alchemy-fr · 4rthem · Jan 9, 2024 · Jan 9, 2024 · Jan 9, 2024 · Jan 9, 2024
diff --git a/configurator/src/Configurator/Vendor/Keycloak/KeycloakConfigurator.php b/configurator/src/Configurator/Vendor/Keycloak/KeycloakConfigurator.php
@@ -117,7 +117,7 @@ private function getAppScopes(): array
     {
         return [
             'databox' => [
-                'chuck-norris',
+                'super-admin',
                 'asset:create',
                 'asset:delete',
                 'asset:edit',

diff --git a/databox/api/composer.lock b/databox/api/composer.lock
diff --git a/databox/api/config/packages/alchemy_webhook.yaml b/databox/api/config/packages/alchemy_webhook.yaml
@@ -1,6 +1,6 @@
 alchemy_webhook:
   normalizer_roles:
-    - ROLE_CHUCK-NORRIS
+    - ROLE_SUPER-ADMIN
   events:
     'custom:event':
       description: A custom event

diff --git a/databox/api/src/Api/InputTransformer/RenditionDefinitionInputTransformer.php b/databox/api/src/Api/InputTransformer/RenditionDefinitionInputTransformer.php
@@ -40,7 +40,7 @@ public function transform(object $data, string $resourceClass, array $context =
                 $rendDef = $this->em->getRepository(RenditionDefinition::class)
                     ->findOneBy([
                         'key' => $data->key,
-                        'workspace' => $workspace->getId()
+                        'workspace' => $workspace->getId(),
                     ]);
 
                 if ($rendDef) {

diff --git a/databox/api/src/Api/Model/Input/RenditionDefinitionInput.php b/databox/api/src/Api/Model/Input/RenditionDefinitionInput.php
@@ -75,11 +75,11 @@ class RenditionDefinitionInput
      * @var int|null
      */
     #[Groups([RenditionDefinition::GROUP_WRITE])]
-    public $priority = null;
+    public $priority;
 
     /**
      * @var string|null
      */
     #[Groups([RenditionDefinition::GROUP_WRITE])]
-    public $key = null;
+    public $key;
 }
diff --git a/databox/api/src/Api/Processor/AssetAttributeBatchUpdateProcessor.php b/databox/api/src/Api/Processor/AssetAttributeBatchUpdateProcessor.php
@@ -21,8 +21,7 @@ final class AssetAttributeBatchUpdateProcessor implements ProcessorInterface
     public function __construct(
         private readonly BatchAttributeManager $batchAttributeManager,
         private readonly EntityManagerInterface $em,
-    )
-    {
+    ) {
     }
 
     /**

diff --git a/databox/api/src/Api/Provider/AttributeClassCollectionProvider.php b/databox/api/src/Api/Provider/AttributeClassCollectionProvider.php
@@ -37,7 +37,7 @@ protected function provideCollection(
                 ->setParameter('ws', $filters['workspaceId']);
         }
 
-        if (!$this->isChuckNorris()) {
+        if (!$this->isAdmin()) {
             AccessControlEntryRepository::joinAcl(
                 $queryBuilder,
                 $user->getId(),

diff --git a/databox/api/src/Api/Provider/AttributeDefinitionCollectionProvider.php b/databox/api/src/Api/Provider/AttributeDefinitionCollectionProvider.php
@@ -33,7 +33,7 @@ protected function provideCollection(
                 ->setParameter('ws', $filters['workspaceId']);
         }
 
