From 34d7425bfcb28ff62e36fc0bd061ed3e6e2a7b6d Mon Sep 17 00:00:00 2001
From: pieterlukasse <pieterlukasse@gmail.com>
Date: Fri, 10 May 2024 20:30:26 +0200
Subject: [PATCH] feat: introduce a new permission instead of relying on a role
 for Global sharing

...and introduce some other fixes:
- fix: correct styling for sharing buttons on access modal ui
- fix: cleanup/remove unnecessary parts
- fix: adjust permission name to "artifact:global:share:put" to better reflect its real purpose
- fix: better name for isPermittedGlobalShareArtifact (previous name isPermittedGlobalShareCohort did not reflect the
  fact that it is about all kind of artifacts)
- fix: move isOwner() check and make sure it is only applied when !config.limitedPermissionManagement
- fix: move isOwner() check for conceptset-manager
---
 .../access/configure-access-modal.html        |  5 +-
 .../cohort-definition-manager.html            |  2 +-
 .../cohort-definition-manager.js              | 50 ++++++++-----------
 js/pages/concept-sets/conceptset-manager.html |  2 +-
 js/pages/concept-sets/conceptset-manager.js   | 48 ++++++++----------
 js/services/AuthAPI.js                        | 29 +++++++----
 js/services/ShareRoleCheck.js                 | 32 ------------
 7 files changed, 64 insertions(+), 104 deletions(-)
 delete mode 100644 js/services/ShareRoleCheck.js

diff --git a/js/components/security/access/configure-access-modal.html b/js/components/security/access/configure-access-modal.html
index 672339db7..b437d938f 100644
--- a/js/components/security/access/configure-access-modal.html
+++ b/js/components/security/access/configure-access-modal.html
@@ -92,15 +92,14 @@
 		<label data-bind="css: classes('new-access-label'), text: ko.i18n('common.configureAccessModal.globalReadStatus', 'Status of global READ access:')"></label>
 		<div/>
 		<div class="btn-group" data-toggle="buttons">
-		    <label data-bind="css: { active: !shareFlag()},
+		    <label data-bind="css: { active: shareFlag()},
 				      click: function () { shareFlag(false); grantGlobalReadAccess();},
 				      clickBubble: false,
 				      text: ko.i18n('common.configureAccessModal.globalReadStatusNotGranted', 'Granted')
 				      "
 			   class="btn btn-primary",		   
 		    />
-		    <label data-bind="css: { 
-				      active: shareFlag()}, 
+		    <label data-bind="css: { active: !shareFlag()}, 
 				      click: function () { shareFlag(true); revokeGlobalReadAccess();},
 				      clickBubble: false,
 				      text: ko.i18n('common.configureAccessModal.globalReadStatusIsGranted', 'Not Granted')
diff --git a/js/pages/cohort-definitions/cohort-definition-manager.html b/js/pages/cohort-definitions/cohort-definition-manager.html
index 9ea780951..dc868e11f 100644
--- a/js/pages/cohort-definitions/cohort-definition-manager.html
+++ b/js/pages/cohort-definitions/cohort-definition-manager.html
@@ -35,7 +35,7 @@
 
