Don't show user management in app switcher if user has not role 'admin'

changelog/unreleased/bugfix-space-and-user-management-permissions

@@ -0,0 +1,8 @@
+Bugfix: Create space and access user management permission
+
+We've fixed a bug, where users with insufficient permissions could access the user management and were able to see
+the "New Space" button in the space overview.
+
+https://github.com/owncloud/web/pull/7197
+https://github.com/owncloud/web/issues/7181
+https://github.com/owncloud/web/issues/7079

packages/web-app-files/src/views/spaces/Projects.vue

@@ -8,7 +8,7 @@
  :show-actions-on-selection="true"
  >
  <template #actions>
- <create-space />
+ <create-space v-if="hasCreatePermission" />
  </template>
  <template #content>
  <p v-text="spacesHint" />
@@ -188,8 +188,7 @@ export default defineComponent({
  return this.$gettext('Store your project related files in Spaces for seamless collaboration.')
  },
  hasCreatePermission() {
- // @TODO
- return true
+ return this.$permissionManager.hasSpaceManagement()
  }
  },
  watch: {

packages/web-app-user-management/src/index.js

@@ -41,13 +41,21 @@ const navItems = [
  icon: 'user',
  route: {
  path: `/${appInfo.id}/users?`
+ },
+ enabled: () => {
+ const permissionManager = window.Vue.$permissionManager
+ return permissionManager.hasUserManagement()
  }
  },
  {
  name: $gettext('Groups'),
  icon: 'group-2',
  route: {
  path: `/${appInfo.id}/groups?`
+ },
+ enabled: () => {
+ const permissionManager = window.Vue.$permissionManager
+ return permissionManager.hasUserManagement()
  }
  }
 ]

packages/web-pkg/src/services/index.ts

@@ -1 +1,2 @@
 export * from './client'
+export * from './permissionManager'

packages/web-pkg/src/services/permissionManager.ts

@@ -0,0 +1,27 @@
+import { Store } from 'vuex'
+interface Role {
+ name: 'admin' | 'spaceadmin' | 'user' | 'guest'
+}
+interface User {
+ role: Role
+}
+
+export class PermissionManager {
+ private readonly store: Store<any>
+
+ constructor(store: Store<any>) {
+ this.store = store
+ }
+
+ public hasUserManagement() {
+ return this.user.role.name === 'admin'
+ }
+
+ public hasSpaceManagement() {
+ return ['admin', 'spaceadmin'].includes(this.user.role.name)
+ }
+
+ get user(): User {
+ return this.store.getters.user
+ }
+}

packages/web-pkg/tests/unit/services/permissionManager.spec.ts

@@ -0,0 +1,34 @@
+import { PermissionManager } from '../../../src/services'
+
+beforeEach(jest.resetAllMocks)
+
+describe('permissionManager', () => {
+ describe('method "hasUserManagement"', () => {
+ test('should be true if user has sufficient rights', () => {
+ const permissionManager = new PermissionManager({
+ getters: { user: { role: { name: 'admin' } } }
+ } as any)
+ expect(permissionManager.hasUserManagement()).toBeTruthy()
+ })
+ test('should be false if user has insufficient rights', () => {
+ const permissionManager = new PermissionManager({
+ getters: { user: { role: { name: 'user' } } }
+ } as any)
+ expect(permissionManager.hasUserManagement()).toBeFalsy()
+ })
+ })
+ describe('method "hasSpaceManagement"', () => {
+ test('should be true if user has sufficient rights', () => {
+ const permissionManager = new PermissionManager({
+ getters: { user: { role: { name: 'admin' } } }
+ } as any)
+ expect(permissionManager.hasUserManagement()).toBeTruthy()
+ })
+ test('should be false if user has insufficient rights', () => {
+ const permissionManager = new PermissionManager({
+ getters: { user: { role: { name: 'user' } } }
+ } as any)
+ expect(permissionManager.hasUserManagement()).toBeFalsy()
+ })
+ })
+})

packages/web-runtime/src/container/bootstrap.ts

@@ -13,7 +13,7 @@ import { getBackendVersion, getWebVersion } from './versions'
 import { useLocalStorage } from 'web-pkg/src/composables'
 import { unref } from '@vue/composition-api'
 import { useDefaultThemeName } from '../composables'
-import { clientService } from 'web-pkg/src/services'
+import { clientService, PermissionManager } from 'web-pkg/src/services'
 import { UppyService } from '../services/uppyService'
 
 import { init as SentryInit } from '@sentry/browser'
@@ -253,6 +253,24 @@ export const announceClientService = ({
  vue.prototype.$clientService.owncloudSdk = sdk
 }
 