-        if (!$this->isChuckNorris()) {
+        if (!$this->isAdmin()) {
             $user = $this->security->getUser();
 
             if ($user instanceof JwtUser) {

diff --git a/databox/api/src/Elasticsearch/AbstractSearch.php b/databox/api/src/Elasticsearch/AbstractSearch.php
@@ -6,20 +6,20 @@
 
 use App\Entity\Core\Workspace;
 use App\Entity\Core\WorkspaceItemPrivacyInterface;
-use App\Security\Voter\ChuckNorrisVoter;
+use App\Util\SecurityAwareTrait;
 use Doctrine\ORM\EntityManagerInterface;
 use Elastica\Query;
-use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Contracts\Service\Attribute\Required;
 
 abstract class AbstractSearch
 {
+    use SecurityAwareTrait;
+
     protected EntityManagerInterface $em;
-    protected Security $security;
 
     protected function createACLBoolQuery(?string $userId, array $groupIds): ?Query\BoolQuery
     {
-        if ($this->security->isGranted(ChuckNorrisVoter::ROLE)) {
+        if ($this->isSuperAdmin()) {
             return null;
         }
 
@@ -103,10 +103,4 @@ public function setEm(EntityManagerInterface $em): void
     {
         $this->em = $em;
     }
-
-    #[Required]
-    public function setSecurity(Security $security): void
-    {
-        $this->security = $security;
-    }
 }
diff --git a/databox/api/src/Elasticsearch/Listener/CollectionPostTransformListener.php b/databox/api/src/Elasticsearch/Listener/CollectionPostTransformListener.php
@@ -31,18 +31,18 @@ public function hydrateDocument(PostTransformEvent $event): void
         [$users, $groups] = $this->discoverChildren($collection);
 
         // TODO check impact
-//        if (!in_array(null, $users, true)) {
-//            $parent = $collection->getParent();
-//            while (null !== $parent) {
-//                $users = array_merge($users, $this->permissionManager->getAllowedUsers($parent, PermissionInterface::VIEW));
-//                if (in_array(null, $users, true)) {
-//                    break;
-//                }
-//
-//                $groups = array_merge($groups, $this->permissionManager->getAllowedGroups($parent, PermissionInterface::VIEW));
-//                $parent = $parent->getParent();
-//            }
-//        }
+        //        if (!in_array(null, $users, true)) {
+        //            $parent = $collection->getParent();
+        //            while (null !== $parent) {
+        //                $users = array_merge($users, $this->permissionManager->getAllowedUsers($parent, PermissionInterface::VIEW));
+        //                if (in_array(null, $users, true)) {
+        //                    break;
+        //                }
+        //
+        //                $groups = array_merge($groups, $this->permissionManager->getAllowedGroups($parent, PermissionInterface::VIEW));
+        //                $parent = $parent->getParent();
+        //            }
+        //        }
 
         if (in_array(null, $users, true)) {
             $users = ['*'];

diff --git a/databox/api/src/Entity/Core/Asset.php b/databox/api/src/Entity/Core/Asset.php
@@ -39,7 +39,6 @@
 use App\Entity\WithOwnerIdInterface;
 use App\Repository\Core\AssetRepository;
 use App\Security\Voter\AbstractVoter;
-use App\Security\Voter\AssetVoter;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Collection as DoctrineCollection;
 use Doctrine\DBAL\Types\Types;

diff --git a/databox/api/src/Entity/Template/AssetDataTemplate.php b/databox/api/src/Entity/Template/AssetDataTemplate.php
@@ -13,7 +13,6 @@
 use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Post;
 use ApiPlatform\Metadata\Put;
-use App\Api\InputTransformer\AssetDataTemplateInputTransformer;
 use App\Api\Model\Input\Template\AssetDataTemplateInput;
 use App\Api\Model\Output\Template\AssetDataTemplateOutput;
 use App\Api\Provider\AssetDataTemplateCollectionProvider;

diff --git a/databox/api/src/Repository/Core/AttributeDefinitionRepository.php b/databox/api/src/Repository/Core/AttributeDefinitionRepository.php
@@ -7,14 +7,15 @@
 use Alchemy\AclBundle\Entity\AccessControlEntryRepository;
 use Alchemy\AclBundle\Security\PermissionInterface;
 use App\Entity\Core\AttributeDefinition;
-use App\Security\Voter\ChuckNorrisVoter;
+use App\Util\SecurityAwareTrait;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
-use Symfony\Bundle\SecurityBundle\Security;
 
 class AttributeDefinitionRepository extends ServiceEntityRepository implements AttributeDefinitionRepositoryInterface
 {
-    public function __construct(ManagerRegistry $registry, private readonly Security $security)
+    use SecurityAwareTrait;
+
+    public function __construct(ManagerRegistry $registry)
     {
         parent::__construct($registry, AttributeDefinition::class);
     }
@@ -31,7 +32,7 @@ public function getSearchableAttributes(?string $userId, array $groupIds, array
             ->innerJoin('t.workspace', 'w')
         ;
 
