From f407e802ac355f7883d0b54836402a06a2a34fd5 Mon Sep 17 00:00:00 2001
From: Brian Bolt
Date: Wed, 8 May 2024 13:56:03 -0700
Subject: [PATCH] ACAS-770: Additional project grants
---
 conf/config.properties.example | 5 +++++
 modules/ServerAPI/src/server/routes/AuthorRoutes.coffee | 9 +++++++++
 2 files changed, 14 insertions(+)
diff --git a/conf/config.properties.example b/conf/config.properties.example
index bea0dca48..e39831864 100644
--- a/conf/config.properties.example
+++ b/conf/config.properties.example
@@ -652,6 +652,11 @@ client.roles.crossProjectLoaderRole=ROLE_ACAS-CROSS-PROJECT-LOADER
 # e.g. server.projects.filterList = ["SomeProject"]
 server.projects.filterList = []
+# Grant access to additionalProjectGrants to users with access to projects
+# e.g. server.projects.additionalProjectGrants = {"PROJ-00000001": ["PROJ-00000002", "PROJ-00000003"]}
+# This would grant access to PROJ-00000002 and PROJ-00000003 to users with access to PROJ-00000001
+server.projects.additionalProjectGrants = {}
+
 # For whether protocols and experiments should have sequential user defined corpName labels
 client.entity.saveInitialsCorpName=false
diff --git a/modules/ServerAPI/src/server/routes/AuthorRoutes.coffee b/modules/ServerAPI/src/server/routes/AuthorRoutes.coffee
index 8e1d61e45..61be08260 100644
--- a/modules/ServerAPI/src/server/routes/AuthorRoutes.coffee
+++ b/modules/ServerAPI/src/server/routes/AuthorRoutes.coffee
@@ -58,6 +58,11 @@ exports.allowedProjectsInternal = (user, callback) -> allProjects = _.filter allProjects, (project, index) -> ! _.contains projectFilterList, project.code + # Get additional project grants from the config + # These configs allow a user access to a set of projects if they belong to the project specified in the key + # e.g. {"Project B": ["Project A", "Project C"]} means that if a user has access to Project B, they also have access to Project A and Project C + additionalProjectGrants = JSON.parse config.all.server.projects.additionalProjectGrants + if (config.all.server.project.roles.enable) filteredProjects = [] isAdmin = false; @@ -66,6 +71,10 @@ exports.allowedProjectsInternal = (user, callback) -> user.roles.forEach (role) -> if role.roleEntry.lsType != null && role.roleEntry.lsType == "Project" allowedProjectCodes.push role.roleEntry.lsKind + # If the user has access to a project, also give them access to its dependent projects + if additionalProjectGrants[role.roleEntry.lsKind]? + console.log "User #{user.username} has access to project #{role.roleEntry.lsKind} so also giving access to additional projects #{additionalProjectGrants[role.roleEntry.lsKind]}" + allowedProjectCodes = allowedProjectCodes.concat(additionalProjectGrants[role.roleEntry.lsKind]) else if role.roleEntry.roleName == config.all.client.roles.acas.adminRole isAdmin = true if isAdmin
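Review bot: The added `JSON.parse config.all.server.projects.additionalProjectGrants` has no fallback, so a missing or malformed property throws inside allowedProjectsInternal, the function that decides which projects a user may see. Unless defaults from config.properties.example are always merged in (not visible here), a deployment upgraded without the new key would fail on every call; `additionalProjectGrants = JSON.parse(config.all.server.projects.additionalProjectGrants ? "{}")` covers the absent case, and a try/catch that logs and falls back to `{}` covers bad JSON. Because this map widens access, it is also worth checking that each value is an array of project codes before using it. The function body starts and ends outside the hunk.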
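Review bot: The existence test `additionalProjectGrants[role.roleEntry.lsKind]?` in the second hunk also matches keys inherited from Object.prototype (an lsKind of `constructor` or `toString` passes it), so `concat` would push a non-project value into allowedProjectCodes; `if _.has(additionalProjectGrants, role.roleEntry.lsKind)` limits the lookup to keys actually present in the config. The grants are single-level, since only projects the user holds a role for are looked up, and the comment should say so, e.g. `# Grants are not transitive: projects reached only through a grant do not trigger further grants`. The `console.log` runs for every matching role on every call and records an access-widening decision with the username, so it would be better emitted through whatever logger the project uses, at a debug or audit level. The forEach callback and the surrounding if/else continue outside the hunk.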