCreateRole",
-                "REST",
-                1
+                "REST"
         );
 
+        executePrepared("insert into sec_permission(id, role_id, permission_type, target, value_) " +
+                        "values(?, ?, ?, ?, ?)",
+                dirtyData.createPermissionUuid(),
+                colorCreateRoleId,
+                PermissionType.ENTITY_OP.getId(),
+                "*:read",
+                1);
+
         //read-only role. can delete colours
         colorDeleteRoleId = dirtyData.createRoleUuid();
-        executePrepared("insert into sec_role(id, name, security_scope, default_entity_read_access) " +
-                        "values(?, ?, ?, ?)",
+        executePrepared("insert into sec_role(id, name, security_scope) " +
+                        "values(?, ?, ?)",
                 colorDeleteRoleId,
                 "colorDeleteRole",
-                "REST",
-                1
+                "REST"
         );
 
+        executePrepared("insert into sec_permission(id, role_id, permission_type, target, value_) " +
+                        "values(?, ?, ?, ?, ?)",
+                dirtyData.createPermissionUuid(),
+                colorDeleteRoleId,
+                PermissionType.ENTITY_OP.getId(),
+                "*:read",
+                1);
+
         //read-only role for attributes access tests
         carReadRoleId = dirtyData.createRoleUuid();
-        executePrepared("insert into sec_role(id, name, security_scope, default_entity_read_access) " +
-                        "values(?, ?, ?, ?)",
+        executePrepared("insert into sec_role(id, name, security_scope) " +
+                        "values(?, ?, ?)",
                 carReadRoleId,
                 "carReadRole",
-                "REST",
-                1
+                "REST"
         );
 
+        executePrepared("insert into sec_permission(id, role_id, permission_type, target, value_) " +
+                        "values(?, ?, ?, ?, ?)",
+                dirtyData.createPermissionUuid(),
+                carReadRoleId,
+                PermissionType.ENTITY_OP.getId(),
+                "*:read",
+                1);
+
         //read-only role, prohibiting viewing the colors
         noColorReadRoleId = dirtyData.createRoleUuid();
-        executePrepared("insert into sec_role(id, name, security_scope, default_entity_read_access) " +
-                        "values(?, ?, ?, ?)",
+        executePrepared("insert into sec_role(id, name, security_scope) " +
+                        "values(?, ?, ?)",
                 noColorReadRoleId,
                 "noColorReadRole",
-                "REST",
-                1
+                "REST"
         );
+
+        executePrepared("insert into sec_permission(id, role_id, permission_type, target, value_) " +
+                        "values(?, ?, ?, ?, ?)",
+                dirtyData.createPermissionUuid(),
+                noColorReadRoleId,
+                PermissionType.ENTITY_OP.getId(),
+                "*:read",
+                1);
     }
 
     private void createDbData() throws SQLException {