 					<!-- ko if: (enablePermissionManagement() === true && userCanShare() === true) -->
 					<button class="btn btn-primary"
-						data-bind="title: ko.i18n('common.configureAccess', 'Configure access'), visible: isOwner() && !previewVersion(), click: () => isAccessModalShown(!isAccessModalShown())">
+						data-bind="title: ko.i18n('common.configureAccess', 'Configure access'), visible: !previewVersion(), click: () => isAccessModalShown(!isAccessModalShown())">
 						<i class="fa fa-lock"></i>
 					</button>
 					<!-- /ko -->
diff --git a/js/pages/cohort-definitions/cohort-definition-manager.js b/js/pages/cohort-definitions/cohort-definition-manager.js
index 6a78d2eec..9f69c69e2 100644
--- a/js/pages/cohort-definitions/cohort-definition-manager.js
+++ b/js/pages/cohort-definitions/cohort-definition-manager.js
@@ -2,7 +2,6 @@ define(['jquery', 'knockout', 'text!./cohort-definition-manager.html',
 	'appConfig',
 	'components/cohortbuilder/CohortDefinition',
 	'services/CohortDefinition',
-	'services/ShareRoleCheck',
 	'services/MomentAPI',
 	'services/ConceptSet',
 	'services/Permission',
@@ -59,15 +58,14 @@ define(['jquery', 'knockout', 'text!./cohort-definition-manager.html',
 	'utilities/sql',
 	'components/conceptset/conceptset-list',
 	'components/name-validation',
-	'components/versions/versions',
+	'components/versions/versions'
 ], function (
 	$,
 	ko,
 	view,
 	config,
 	CohortDefinition,
-        cohortDefinitionService,
-        shareRoleCheck,
+	cohortDefinitionService,
 	momentApi,
 	conceptSetService,
 	PermissionService,
@@ -200,28 +198,30 @@ define(['jquery', 'knockout', 'text!./cohort-definition-manager.html',
 			this.pollTimeoutId = null;
 			this.authApi = authApi;
 			this.config = config;
-
-		        this.enablePermissionManagement = ko.observable(false);
- 		        this.enablePermissionManagement(config.enablePermissionManagement);
-
-		        this.userCanShare = ko.observable(false);
-		        if (config.permissionManagementRoleId === "") {
-			   this.userCanShare(true);
-		        } else {
-			   shareRoleCheck.checkIfRoleCanShare(authApi.subject(), config.permissionManagementRoleId)
-				.then(res=>{
-				    this.userCanShare(res);
-				})
-				.catch(error => {
-				    console.error(error);
-				    alert(ko.i18n('cohortDefinitions.cohortDefinitionManager.shareRoleCheck', 'Error when determining if user can share cohorts')());
-				});
-			}		        
-		    
 			this.relatedSourcecodesOptions = globalConstants.relatedSourcecodesOptions;
 			this.commonUtils = commonUtils;
 			this.isLoading = ko.observable(false);
 			this.currentCohortDefinition = sharedState.CohortDefinition.current;
+
+			PermissionService.decorateComponent(this, {
+				entityTypeGetter: () => entityType.COHORT_DEFINITION,
+				entityIdGetter: () => this.currentCohortDefinition().id(),
+				createdByUsernameGetter: () => this.currentCohortDefinition() && this.currentCohortDefinition().createdBy()
+					&& this.currentCohortDefinition().createdBy().login
+			});
+
+			this.enablePermissionManagement = ko.observable(config.enablePermissionManagement);
+			if (config.enablePermissionManagement) {
+				this.userCanShare = ko.observable(
+						  (config.limitedPermissionManagement &&
+						   authApi.isPermittedGlobalShareArtifact()) ||
+						  (!config.limitedPermissionManagement &&
+						   this.isOwner())
+						);
+			} else {
+				this.userCanShare = ko.observable(false);
+			}
+
 			this.currentCohortDefinitionMode = sharedState.CohortDefinition.mode;
 			this.currentCohortDefinitionInfo = sharedState.CohortDefinition.info;
 			this.cohortDefinitionSourceInfo = sharedState.CohortDefinition.sourceInfo;
@@ -868,12 +868,6 @@ define(['jquery', 'knockout', 'text!./cohort-definition-manager.html',
 
 			}
 
-			PermissionService.decorateComponent(this, {
-				entityTypeGetter: () => entityType.COHORT_DEFINITION,
-				entityIdGetter: () => this.currentCohortDefinition().id(),
-				createdByUsernameGetter: () => this.currentCohortDefinition() && this.currentCohortDefinition().createdBy()
-					&& this.currentCohortDefinition().createdBy().login
-			});
 
 			TagsService.decorateComponent(this, {
 				assetTypeGetter: () => TagsService.ASSET_TYPE.COHORT_DEFINITION,
diff --git a/js/pages/concept-sets/conceptset-manager.html b/js/pages/concept-sets/conceptset-manager.html
index 4ff046c19..bc93102e5 100644
--- a/js/pages/concept-sets/conceptset-manager.html
+++ b/js/pages/concept-sets/conceptset-manager.html
@@ -28,7 +28,7 @@
         <button type="button" class="btn btn-primary" data-bind="visible: !previewVersion(), click: optimize, css: { disabled: !canOptimize() || isProcessing() }, text: ko.i18n('cs.manager.optimize', 'Optimize')"></button>
 
