-
Notifications
You must be signed in to change notification settings - Fork 196
Fix(publisher): Inconsistent role based behaviour in comment reply functionality #1391
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -26,7 +26,7 @@ import { FormattedMessage, injectIntl } from 'react-intl'; | |
| import Alert from 'AppComponents/Shared/Alert'; | ||
| import CommentsAPI from 'AppData/Comments'; | ||
| import MCPServer from 'AppData/MCPServer'; | ||
| import { isRestricted } from 'AppData/AuthManager'; | ||
| import AuthManager from 'AppData/AuthManager'; | ||
|
|
||
| const PREFIX = 'CommentAdd'; | ||
|
|
||
|
|
@@ -192,12 +192,8 @@ class CommentAdd extends React.Component { | |
| * @returns {boolean} - True if access is restricted, false otherwise | ||
| */ | ||
| isAccessRestricted() { | ||
| const { api } = this.props; | ||
| if (api.apiType.toUpperCase() === MCPServer.CONSTS.MCP) { | ||
| return isRestricted(['apim:comment_write', 'apim:comment_manage'], api); | ||
| } else { | ||
| return isRestricted(['apim:api_create', 'apim:api_publish'], api); | ||
| } | ||
| const user = AuthManager.getUser(); | ||
| return !user.scopes.includes("apim:comment_write") && !user.scopes.includes("apim:comment_manage"); | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Also logic here is an AND. but our scope validation logic behaves in OR in REST API
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, the REST API allows access if the user has either scope (OR). Since this frontend method calculates whether to restrict the user, it needs to return true only when the user is missing both scopes. So |
||
| } | ||
|
|
||
| /** | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -171,7 +171,7 @@ class CommentOptions extends React.Component { | |
| const user = AuthManager.getUser(); | ||
| const username = Utils.getUserNameWithoutDomain(user.name); | ||
| const canDelete = (comment.createdBy === username) || user.isAdmin(); | ||
| const canReply = !user.isCreator() || user.isAdmin(); | ||
| const canReply = user.scopes.includes("apim:comment_write") || user.scopes.includes("apim:comment_manage"); | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. cant we use the isRestricted same util method here |
||
| // const canModify = comment.createdBy === username; | ||
| return ( | ||
| <StyledGrid container spacing={1} className={classes.verticalSpace} key={comment.id}> | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The original isRestricted() utility handles the user being null other cases of having publish permissions and lifecycle states. any reason to remove that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the backend
carbon-apimgtlogic foraddComment, there were no consideration in the API lifecycle state and publish permission checks, therefore rather than using existing genericisRestrictedhelper method, a separate method has been used to check the permissions for theAdd Commentin the frontend.