+/**
+ * announce uppyService and inject it into vue
+ *
+ * @param vue
+ * @param store
+ */
+export const announcePermissionManager = ({
+ vue,
+ store
+}: {
+ vue: VueConstructor
+ store: Store<any>
+}): void => {
+ const permissionManager = new PermissionManager(store)
+ vue.prototype.$permissionManager = permissionManager
+ set(vue, '$permissionManager', permissionManager)
+}
+
 /**
  * announce uppyService and inject it into vue
  *

packages/web-runtime/src/index.ts

@@ -21,6 +21,7 @@ import {
  announceVersions,
  applicationStore,
  announceUppyService,
+ announcePermissionManager,
  startSentry
 } from './container'
 
@@ -29,6 +30,7 @@ export const bootstrap = async (configurationPath: string): Promise<void> => {
  startSentry(runtimeConfiguration, Vue)
  announceClientService({ vue: Vue, runtimeConfiguration })
  announceUppyService({ vue: Vue })
+ announcePermissionManager({ vue: Vue, store })
  await announceClient(runtimeConfiguration)
  await announceStore({ vue: Vue, store, runtimeConfiguration })
  await announceApplications({

packages/web-runtime/src/store/user.js

@@ -5,6 +5,7 @@ import { router } from '../router'
 import { clientService } from 'web-pkg/src/services'
 
 import { setUser as sentrySetUser } from '@sentry/browser'
+import axios from 'axios'
 
 let vueAuthInstance
 
@@ -20,7 +21,9 @@ const state = {
  groups: [],
  userReady: false,
  quota: null,
- language: null
+ language: null,
+ role: {},
+ roles: []
 }
 
 const actions = {
@@ -101,9 +104,42 @@ const actions = {
 
  // FIXME: Can be removed as soon as the uuid is integrated in the OCS api
  let graphUser
+ let role = []
  if (context.state.capabilities.spaces?.enabled) {
  const graphClient = clientService.graphAuthenticated(instance, token)
  graphUser = await graphClient.users.getMe()
+
+ const {
+ data: { bundles: roles }
+ } = await axios.post(
+ '/api/v0/settings/roles-list',
+ {},
+ {
+ headers: {
+ authorization: `Bearer ${token}`
+ }
+ }
+ )
+
+ context.commit('SET_ROLES', roles)
+
+ const userAssignmentResponse = await axios.post(
+ '/api/v0/settings/assignments-list',
+ {
+ account_uuid: graphUser.data.id
+ },
+ {
+ headers: {
+ authorization: `Bearer ${token}`
+ }
+ }
+ )
+ const assignments = userAssignmentResponse.data?.assignments
+ const roleAssignment = assignments.find((assignment) => 'roleId' in assignment)
+
+ if (roleAssignment) {
+ role = roles.find((role) => role.id === roleAssignment.roleId)
+ }
  }
 
  let userEmail = ''
@@ -124,6 +160,7 @@ const actions = {
  token,
  isAuthenticated: true,
  groups: userGroups,
+ role,
  language
  })
 
@@ -261,6 +298,7 @@ const mutations = {
  state.token = user.token
  state.groups = user.groups
  state.language = user.language
+ state.role = user.role
  sentrySetUser({ username: user.id })
  },
  SET_CAPABILITIES(state, data) {
@@ -281,6 +319,9 @@ const mutations = {
  quota.total = parseInt(quota.total)
 
  state.quota = quota
+ },
+ SET_ROLES(state, roles) {
+ state.roles = roles
  }
 }
 
@@ -300,8 +341,8 @@ const getters = {
  capabilities: (state) => {
  return state.capabilities
  },
-
- quota: (state) => state.quota
+ quota: (state) => state.quota,
+ roles: (state) => state.roles
 }
 
 export default {