 	<!-- ko if: (enablePermissionManagement() === true && userCanShare() === true)  -->
-        <button class="btn btn-primary" data-bind="visible: !previewVersion() && isOwner(), click: () => isAccessModalShown(!isAccessModalShown()), title: ko.i18n('common.configureAccess', 'Configure access')">
+        <button class="btn btn-primary" data-bind="visible: !previewVersion(), click: () => isAccessModalShown(!isAccessModalShown()), title: ko.i18n('common.configureAccess', 'Configure access')">
             <i class="fa fa-lock"></i>
         </button>
 	<!-- /ko -->
diff --git a/js/pages/concept-sets/conceptset-manager.js b/js/pages/concept-sets/conceptset-manager.js
index c1ee6f61e..eee93a131 100644
--- a/js/pages/concept-sets/conceptset-manager.js
+++ b/js/pages/concept-sets/conceptset-manager.js
@@ -8,8 +8,7 @@ define([
 	'./const',
 	'const',
 	'components/conceptset/utils',
-        'services/Vocabulary',
-    	'services/ShareRoleCheck',
+	'services/Vocabulary',
 	'services/Permission',
 	'services/Tags',
 	'components/security/access/const',
@@ -56,8 +55,7 @@ define([
 	constants,
 	globalConstants,
 	utils,
-        vocabularyAPI,
-        shareRoleCheck,
+	vocabularyAPI,
 	GlobalPermissionService,
 	TagsService,
 	{ entityType },
@@ -177,24 +175,25 @@ define([
 				return this.currentConceptSet() && this.currentConceptSet().id > 0;
 			});
 
-		        this.enablePermissionManagement = ko.observable(false);
- 		        this.enablePermissionManagement(config.enablePermissionManagement);
-
-		        this.userCanShare = ko.observable(false);
-		        if (config.permissionManagementRoleId === "") {
-			   this.userCanShare(true);
-		        } else {
-			   shareRoleCheck.checkIfRoleCanShare(authApi.subject(), config.permissionManagementRoleId)
-				.then(res=>{
-				    this.userCanShare(res);
-				})
-				.catch(error => {
-				    console.error(error);
-				    alert(ko.i18n('conceptSets.conceptSetManager.shareRoleCheck', 'Error when determining if user can share concept sets')());
-				});
-			}		        
+			GlobalPermissionService.decorateComponent(this, {
+				entityTypeGetter: () => entityType.CONCEPT_SET,
+				entityIdGetter: () => this.currentConceptSet() && this.currentConceptSet().id,
+				createdByUsernameGetter: () => this.currentConceptSet() && this.currentConceptSet().createdBy
+					&& this.currentConceptSet().createdBy.login
+			});
+
+			this.enablePermissionManagement = ko.observable(config.enablePermissionManagement);
+			if (config.enablePermissionManagement) {
+				this.userCanShare = ko.observable(
+					(config.limitedPermissionManagement &&
+					 authApi.isPermittedGlobalShareArtifact()) ||
+					(!config.limitedPermissionManagement &&
+					 this.isOwner())
+				  );
+			} else {
+				this.userCanShare = ko.observable(false);
+			}
 
-		    
 			this.isSaving = ko.observable(false);
 			this.isDeleting = ko.observable(false);
 			this.isOptimizing = ko.observable(false);
@@ -352,13 +351,6 @@ define([
 
 			this.activeUtility = ko.observable("");
 
-			GlobalPermissionService.decorateComponent(this, {
-				entityTypeGetter: () => entityType.CONCEPT_SET,
-				entityIdGetter: () => this.currentConceptSet() && this.currentConceptSet().id,
-				createdByUsernameGetter: () => this.currentConceptSet() && this.currentConceptSet().createdBy
-					&& this.currentConceptSet().createdBy.login
-			});
-
 			this.tags = ko.observableArray(this.currentConceptSet() && this.currentConceptSet().tags);
 			TagsService.decorateComponent(this, {
 				assetTypeGetter: () => TagsService.ASSET_TYPE.CONCEPT_SET,
diff --git a/js/services/AuthAPI.js b/js/services/AuthAPI.js
index b0a28eeba..312ac890f 100644
--- a/js/services/AuthAPI.js
+++ b/js/services/AuthAPI.js
@@ -395,6 +395,12 @@ define(function(require, exports) {
         return isPermitted('cohortdefinition:' + id + ':copy:get');
     }
 
