Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ import { FormattedMessage, injectIntl } from 'react-intl';
import Alert from 'AppComponents/Shared/Alert';
import CommentsAPI from 'AppData/Comments';
import MCPServer from 'AppData/MCPServer';
import { isRestricted } from 'AppData/AuthManager';
import AuthManager from 'AppData/AuthManager';

const PREFIX = 'CommentAdd';

Expand Down Expand Up @@ -192,12 +192,8 @@ class CommentAdd extends React.Component {
* @returns {boolean} - True if access is restricted, false otherwise
*/
isAccessRestricted() {
const { api } = this.props;
if (api.apiType.toUpperCase() === MCPServer.CONSTS.MCP) {
return isRestricted(['apim:comment_write', 'apim:comment_manage'], api);
} else {
return isRestricted(['apim:api_create', 'apim:api_publish'], api);
}
const user = AuthManager.getUser();
return !user.scopes.includes("apim:comment_write") && !user.scopes.includes("apim:comment_manage");

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The original isRestricted() utility handles the user being null other cases of having publish permissions and lifecycle states. any reason to remove that?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the backend carbon-apimgt logic for addComment, there were no consideration in the API lifecycle state and publish permission checks, therefore rather than using existing generic isRestricted helper method, a separate method has been used to check the permissions for the Add Comment in the frontend.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also logic here is an AND. but our scope validation logic behaves in OR in REST API

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, the REST API allows access if the user has either scope (OR). Since this frontend method calculates whether to restrict the user, it needs to return true only when the user is missing both scopes. So !write && !manage exactly mirrors the backend's write || manage logic"

}

/**
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -171,7 +171,7 @@ class CommentOptions extends React.Component {
const user = AuthManager.getUser();
const username = Utils.getUserNameWithoutDomain(user.name);
const canDelete = (comment.createdBy === username) || user.isAdmin();
const canReply = !user.isCreator() || user.isAdmin();
const canReply = user.scopes.includes("apim:comment_write") || user.scopes.includes("apim:comment_manage");

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cant we use the isRestricted same util method here

// const canModify = comment.createdBy === username;
return (
<StyledGrid container spacing={1} className={classes.verticalSpace} key={comment.id}>
Expand Down
Loading