-        if (!$this->security->isGranted(ChuckNorrisVoter::ROLE)) {
+        if (!$this->isSuperAdmin()) {
             if (null !== $userId) {
                 AccessControlEntryRepository::joinAcl(
                     $queryBuilder,

diff --git a/databox/api/src/Security/Voter/ChuckNorrisVoter.php b/databox/api/src/Security/Voter/ChuckNorrisVoter.php
diff --git a/databox/api/src/Util/SecurityAwareTrait.php b/databox/api/src/Util/SecurityAwareTrait.php
@@ -5,7 +5,7 @@
 namespace App\Util;
 
 use Alchemy\AuthBundle\Security\JwtUser;
-use App\Security\Voter\ChuckNorrisVoter;
+use Alchemy\AuthBundle\Security\Voter\SuperAdminVoter;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -21,9 +21,14 @@ public function setSecurity(Security $security): void
         $this->security = $security;
     }
 
-    protected function isChuckNorris(): bool
+    protected function isSuperAdmin(): bool
     {
-        return $this->security->isGranted(ChuckNorrisVoter::ROLE);
+        return $this->security->isGranted(SuperAdminVoter::ROLE);
+    }
+
+    protected function isAdmin(): bool
+    {
+        return $this->security->isGranted(JwtUser::ROLE_ADMIN);
     }
 
     protected function isGranted(mixed $attributes, mixed $subject = null): bool

diff --git a/databox/client/src/api/acl.ts b/databox/client/src/api/acl.ts
@@ -21,14 +21,14 @@ export async function putAce(
     objectType: string,
     objectId: string | undefined,
     mask: number
-): Promise<void> {
-    await apiClient.put(`/permissions/ace`, {
+): Promise<Ace> {
+    return (await apiClient.put(`/permissions/ace`, {
         userType,
         userId,
         objectType,
         objectId,
         mask,
-    });
+    })).data;
 }
 
 export async function deleteAce(

diff --git a/databox/client/src/api/renditionRule.ts b/databox/client/src/api/renditionRule.ts
@@ -21,8 +21,8 @@ export async function postRenditionRule(
     objectId: string,
     userType: UserType,
     userId: string | null
-): Promise<void> {
-    await apiClient.post(`/rendition-rules`, {
+): Promise<RenditionRule> {
+    return (await apiClient.post(`/rendition-rules`, {
         workspaceId:
             objectType === CollectionOrWorkspace.Workspace
                 ? objectId
@@ -34,7 +34,7 @@ export async function postRenditionRule(
         userId: userType === UserType.User ? userId : undefined,
         groupId: userType === UserType.Group ? userId : undefined,
         allowed: [`/rendition-classes/${classId}`],
-    });
+    })).data;
 }
 
 export async function deleteRenditionRule(id: string): Promise<void> {

diff --git a/databox/client/src/components/Acl/AclForm.tsx b/databox/client/src/components/Acl/AclForm.tsx
@@ -24,7 +24,7 @@ export default function AclForm({
 
     const updatePermission = useCallback(
         async (userType: UserType, userId: string | null, mask: number) => {
-            await putAce(userType, userId, objectType, objectId, mask);
+            return await putAce(userType, userId, objectType, objectId, mask);
         },
         [objectType, objectId]
     );
-Original file line number
+Diff line change
@@ Expand Up @@
         public function __construct(
             private readonly BatchAttributeManager $batchAttributeManager,
             private readonly EntityManagerInterface $em,
-        )
-        {
+        ) {
         }
         /**
@@ Expand Down @@