+    var isPermittedGlobalShareArtifact = function() {
+        // special * permission (intended for admins) that allows the
+        // user to share any artifact with a "global reader role":
+        return isPermitted('artifact:global:share:put');
+    }
+
     var isPermittedUpdateCohort = function(id) {
         var permission = 'cohortdefinition:' + id + ':put';
         return isPermitted(permission);
@@ -407,17 +413,17 @@ define(function(require, exports) {
     }
 
     var isPermittedGenerateCohort = function(cohortId, sourceKey) {
-	var v = isPermitted('cohortdefinition:' + cohortId + ':generate:' + sourceKey + ':get') &&
-		isPermitted('cohortdefinition:' + cohortId + ':info:get');
-
-	// By default, everyone can generate any artifact they have
-	// permission to read. If a permissionManagementRoleId has
-	// been assigned, (non- empty string assignment), the default
-	// generate functionality is not desired. Rather, users will have to
-	// have a role that allows them to update the specific cohort definition. 
-	if (config.permissionManagementRoleId !== ""){
-	    v = v && isPermitted('cohortdefinition:' + cohortId + ':put')
-	}
+        var v = isPermitted('cohortdefinition:' + cohortId + ':generate:' + sourceKey + ':get') &&
+            isPermitted('cohortdefinition:' + cohortId + ':info:get');
+
+        // By default, everyone can generate any artifact they have
+        // permission to read. If limitedPermissionManagement has
+        // been set to true, the default
+        // generate functionality is not desired. Rather, users will have to
+        // have a permission that allows them to update the specific cohort definition. 
+        if (config.limitedPermissionManagement){
+            v = v && isPermitted('cohortdefinition:' + cohortId + ':put')
+        }
         return v
     }
 
@@ -586,6 +592,7 @@ define(function(require, exports) {
         isPermittedReadCohort: isPermittedReadCohort,
         isPermittedCreateCohort: isPermittedCreateCohort,
         isPermittedCopyCohort: isPermittedCopyCohort,
+        isPermittedGlobalShareArtifact: isPermittedGlobalShareArtifact,
         isPermittedUpdateCohort: isPermittedUpdateCohort,
         isPermittedDeleteCohort: isPermittedDeleteCohort,
         isPermittedGenerateCohort: isPermittedGenerateCohort,
diff --git a/js/services/ShareRoleCheck.js b/js/services/ShareRoleCheck.js
deleted file mode 100644
index eaac53a60..000000000
--- a/js/services/ShareRoleCheck.js
+++ /dev/null
@@ -1,32 +0,0 @@
-define(function (require, exports) {
-    var $ = require('jquery');
-    var constants = require('const');
-    const httpService = require('services/http');
-    
-    async function getRoleUsers(subject, permissionManagementRoleId) {
-	return await httpService.doGet(constants.apiPaths.roleUsers(permissionManagementRoleId))
-	      .then(({ data = [] }) => data)
-	      .catch((er) => {
-		  console.error('ERROR: Can\'t find users with permissionManagementRoleId: ' + permissionManagementRoleId);
-	      });
-    };
-    
-    async function checkIfRoleCanShare(subject, permissionManagementRoleId) {
-	var isAbleToShare = false;
-	const roleUsers = await getRoleUsers(subject, permissionManagementRoleId);
-	console.log("INFO: roleUsers:" + roleUsers.toString());
-	
-	roleUsers.forEach((user) => {
-	    console.log("INFO: user.login of user that has the permissionManagementRoleId " + permissionManagementRoleId + ": " + user.login + "; subject (currently logged in user): " + subject);
-            if (subject == user.login){
-		isAbleToShare = true;		
-	    }
-        });
-	console.log("INFO: isAbleToShare: " + isAbleToShare);
-	return isAbleToShare;
-    };
-
-    return {
-	checkIfRoleCanShare,
-    };
-});