From 16f72fb0d5fdd9497762e0488abc528b9ffbfbb7 Mon Sep 17 00:00:00 2001 
From: jamesrdi Date: Fri, 2 Jun 2023 13:12:19 +0200 Subject: [PATCH] Closes #2269 - Implement READTASKS Permission --- .../delete/DeleteClassificationAccTest.java | 1 + .../update/UpdateClassificationAccTest.java | 2 + .../TaskUpdatePriorityWorkerAccTest.java | 1 + .../task/ServiceLevelOfAllTasksAccTest.java | 1 + .../task/claim/ClaimTaskAccTest.java | 7 +- .../task/claim/SetOwnerAccTest.java | 4 +- .../task/complete/CancelTaskAccTest.java | 4 +- .../task/complete/CompleteTaskAccTest.java | 4 +- .../complete/CompleteTaskWithSpiAccTest.java | 1 + .../task/create/CreateTaskAccTest.java | 1 + .../task/create/CreateTaskWithSorAccTest.java | 1 + .../task/delete/DeleteTaskAccTest.java | 1 + .../task/delete/DeleteTaskWithSorAccTest.java | 1 + .../acceptance/task/get/GetTaskAccTest.java | 63 +++++++++++ .../task/get/GetTaskWithSorAccTest.java | 1 + .../task/query/TaskQueryImplAccTest.java | 106 ++++++++++++++++++ .../requestchanges/RequestChangesAccTest.java | 4 +- .../RequestChangesWithAfterSpiAccTest.java | 2 + .../RequestChangesWithBeforeSpiAccTest.java | 1 + .../requestreview/RequestReviewAccTest.java | 4 +- .../RequestReviewWithAfterSpiAccTest.java | 2 + .../RequestReviewWithBeforeSpiAccTest.java | 1 + .../update/UpdateManualPriorityAccTest.java | 1 + .../UpdateManualPriorityWithSpiAccTest.java | 1 + .../task/update/UpdateTaskWithSorAccTest.java | 1 + .../create/CreateTaskCommentAccTest.java | 4 +- .../get/GetTaskCommentAccTest.java | 7 +- .../update/UpdateTaskCommentAccTest.java | 1 + .../taskana/task/internal/TaskQueryImpl.java | 29 +++-- .../task/internal/TaskQuerySqlProvider.java | 14 ++- .../task/internal/TaskServiceImpl.java | 6 +- .../internal/WorkbasketQueryMapper.java | 18 +-- .../create/CreateWorkbasketAccTest.java | 19 ++++ .../QueryWorkbasketByPermissionAccTest.java | 26 +++++ ...UpdateWorkbasketAuthorizationsAccTest.java | 26 +++++ .../testapi/builder/TaskBuilderTest.java | 1 + .../builder/TaskCommentBuilderTest.java | 1 + 37 files changed, 332 
insertions(+), 36 deletions(-) diff --git a/lib/taskana-core-test/src/test/java/acceptance/classification/delete/DeleteClassificationAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/classification/delete/DeleteClassificationAccTest.java index 07bffb8759..49042e5b71 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/classification/delete/DeleteClassificationAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/classification/delete/DeleteClassificationAccTest.java @@ -45,6 +45,7 @@ void setup() throws Exception { .accessId("businessadmin") .permission(WorkbasketPermission.OPEN) .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService, "admin"); } diff --git a/lib/taskana-core-test/src/test/java/acceptance/classification/update/UpdateClassificationAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/classification/update/UpdateClassificationAccTest.java index 64bcc46aea..9567993e15 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/classification/update/UpdateClassificationAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/classification/update/UpdateClassificationAccTest.java @@ -134,6 +134,7 @@ private String createTaskWithExistingClassification(ClassificationSummary classi .accessId(currentUserContext.getUserid()) .permission(WorkbasketPermission.OPEN) .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService, "businessadmin"); 
@@ -156,6 +157,7 @@ private List createTasksWithExistingClassificationInAttachment( .accessId(currentUserContext.getUserid()) .permission(WorkbasketPermission.OPEN) .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService, "businessadmin"); ClassificationSummary classificationSummaryWithSpecifiedServiceLevel = diff --git a/lib/taskana-core-test/src/test/java/acceptance/jobs/helper/TaskUpdatePriorityWorkerAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/jobs/helper/TaskUpdatePriorityWorkerAccTest.java index 416ffd2b8a..21b58091c7 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/jobs/helper/TaskUpdatePriorityWorkerAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/jobs/helper/TaskUpdatePriorityWorkerAccTest.java @@ -65,6 +65,7 @@ void setUp(ClassificationService classificationService, WorkbasketService workba .workbasketId(workbasketSummary.getId()) .accessId("whatever") .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .buildAndStore(workbasketService); TaskBuilder taskBuilder = diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/ServiceLevelOfAllTasksAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/ServiceLevelOfAllTasksAccTest.java index b28c0853fd..5e0ca19c92 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/task/ServiceLevelOfAllTasksAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/ServiceLevelOfAllTasksAccTest.java @@ -79,6 +79,7 @@ void setup() throws Exception { .accessId("user-1-1") .permission(WorkbasketPermission.OPEN) .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); } 
diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/claim/ClaimTaskAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/claim/ClaimTaskAccTest.java index b176d41fb6..65996ed8ee 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/task/claim/ClaimTaskAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/claim/ClaimTaskAccTest.java @@ -59,6 +59,7 @@ void setup() throws Exception { .accessId("user-1-2") .permission(WorkbasketPermission.OPEN) .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); @@ -257,7 +258,8 @@ void should_ThrowNotAuthorizedException_When_UserHasNoReadPermissionAndTaskIsRea catchThrowableOfType(call, NotAuthorizedOnWorkbasketException.class); assertThat(e.getCurrentUserId()).isEqualTo("user-taskrouter"); assertThat(e.getWorkbasketId()).isEqualTo(defaultWorkbasketSummary.getId()); - assertThat(e.getRequiredPermissions()).containsExactlyInAnyOrder(WorkbasketPermission.READ); + assertThat(e.getRequiredPermissions()) + .containsExactlyInAnyOrder(WorkbasketPermission.READ, WorkbasketPermission.READTASKS); ; } @@ -280,7 +282,8 @@ void should_ThrowNotAuthorizedException_When_UserHasNoReadPermissionAndTaskIsRea catchThrowableOfType(call, NotAuthorizedOnWorkbasketException.class); assertThat(e.getCurrentUserId()).isEqualTo("user-taskrouter"); assertThat(e.getWorkbasketId()).isEqualTo(defaultWorkbasketSummary.getId()); - assertThat(e.getRequiredPermissions()).containsExactlyInAnyOrder(WorkbasketPermission.READ); + assertThat(e.getRequiredPermissions()) + .containsExactlyInAnyOrder(WorkbasketPermission.READ, WorkbasketPermission.READTASKS); } @WithAccessId(user = "user-1-2") diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/claim/SetOwnerAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/claim/SetOwnerAccTest.java index 9a3a16bc41..65d6f0a586 100644 
--- a/lib/taskana-core-test/src/test/java/acceptance/task/claim/SetOwnerAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/claim/SetOwnerAccTest.java @@ -56,6 +56,7 @@ void setup() throws Exception { .accessId("user-1-2") .permission(WorkbasketPermission.OPEN) .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); @@ -117,7 +118,8 @@ void should_ThrowException_When_SetOwnerViaUpdateTaskIsNotAuthorizedOnWorkbasket catchThrowableOfType(call2, NotAuthorizedOnWorkbasketException.class); assertThat(e2.getWorkbasketId()).isEqualTo(defaultWorkbasketSummary.getId()); assertThat(e2.getCurrentUserId()).isEqualTo("user-1-1"); - assertThat(e2.getRequiredPermissions()).containsExactly(WorkbasketPermission.READ); + assertThat(e2.getRequiredPermissions()) + .containsExactly(WorkbasketPermission.READ, WorkbasketPermission.READTASKS); } @WithAccessId(user = "user-1-2") diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/complete/CancelTaskAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/complete/CancelTaskAccTest.java index 99ba22a414..eab92363cc 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/task/complete/CancelTaskAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/complete/CancelTaskAccTest.java @@ -58,6 +58,7 @@ void setup() throws Exception { .accessId("user-1-2") .permission(WorkbasketPermission.OPEN) .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); 
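Review bot: The rewritten assertion in the SetOwnerAccTest hunk at -117, `.containsExactly(WorkbasketPermission.READ, WorkbasketPermission.READTASKS);`, is order-sensitive now that two permissions are expected. It pins the order in which the service happens to list them, not the set of permissions the caller needs. ClaimTaskAccTest and GetTaskAccTest in this same patch use `.containsExactlyInAnyOrder(WorkbasketPermission.READ, WorkbasketPermission.READTASKS);` for the same check, and using it here would keep the authorization tests consistent. The same applies to the matching assertions in CancelTaskAccTest, CompleteTaskAccTest, RequestChangesAccTest, RequestReviewAccTest and CreateTaskCommentAccTest. The enclosing test method starts outside the hunk.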
@@ -130,7 +131,8 @@ void should_ThrowException_When_UserNotAuthorized() throws Exception { NotAuthorizedOnWorkbasketException e = catchThrowableOfType(call, NotAuthorizedOnWorkbasketException.class); - assertThat(e.getRequiredPermissions()).containsExactly(WorkbasketPermission.READ); + assertThat(e.getRequiredPermissions()) + .containsExactly(WorkbasketPermission.READ, WorkbasketPermission.READTASKS); assertThat(e.getCurrentUserId()).isEqualTo("user-taskrouter"); assertThat(e.getWorkbasketId()).isEqualTo(defaultWorkbasketSummary.getId()); } diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/complete/CompleteTaskAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/complete/CompleteTaskAccTest.java index 77065f6045..2bcfa54965 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/task/complete/CompleteTaskAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/complete/CompleteTaskAccTest.java @@ -76,6 +76,7 @@ void setup(ClassificationService classificationService, WorkbasketService workba .workbasketId(defaultWorkbasketSummary.getId()) .accessId("user-1-1") .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); @@ -217,7 +218,8 @@ void should_ThrowException_When_UserIsNotAuthorizedOnTask() throws Exception { assertThat(e.getCurrentUserId()).isEqualTo(currentUserContext.getUserid()); WorkbasketSummary workbasket = claimedTask.getWorkbasketSummary(); assertThat(e.getWorkbasketId()).isEqualTo(workbasket.getId()); - assertThat(e.getRequiredPermissions()).containsExactly(WorkbasketPermission.READ); + assertThat(e.getRequiredPermissions()) + .containsExactly(WorkbasketPermission.READ, WorkbasketPermission.READTASKS); } @WithAccessId(user = "user-1-1") 
diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/complete/CompleteTaskWithSpiAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/complete/CompleteTaskWithSpiAccTest.java index ccba830e0e..03fccdd96f 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/task/complete/CompleteTaskWithSpiAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/complete/CompleteTaskWithSpiAccTest.java @@ -54,6 +54,7 @@ void setup(ClassificationService classificationService, WorkbasketService workba .workbasketId(defaultWorkbasketSummary.getId()) .accessId("user-1-1") .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/create/CreateTaskAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/create/CreateTaskAccTest.java index 64d1548b19..617ff0b091 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/task/create/CreateTaskAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/create/CreateTaskAccTest.java @@ -85,6 +85,7 @@ void setup() throws Exception { .accessId("user-1-2") .permission(WorkbasketPermission.OPEN) .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); defaultObjectReference = defaultTestObjectReference().build(); diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/create/CreateTaskWithSorAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/create/CreateTaskWithSorAccTest.java index b309fe3572..263f45b4e2 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/task/create/CreateTaskWithSorAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/create/CreateTaskWithSorAccTest.java 
@@ -56,6 +56,7 @@ void setup() throws Exception { .accessId("user-1-1") .permission(WorkbasketPermission.OPEN) .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); defaultObjectReference = defaultTestObjectReference().build(); diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/delete/DeleteTaskAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/delete/DeleteTaskAccTest.java index 068b36f7e5..440e243e8c 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/task/delete/DeleteTaskAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/delete/DeleteTaskAccTest.java @@ -64,6 +64,7 @@ void setup() throws Exception { .accessId("user-1-2") .permission(WorkbasketPermission.OPEN) .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); task1 = diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/delete/DeleteTaskWithSorAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/delete/DeleteTaskWithSorAccTest.java index c7ba3c291b..e5f3e1525e 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/task/delete/DeleteTaskWithSorAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/delete/DeleteTaskWithSorAccTest.java @@ -56,6 +56,7 @@ void setup() throws Exception { .accessId("user-1-1") .permission(WorkbasketPermission.OPEN) .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); defaultObjectReference = defaultTestObjectReference().build(); diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/get/GetTaskAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/get/GetTaskAccTest.java index ddb7640372..9913127bc1 100644 
--- a/lib/taskana-core-test/src/test/java/acceptance/task/get/GetTaskAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/get/GetTaskAccTest.java @@ -52,8 +52,12 @@ class GetTaskAccTest { ClassificationSummary defaultClassificationSummary; WorkbasketSummary defaultWorkbasketSummary; + WorkbasketSummary wbWithoutReadTasksPerm; + WorkbasketSummary wbWithoutReadPerm; ObjectReference defaultObjectReference; Task task; + Task task2; + Task task3; Map callbackInfo; @WithAccessId(user = "admin") @@ -62,6 +66,8 @@ void setup() throws Exception { defaultClassificationSummary = defaultTestClassification().buildAndStoreAsSummary(classificationService); defaultWorkbasketSummary = defaultTestWorkbasket().buildAndStoreAsSummary(workbasketService); + wbWithoutReadTasksPerm = defaultTestWorkbasket().buildAndStoreAsSummary(workbasketService); + wbWithoutReadPerm = defaultTestWorkbasket().buildAndStoreAsSummary(workbasketService); defaultObjectReference = defaultTestObjectReference().build(); callbackInfo = createSimpleCustomPropertyMap(3); @@ -70,6 +76,21 @@ void setup() throws Exception { .accessId("user-1-1") .permission(WorkbasketPermission.OPEN) .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) + .permission(WorkbasketPermission.APPEND) + .buildAndStore(workbasketService); + WorkbasketAccessItemBuilder.newWorkbasketAccessItem() + .workbasketId(wbWithoutReadTasksPerm.getId()) + .accessId("user-1-1") + .permission(WorkbasketPermission.OPEN) + .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.APPEND) + .buildAndStore(workbasketService); + WorkbasketAccessItemBuilder.newWorkbasketAccessItem() + .workbasketId(wbWithoutReadPerm.getId()) + .accessId("user-1-1") + .permission(WorkbasketPermission.OPEN) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); 
@@ -123,6 +144,20 @@ void setup() throws Exception { .workbasketSummary(defaultWorkbasketSummary) .primaryObjRef(defaultObjectReference) .buildAndStore(taskService); + + task2 = + TaskBuilder.newTask() + .workbasketSummary(wbWithoutReadTasksPerm) + .classificationSummary(defaultClassificationSummary) + .primaryObjRef(defaultObjectReference) + .buildAndStore(taskService); + + task3 = + TaskBuilder.newTask() + .workbasketSummary(wbWithoutReadPerm) + .classificationSummary(defaultClassificationSummary) + .primaryObjRef(defaultObjectReference) + .buildAndStore(taskService); } @WithAccessId(user = "user-1-1") 
@@ -182,6 +217,34 @@ void should_ReturnTask_When_RequestingTaskByTaskId() throws Exception { assertThat(readTask).hasNoNullFieldsOrPropertiesExcept("ownerLongName", "completed"); } + @WithAccessId(user = "user-1-1") + @Test + void should_ThrowException_When_NoReadTasksPerm() { + ThrowingCallable call = () -> taskService.getTask(task2.getId()); + + NotAuthorizedOnWorkbasketException e = + catchThrowableOfType(call, NotAuthorizedOnWorkbasketException.class); + + assertThat(e.getRequiredPermissions()) + .containsExactlyInAnyOrder(WorkbasketPermission.READ, WorkbasketPermission.READTASKS); + assertThat(e.getCurrentUserId()).isEqualTo("user-1-1"); + assertThat(e.getWorkbasketId()).isEqualTo(wbWithoutReadTasksPerm.getId()); + } + + @WithAccessId(user = "user-1-1") + @Test + void should_ThrowException_When_UserHasReadTasksButNoReadPerm() { + ThrowingCallable call = () -> taskService.getTask(task3.getId()); + + NotAuthorizedOnWorkbasketException e = + catchThrowableOfType(call, NotAuthorizedOnWorkbasketException.class); + + assertThat(e.getRequiredPermissions()) + .containsExactlyInAnyOrder(WorkbasketPermission.READ, WorkbasketPermission.READTASKS); + assertThat(e.getCurrentUserId()).isEqualTo("user-1-1"); + assertThat(e.getWorkbasketId()).isEqualTo(wbWithoutReadPerm.getId()); + } + @WithAccessId(user = "user-1-1") @Test void should_ThrowException_When_RequestedTaskByIdIsNotExisting() { diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/get/GetTaskWithSorAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/get/GetTaskWithSorAccTest.java index 340fc40296..99d2bb0d94 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/task/get/GetTaskWithSorAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/get/GetTaskWithSorAccTest.java 
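Review bot: The name `should_ThrowException_When_NoReadTasksPerm` does not say that the user still holds READ on the workbasket, although the setup hunk grants OPEN, READ and APPEND on `wbWithoutReadTasksPerm`. Its sibling spells out both sides, so `should_ThrowException_When_UserHasReadButNoReadTasksPerm` would make the pair symmetric. Both tests expect the same `getRequiredPermissions()` content. A one-line comment such as `// getTask reports READ and READTASKS as required whichever of the two is missing` would tell readers that this is intended and not a copy-paste slip.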
@@ -45,6 +45,7 @@ void setup() throws Exception { .accessId("user-1-1") .permission(WorkbasketPermission.OPEN) .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); defaultObjectReference = defaultTestObjectReference().build(); diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/query/TaskQueryImplAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/query/TaskQueryImplAccTest.java index fb5c8e990c..29c8a6ba03 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/task/query/TaskQueryImplAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/query/TaskQueryImplAccTest.java @@ -47,6 +47,7 @@ import pro.taskana.testapi.security.WithAccessId; import pro.taskana.workbasket.api.WorkbasketPermission; import pro.taskana.workbasket.api.WorkbasketService; +import pro.taskana.workbasket.api.exceptions.NotAuthorizedToQueryWorkbasketException; import pro.taskana.workbasket.api.models.WorkbasketSummary; @TaskanaIntegrationTest @@ -93,6 +94,7 @@ private void persistPermission(WorkbasketSummary workbasketSummary) throws Excep .permission(WorkbasketPermission.OPEN) .permission(WorkbasketPermission.READ) .permission(WorkbasketPermission.APPEND) + .permission(WorkbasketPermission.READTASKS) .buildAndStore(workbasketService, "businessadmin"); } @@ -102,11 +104,17 @@ class PermissionsTest { WorkbasketSummary wb1; WorkbasketSummary wb2; WorkbasketSummary wbWithoutPermissions; + WorkbasketSummary wbWithoutReadTasksPerm; + WorkbasketSummary wbWithoutReadPerm; + WorkbasketSummary wbWithoutOpenPerm; TaskSummary taskSummary1; TaskSummary taskSummary2; TaskSummary taskSummary3; TaskSummary taskSummary4; TaskSummary taskSummary5; + TaskSummary taskSummary6; + TaskSummary taskSummary7; + TaskSummary taskSummary8; @WithAccessId(user = "user-1-1") @BeforeAll 
@@ -115,6 +123,34 @@ void setup() throws Exception { wb2 = createWorkbasketWithPermission(); wbWithoutPermissions = defaultTestWorkbasket().buildAndStoreAsSummary(workbasketService, "businessadmin"); + wbWithoutReadTasksPerm = + defaultTestWorkbasket().buildAndStoreAsSummary(workbasketService, "businessadmin"); + wbWithoutReadPerm = + defaultTestWorkbasket().buildAndStoreAsSummary(workbasketService, "businessadmin"); + wbWithoutOpenPerm = + defaultTestWorkbasket().buildAndStoreAsSummary(workbasketService, "businessadmin"); + + WorkbasketAccessItemBuilder.newWorkbasketAccessItem() + .workbasketId(wbWithoutReadTasksPerm.getId()) + .accessId(currentUserContext.getUserid()) + .permission(WorkbasketPermission.OPEN) + .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.APPEND) + .buildAndStore(workbasketService, "businessadmin"); + WorkbasketAccessItemBuilder.newWorkbasketAccessItem() + .workbasketId(wbWithoutReadPerm.getId()) + .accessId(currentUserContext.getUserid()) + .permission(WorkbasketPermission.OPEN) + .permission(WorkbasketPermission.READTASKS) + .permission(WorkbasketPermission.APPEND) + .buildAndStore(workbasketService, "businessadmin"); + WorkbasketAccessItemBuilder.newWorkbasketAccessItem() + .workbasketId(wbWithoutOpenPerm.getId()) + .accessId(currentUserContext.getUserid()) + .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) + .permission(WorkbasketPermission.APPEND) + .buildAndStore(workbasketService, "businessadmin"); taskSummary1 = taskInWorkbasket(wb1).buildAndStoreAsSummary(taskService); taskSummary2 = taskInWorkbasket(wb2).buildAndStoreAsSummary(taskService); 
@@ -124,6 +160,12 @@ void setup() throws Exception { taskInWorkbasket(wbWithoutPermissions).buildAndStoreAsSummary(taskService, "admin"); taskSummary5 = taskInWorkbasket(wbWithoutPermissions).buildAndStoreAsSummary(taskService, "admin"); + taskSummary6 = + taskInWorkbasket(wbWithoutReadTasksPerm).buildAndStoreAsSummary(taskService, "admin"); + taskSummary7 = + taskInWorkbasket(wbWithoutReadPerm).buildAndStoreAsSummary(taskService, "admin"); + taskSummary8 = + taskInWorkbasket(wbWithoutOpenPerm).buildAndStoreAsSummary(taskService, "admin"); } @WithAccessId(user = "admin") 
@@ -167,6 +209,70 @@ void should_OnlyReturnTasksFromCorrectWorkbaskets_When_UserHasNoPermissionToOneW .contains(taskSummary1, taskSummary2) .doesNotContain(taskSummary3, taskSummary4, taskSummary5); } + + @WithAccessId(user = "user-1-1") + @Test + void should_ReturnEmptyList_When_WorkbasketOfTaskHasNoReadTasksPerm() { + List list = taskService.createTaskQuery().idIn(taskSummary3.getId()).list(); + + assertThat(list.isEmpty()); + } + + @WithAccessId(user = "user-1-1") + @Test + void should_ThrowException_When_QueryByWorkbasketThatHasOpenReadButNoReadTasksPermission() { + assertThatThrownBy( + () -> + taskService + .createTaskQuery() + .workbasketIdIn(wbWithoutReadTasksPerm.getId()) + .list()) + .isInstanceOf(NotAuthorizedToQueryWorkbasketException.class); + } + + @WithAccessId(user = "user-1-1") + @Test + void should_ReturnEmptyList_When_WorkbasketOfTaskHasReadTasksButNoReadPerm() { + List list = taskService.createTaskQuery().idIn(taskSummary7.getId()).list(); + + assertThat(list).isEmpty(); + } + + @WithAccessId(user = "user-1-1") + @Test + void should_QueryByTaskId_When_WorkbasketHasReadAndReadTasksButNoOpenPerm() { + List list = taskService.createTaskQuery().idIn(taskSummary8.getId()).list(); + + assertThat(list).containsOnly(taskSummary8); + } + + @WithAccessId(user = "user-1-1") + @Test + void should_OnlyReturnTaskFromWorkbasketWithoutOpenPerm_When_OthersHasNoReadOrReadTasksPerm() { + List list = + taskService + .createTaskQuery() + .idIn(taskSummary6.getId(), taskSummary7.getId(), taskSummary8.getId()) + .list(); + + assertThat(list).containsOnly(taskSummary8); + } + + @WithAccessId(user = "user-1-1") + @Test + void should_ThrowException_When_QueryByWbIdAndWorkbasketHasReadTasksButNoReadPerm() { + assertThatThrownBy( + () -> taskService.createTaskQuery().workbasketIdIn(wbWithoutReadPerm.getId()).list()) + .isInstanceOf(NotAuthorizedToQueryWorkbasketException.class); + } + + @WithAccessId(user = "user-1-1") + @Test + void 
should_ThrowException_When_QueryByWbIdAndWorkbasketHasReadAndReadTasksButNoOpenPerm() { + assertThatThrownBy( + () -> taskService.createTaskQuery().workbasketIdIn(wbWithoutOpenPerm.getId()).list()) + .isInstanceOf(NotAuthorizedToQueryWorkbasketException.class); + } } @Nested diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/requestchanges/RequestChangesAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/requestchanges/RequestChangesAccTest.java index d66ec742ed..a5c191e95e 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/task/requestchanges/RequestChangesAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/requestchanges/RequestChangesAccTest.java @@ -55,6 +55,7 @@ void setup(ClassificationService classificationService, WorkbasketService workba .workbasketId(defaultWorkbasketSummary.getId()) .accessId("user-1-1") .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); @@ -143,7 +144,8 @@ void should_ThrowException_When_UserHasNoWorkbasketPermission() throws Exception NotAuthorizedOnWorkbasketException e = catchThrowableOfType(call, NotAuthorizedOnWorkbasketException.class); - assertThat(e.getRequiredPermissions()).containsExactly(WorkbasketPermission.READ); + assertThat(e.getRequiredPermissions()) + .containsExactly(WorkbasketPermission.READ, WorkbasketPermission.READTASKS); assertThat(e.getCurrentUserId()).isEqualTo("user-1-2"); assertThat(e.getWorkbasketId()).isEqualTo(defaultWorkbasketSummary.getId()); assertThat(e.getDomain()).isNull(); diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/requestchanges/RequestChangesWithAfterSpiAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/requestchanges/RequestChangesWithAfterSpiAccTest.java index eb1fc7757c..973181f938 100644 
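Review bot: `assertThat(list.isEmpty());` in should_ReturnEmptyList_When_WorkbasketOfTaskHasNoReadTasksPerm builds an AssertJ assertion object and never calls a check on it, so the test passes whatever the query returns. It also queries `taskSummary3`, which appears to belong to the workbasket without any permissions, judging by the surrounding `doesNotContain(taskSummary3, taskSummary4, taskSummary5)` context (its assignment is outside the visible hunks). The task stored in `wbWithoutReadTasksPerm` is `taskSummary6`. Query `idIn(taskSummary6.getId())` and assert with `assertThat(list).isEmpty();`, as the sibling test for `taskSummary7` does. Then a query that returned tasks from a workbasket lacking READTASKS would fail this test.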
--- a/lib/taskana-core-test/src/test/java/acceptance/task/requestchanges/RequestChangesWithAfterSpiAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/requestchanges/RequestChangesWithAfterSpiAccTest.java @@ -60,6 +60,7 @@ void setup(ClassificationService classificationService, WorkbasketService workba .workbasketId(defaultWorkbasketSummary.getId()) .accessId("user-1-1") .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .permission(WorkbasketPermission.TRANSFER) .buildAndStore(workbasketService); @@ -68,6 +69,7 @@ void setup(ClassificationService classificationService, WorkbasketService workba .workbasketId(newWorkbasket.getId()) .accessId("user-1-1") .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/requestchanges/RequestChangesWithBeforeSpiAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/requestchanges/RequestChangesWithBeforeSpiAccTest.java index e244eed616..77911eb565 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/task/requestchanges/RequestChangesWithBeforeSpiAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/requestchanges/RequestChangesWithBeforeSpiAccTest.java @@ -57,6 +57,7 @@ void setup(ClassificationService classificationService, WorkbasketService workba .workbasketId(defaultWorkbasketSummary.getId()) .accessId("user-1-1") .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .permission(WorkbasketPermission.TRANSFER) .buildAndStore(workbasketService); 
diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/requestreview/RequestReviewAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/requestreview/RequestReviewAccTest.java index 2b2a2cda12..cedf97ff37 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/task/requestreview/RequestReviewAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/requestreview/RequestReviewAccTest.java @@ -55,6 +55,7 @@ void setup(ClassificationService classificationService, WorkbasketService workba .workbasketId(defaultWorkbasketSummary.getId()) .accessId("user-1-1") .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); @@ -172,7 +173,8 @@ void should_ThrowException_When_UserHasNoWorkbasketPermission() throws Exception NotAuthorizedOnWorkbasketException e = catchThrowableOfType(call, NotAuthorizedOnWorkbasketException.class); - assertThat(e.getRequiredPermissions()).containsExactly(WorkbasketPermission.READ); + assertThat(e.getRequiredPermissions()) + .containsExactly(WorkbasketPermission.READ, WorkbasketPermission.READTASKS); assertThat(e.getCurrentUserId()).isEqualTo("user-1-2"); assertThat(e.getWorkbasketId()).isEqualTo(defaultWorkbasketSummary.getId()); assertThat(e.getDomain()).isNull(); diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/requestreview/RequestReviewWithAfterSpiAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/requestreview/RequestReviewWithAfterSpiAccTest.java index 3f70f5a325..94ebf4931f 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/task/requestreview/RequestReviewWithAfterSpiAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/requestreview/RequestReviewWithAfterSpiAccTest.java 
@@ -61,6 +61,7 @@ void setup(ClassificationService classificationService, WorkbasketService workba .workbasketId(defaultWorkbasketSummary.getId()) .accessId("user-1-1") .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .permission(WorkbasketPermission.TRANSFER) .buildAndStore(workbasketService); @@ -69,6 +70,7 @@ void setup(ClassificationService classificationService, WorkbasketService workba .workbasketId(newWorkbasket.getId()) .accessId("user-1-1") .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/requestreview/RequestReviewWithBeforeSpiAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/requestreview/RequestReviewWithBeforeSpiAccTest.java index 234e67e34b..aac442e86d 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/task/requestreview/RequestReviewWithBeforeSpiAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/requestreview/RequestReviewWithBeforeSpiAccTest.java @@ -58,6 +58,7 @@ void setup(ClassificationService classificationService, WorkbasketService workba .workbasketId(defaultWorkbasketSummary.getId()) .accessId("user-1-1") .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .permission(WorkbasketPermission.TRANSFER) .buildAndStore(workbasketService); diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/update/UpdateManualPriorityAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/update/UpdateManualPriorityAccTest.java index 928c2c5256..b01646c350 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/task/update/UpdateManualPriorityAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/update/UpdateManualPriorityAccTest.java 
@@ -53,6 +53,7 @@ void setup() throws Exception { .accessId("user-1-1") .permission(WorkbasketPermission.OPEN) .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); defaultObjectReference = defaultTestObjectReference().build(); diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/update/UpdateManualPriorityWithSpiAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/update/UpdateManualPriorityWithSpiAccTest.java index ff084a9085..9d798005c4 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/task/update/UpdateManualPriorityWithSpiAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/update/UpdateManualPriorityWithSpiAccTest.java @@ -74,6 +74,7 @@ void setup() throws Exception { .accessId("user-1-1") .permission(WorkbasketPermission.OPEN) .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); defaultObjectReference = defaultTestObjectReference().build(); diff --git a/lib/taskana-core-test/src/test/java/acceptance/task/update/UpdateTaskWithSorAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/task/update/UpdateTaskWithSorAccTest.java index ec22b30658..400fce4ede 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/task/update/UpdateTaskWithSorAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/task/update/UpdateTaskWithSorAccTest.java @@ -46,6 +46,7 @@ void setup() throws Exception { .accessId("user-1-1") .permission(WorkbasketPermission.OPEN) .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); defaultObjectReference = defaultTestObjectReference().build(); 
diff --git a/lib/taskana-core-test/src/test/java/acceptance/taskcomment/create/CreateTaskCommentAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/taskcomment/create/CreateTaskCommentAccTest.java index 3e575ced23..1ac49a834f 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/taskcomment/create/CreateTaskCommentAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/taskcomment/create/CreateTaskCommentAccTest.java @@ -50,6 +50,7 @@ void setup() throws Exception { .accessId("user-1-1") .permission(WorkbasketPermission.OPEN) .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); @@ -104,7 +105,8 @@ void should_FailToCreateTaskComment_When_UserHasNoWorkbasketPermission() { catchThrowableOfType(call, NotAuthorizedOnWorkbasketException.class); assertThat(e.getCurrentUserId()).isEqualTo("user-1-2"); assertThat(e.getWorkbasketId()).isEqualTo(defaultWorkbasket.getId()); - assertThat(e.getRequiredPermissions()).containsExactly(WorkbasketPermission.READ); + assertThat(e.getRequiredPermissions()) + .containsExactly(WorkbasketPermission.READ, WorkbasketPermission.READTASKS); } @WithAccessId(user = "user-1-1") diff --git a/lib/taskana-core-test/src/test/java/acceptance/taskcomment/get/GetTaskCommentAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/taskcomment/get/GetTaskCommentAccTest.java index 318598b0f6..0d04830893 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/taskcomment/get/GetTaskCommentAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/taskcomment/get/GetTaskCommentAccTest.java @@ -61,6 +61,7 @@ void setup() throws Exception { .accessId("user-1-1") .permission(WorkbasketPermission.OPEN) .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); task1 = 
@@ -134,7 +135,8 @@ void should_FailToReturnTaskComments_When_TaskIsNotVisible() { catchThrowableOfType(call, NotAuthorizedOnWorkbasketException.class); assertThat(e.getCurrentUserId()).isEqualTo("user-1-2"); - assertThat(e.getRequiredPermissions()).containsExactly(WorkbasketPermission.READ); + assertThat(e.getRequiredPermissions()) + .containsExactly(WorkbasketPermission.READ, WorkbasketPermission.READTASKS); assertThat(e.getWorkbasketId()).isEqualTo(defaultWorkbasket.getId()); } @@ -154,7 +156,8 @@ void should_FailToReturnTaskComment_When_TaskIsNotVisible() throws Exception { catchThrowableOfType(call, NotAuthorizedOnWorkbasketException.class); assertThat(e.getCurrentUserId()).isEqualTo("user-1-2"); - assertThat(e.getRequiredPermissions()).containsExactly(WorkbasketPermission.READ); + assertThat(e.getRequiredPermissions()) + .containsExactly(WorkbasketPermission.READ, WorkbasketPermission.READTASKS); assertThat(e.getWorkbasketId()).isEqualTo(defaultWorkbasket.getId()); } diff --git a/lib/taskana-core-test/src/test/java/acceptance/taskcomment/update/UpdateTaskCommentAccTest.java b/lib/taskana-core-test/src/test/java/acceptance/taskcomment/update/UpdateTaskCommentAccTest.java index cca3c506bb..99d02c726e 100644 --- a/lib/taskana-core-test/src/test/java/acceptance/taskcomment/update/UpdateTaskCommentAccTest.java +++ b/lib/taskana-core-test/src/test/java/acceptance/taskcomment/update/UpdateTaskCommentAccTest.java @@ -53,6 +53,7 @@ void setup() throws Exception { .accessId("user-1-1") .permission(WorkbasketPermission.OPEN) .permission(WorkbasketPermission.READ) + .permission(WorkbasketPermission.READTASKS) .permission(WorkbasketPermission.APPEND) .buildAndStore(workbasketService); defaultObjectReference = defaultTestObjectReference().build(); diff --git a/lib/taskana-core/src/main/java/pro/taskana/task/internal/TaskQueryImpl.java b/lib/taskana-core/src/main/java/pro/taskana/task/internal/TaskQueryImpl.java index 78435614a3..7689fce53d 100644 
--- a/lib/taskana-core/src/main/java/pro/taskana/task/internal/TaskQueryImpl.java +++ b/lib/taskana-core/src/main/java/pro/taskana/task/internal/TaskQueryImpl.java @@ -1943,7 +1943,7 @@ public List list() { return taskanaEngine.executeInDatabaseConnection( () -> { checkForIllegalParamCombinations(); - checkOpenAndReadPermissionForSpecifiedWorkbaskets(); + checkOpenReadAndReadTasksPermissionForSpecifiedWorkbaskets(); setupJoinAndOrderParameters(); setupAccessIds(); List tasks = @@ -1959,7 +1959,7 @@ public List list(int offset, int limit) { try { taskanaEngine.openConnection(); checkForIllegalParamCombinations(); - checkOpenAndReadPermissionForSpecifiedWorkbaskets(); + checkOpenReadAndReadTasksPermissionForSpecifiedWorkbaskets(); setupAccessIds(); setupJoinAndOrderParameters(); RowBounds rowBounds = new RowBounds(offset, limit); @@ -1990,7 +1990,7 @@ public List listValues(TaskQueryColumnName columnName, SortDirection sor this.orderBy.clear(); this.addOrderCriteria(columnName.toString(), sortDirection); checkForIllegalParamCombinations(); - checkOpenAndReadPermissionForSpecifiedWorkbaskets(); + checkOpenReadAndReadTasksPermissionForSpecifiedWorkbaskets(); setupAccessIds(); if (columnName.equals(TaskQueryColumnName.CLASSIFICATION_NAME)) { @@ -2026,7 +2026,7 @@ public TaskSummary single() { TaskSummary result; try { taskanaEngine.openConnection(); - checkOpenAndReadPermissionForSpecifiedWorkbaskets(); + checkOpenReadAndReadTasksPermissionForSpecifiedWorkbaskets(); setupAccessIds(); setupJoinAndOrderParameters(); TaskSummaryImpl taskSummaryImpl = @@ -2051,7 +2051,7 @@ public long count() { Long rowCount; try { taskanaEngine.openConnection(); - checkOpenAndReadPermissionForSpecifiedWorkbaskets(); + checkOpenReadAndReadTasksPermissionForSpecifiedWorkbaskets(); setupAccessIds(); setupJoinAndOrderParameters(); rowCount = taskanaEngine.getSqlSession().selectOne(getLinkToCounterTaskScript(), this); 
@@ -2177,7 +2177,7 @@ private void setupAccessIds() { } } - private void checkOpenAndReadPermissionForSpecifiedWorkbaskets() { + private void checkOpenReadAndReadTasksPermissionForSpecifiedWorkbaskets() { if (taskanaEngine.getEngine().isUserInRole(TaskanaRole.ADMIN, TaskanaRole.TASK_ADMIN)) { if (LOGGER.isDebugEnabled()) { LOGGER.debug("Skipping permissions check since user is in role ADMIN or TASK_ADMIN."); @@ -2188,13 +2188,13 @@ private void checkOpenAndReadPermissionForSpecifiedWorkbaskets() { if (this.workbasketIdIn != null && this.workbasketIdIn.length > 0) { filterByAccessIdIn = false; for (String workbasketId : workbasketIdIn) { - checkOpenAndReadPermissionById(workbasketId); + checkOpenReadAndReadTasksPermissionById(workbasketId); } } if (workbasketKeyDomainIn != null && workbasketKeyDomainIn.length > 0) { filterByAccessIdIn = false; for (KeyDomain keyDomain : workbasketKeyDomainIn) { - checkOpenAndReadPermissionByKeyDomain(keyDomain); + checkOpenReadAndReadTasksPermissionByKeyDomain(keyDomain); } } } catch (NotAuthorizedOnWorkbasketException e) { 
@@ -2202,20 +2202,24 @@ private void checkOpenAndReadPermissionForSpecifiedWorkbaskets() { } } - private void checkOpenAndReadPermissionById(String workbasketId) + private void checkOpenReadAndReadTasksPermissionById(String workbasketId) throws NotAuthorizedOnWorkbasketException { try { taskanaEngine .getEngine() .getWorkbasketService() - .checkAuthorization(workbasketId, WorkbasketPermission.OPEN, WorkbasketPermission.READ); + .checkAuthorization( + workbasketId, + WorkbasketPermission.OPEN, + WorkbasketPermission.READ, + WorkbasketPermission.READTASKS); } catch (WorkbasketNotFoundException e) { LOGGER.warn( String.format("The workbasket with the ID ' %s ' does not exist.", workbasketId), e); } } - private void checkOpenAndReadPermissionByKeyDomain(KeyDomain keyDomain) + private void checkOpenReadAndReadTasksPermissionByKeyDomain(KeyDomain keyDomain) throws NotAuthorizedOnWorkbasketException { try { taskanaEngine @@ -2225,7 +2229,8 @@ private void checkOpenAndReadPermissionByKeyDomain(KeyDomain keyDomain) keyDomain.getKey(), keyDomain.getDomain(), WorkbasketPermission.OPEN, - WorkbasketPermission.READ); + WorkbasketPermission.READ, + WorkbasketPermission.READTASKS); } catch (WorkbasketNotFoundException e) { LOGGER.warn( String.format( diff --git a/lib/taskana-core/src/main/java/pro/taskana/task/internal/TaskQuerySqlProvider.java b/lib/taskana-core/src/main/java/pro/taskana/task/internal/TaskQuerySqlProvider.java index bebeaea3fd..f3d21883c0 100644 --- a/lib/taskana-core/src/main/java/pro/taskana/task/internal/TaskQuerySqlProvider.java +++ b/lib/taskana-core/src/main/java/pro/taskana/task/internal/TaskQuerySqlProvider.java @@ -117,7 +117,8 @@ public static String queryTaskSummariesDb2() { + "s.ACCESS_ID IN " + "(#{item}) " + "and " - + "s.WORKBASKET_ID = X.WORKBASKET_ID AND s.perm_read = 1 fetch first 1 rows only" + + "s.WORKBASKET_ID = X.WORKBASKET_ID AND s.perm_read = 1 AND s.perm_readtasks = 1" + + " fetch first 1 rows only" + "" + " " + "VALUES(1)" 
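Review bot: In checkOpenReadAndReadTasksPermissionById a WorkbasketNotFoundException is only logged at WARN, so for an id that does not resolve the method returns exactly as if OPEN, READ and READTASKS had been granted; checkOpenReadAndReadTasksPermissionByKeyDomain in the same hunk follows the same pattern. The caller in the previous hunk has already set `filterByAccessIdIn = false` at that point, which by its name appears to switch off the access-list filter in the SQL, so this Java-side check looks like the only permission gate for explicitly named workbaskets. If the intended invariant is that an unknown workbasket simply yields no tasks, both helpers should say so, e.g. `// Not found is not an authorization failure: the query then matches no tasks for this id.` The body of the ByKeyDomain helper continues outside the hunk.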
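Review bot: The Db2 subquery in queryTaskSummariesDb2 now requires `s.perm_read = 1 AND s.perm_readtasks = 1` on a single WORKBASKET_ACCESS_LIST row, whereas checkForAuthorization (hunk at -366) takes MAX(PERM_READ) and MAX(PERM_READTASKS) per workbasket across all of the caller's access ids. A caller who gets READ through one access id and READTASKS through another would pass the aggregated check but not the per-row one, so task visibility could differ by database. The same per-row condition is added in countQueryTasksDb2 (hunk at -250). If aggregation across access ids is the intended semantics, the Db2 variants should aggregate as well; if it is not, a comment on checkForAuthorization should state that permissions are deliberately combined across access ids. The SQL template markup around these fragments is not visible in this rendering, so this is inferred from the string fragments alone.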
@@ -250,7 +251,8 @@ public static String countQueryTasksDb2() { + "WHERE s.ACCESS_ID IN " + "(#{item}) " + "and " - + "s.WORKBASKET_ID = X.WORKBASKET_ID AND s.perm_read = 1 fetch first 1 rows only " + + "s.WORKBASKET_ID = X.WORKBASKET_ID AND s.perm_read = 1 AND s.perm_readtasks = 1" + + " fetch first 1 rows only " + " " + "" + "VALUES(1)" @@ -366,16 +368,18 @@ private static String checkForAuthorization() { + "FROM (" + "" + "" - + "SELECT WORKBASKET_ID as WID, MAX(PERM_READ) as MAX_READ " + + "SELECT WORKBASKET_ID as WID, MAX(PERM_READ) as MAX_READ, " + + "MAX(PERM_READTASKS) as MAX_READTASKS " + "" + "" - + "SELECT WORKBASKET_ID as WID, MAX(PERM_READ::int) as MAX_READ " + + "SELECT WORKBASKET_ID as WID, MAX(PERM_READ::int) as MAX_READ, " + + "MAX(PERM_READTASKS::int) as MAX_READTASKS " + "" + "" + "FROM WORKBASKET_ACCESS_LIST s where ACCESS_ID IN " + "(#{item}) " + "GROUP by WORKBASKET_ID) f " - + "WHERE MAX_READ = 1) " + + "WHERE MAX_READ = 1 AND MAX_READTASKS = 1) " + ""; } diff --git a/lib/taskana-core/src/main/java/pro/taskana/task/internal/TaskServiceImpl.java b/lib/taskana-core/src/main/java/pro/taskana/task/internal/TaskServiceImpl.java index 4fe06b386f..8834f08e24 100644 --- a/lib/taskana-core/src/main/java/pro/taskana/task/internal/TaskServiceImpl.java +++ b/lib/taskana-core/src/main/java/pro/taskana/task/internal/TaskServiceImpl.java 
@@ -381,12 +381,14 @@ public Task getTask(String id) throws NotAuthorizedOnWorkbasketException, TaskNo WorkbasketQueryImpl query = (WorkbasketQueryImpl) workbasketService.createWorkbasketQuery(); query.setUsedToAugmentTasks(true); String workbasketId = resultTask.getWorkbasketSummary().getId(); - List workbaskets = query.idIn(workbasketId).list(); + List workbaskets = + query.idIn(workbasketId).callerHasPermissions(WorkbasketPermission.READTASKS).list(); if (workbaskets.isEmpty()) { throw new NotAuthorizedOnWorkbasketException( taskanaEngine.getEngine().getCurrentUserContext().getUserid(), workbasketId, - WorkbasketPermission.READ); + WorkbasketPermission.READ, + WorkbasketPermission.READTASKS); } else { resultTask.setWorkbasketSummary(workbaskets.get(0)); } diff --git a/lib/taskana-core/src/main/java/pro/taskana/workbasket/internal/WorkbasketQueryMapper.java b/lib/taskana-core/src/main/java/pro/taskana/workbasket/internal/WorkbasketQueryMapper.java index 4cea03abb9..156eb1d3ae 100644 --- a/lib/taskana-core/src/main/java/pro/taskana/workbasket/internal/WorkbasketQueryMapper.java +++ b/lib/taskana-core/src/main/java/pro/taskana/workbasket/internal/WorkbasketQueryMapper.java 
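Review bot: In getTask the workbasket lookup filters with `callerHasPermissions(WorkbasketPermission.READTASKS)` only, while the exception thrown on an empty result reports both READ and READTASKS as required. Whether READ is still enforced depends on what the workbasket query does by default once `setUsedToAugmentTasks(true)` is set, which is not visible in this hunk. I would either have the filter name both permissions (if callerHasPermissions accepts more than one) or add a comment above the query such as `// READ is enforced by the workbasket query itself; READTASKS is the additional gate for task content.` so the check and the reported permissions cannot drift apart. getTask starts and ends outside the hunk.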
@@ -18,13 +18,13 @@ public interface WorkbasketQueryMapper { + " " + "" + "" - + "LEFT OUTER JOIN (select WORKBASKET_ID as WID, MAX(PERM_READ) as MAX_READ, MAX(PERM_OPEN) as MAX_OPEN, " + + "LEFT OUTER JOIN (select WORKBASKET_ID as WID, MAX(PERM_READ) as MAX_READ, MAX(PERM_READTASKS) as MAX_READTASKS, MAX(PERM_OPEN) as MAX_OPEN, " + "MAX(PERM_APPEND) as MAX_APPEND, MAX(PERM_TRANSFER) as MAX_TRANSFER, MAX(PERM_DISTRIBUTE) as MAX_DISTRIBUTE, MAX(PERM_CUSTOM_1) as MAX_CUSTOM_1, MAX(PERM_CUSTOM_2) as MAX_CUSTOM_2, " + "MAX(PERM_CUSTOM_3) as MAX_CUSTOM_3, MAX(PERM_CUSTOM_4) as MAX_CUSTOM_4, MAX(PERM_CUSTOM_5) as MAX_CUSTOM_5, MAX(PERM_CUSTOM_6) as MAX_CUSTOM_6, MAX(PERM_CUSTOM_7) as MAX_CUSTOM_7, " + "MAX(PERM_CUSTOM_8) as MAX_CUSTOM_8, MAX(PERM_CUSTOM_9) as MAX_CUSTOM_9, MAX(PERM_CUSTOM_10) as MAX_CUSTOM_10, MAX(PERM_CUSTOM_11) as MAX_CUSTOM_11, MAX(PERM_CUSTOM_12) as MAX_CUSTOM_12 " + "" + "" - + "LEFT OUTER JOIN (select WORKBASKET_ID as WID, MAX(PERM_READ::int) as MAX_READ, MAX(PERM_OPEN::int) as MAX_OPEN, " + + "LEFT OUTER JOIN (select WORKBASKET_ID as WID, MAX(PERM_READ::int) as MAX_READ, MAX(PERM_READTASKS::int) as MAX_READTASKS, MAX(PERM_OPEN::int) as MAX_OPEN, " + "MAX(PERM_APPEND::int) as MAX_APPEND, MAX(PERM_TRANSFER::int) as MAX_TRANSFER, MAX(PERM_DISTRIBUTE::int) as MAX_DISTRIBUTE, MAX(PERM_CUSTOM_1::int) as MAX_CUSTOM_1, MAX(PERM_CUSTOM_2::int) as MAX_CUSTOM_2, " + "MAX(PERM_CUSTOM_3::int) as MAX_CUSTOM_3, MAX(PERM_CUSTOM_4::int) as MAX_CUSTOM_4, MAX(PERM_CUSTOM_5::int) as MAX_CUSTOM_5, MAX(PERM_CUSTOM_6::int) as MAX_CUSTOM_6, MAX(PERM_CUSTOM_7::int) as MAX_CUSTOM_7, " + "MAX(PERM_CUSTOM_8::int) as MAX_CUSTOM_8, MAX(PERM_CUSTOM_9::int) as MAX_CUSTOM_9, MAX(PERM_CUSTOM_10::int) as MAX_CUSTOM_10, MAX(PERM_CUSTOM_11::int) as MAX_CUSTOM_11, MAX(PERM_CUSTOM_12::int) as MAX_CUSTOM_12 " @@ -74,6 +74,7 @@ public interface WorkbasketQueryMapper { + " " + "" + "a.MAX_READ " + + "a.MAX_READTASKS " + "a.MAX_OPEN " + "a.MAX_APPEND" + "a.MAX_TRANSFER" 
@@ -118,7 +119,7 @@ public interface WorkbasketQueryMapper { @Select( "