From 1b8718bbb4eae98a39e43efd83879cc2259fa4f4 Mon Sep 17 00:00:00 2001
From: Renaud Michotte
Date: Mon, 15 Jun 2020 14:04:29 +0200
Subject: [PATCH] authorization: limit roles management using API

This commit restricts the role management for patrons using the role management API. Depending of the API result, some roles could be disabled into the role field.

- Closes rero/rero-ils#930

Co-authored_by: Renaud Michotte
---
 .../admin/src/app/routes/patrons-route.ts | 29 +++++++++++++++++++
 .../src/app/routes/route-tool.service.ts | 7 +++++
 .../app/service/record-permission.service.ts | 12 ++++++++
 3 files changed, 48 insertions(+)

diff --git a/projects/admin/src/app/routes/patrons-route.ts b/projects/admin/src/app/routes/patrons-route.ts
index 0b2c58c1a..6af86637e 100644
--- a/projects/admin/src/app/routes/patrons-route.ts
+++ b/projects/admin/src/app/routes/patrons-route.ts
@@ -14,7 +14,10 @@
 * You should have received a copy of the GNU Affero General Public License
 * along with this program. If not, see .
 */
+import { FormlyFieldConfig } from '@ngx-formly/core';
 import { DetailComponent, EditorComponent, RecordSearchComponent, RouteInterface } from '@rero/ng-core';
+import { JSONSchema7 } from 'json-schema';
+import { map } from 'rxjs/operators';
 import { CanUpdateGuard } from '../guard/can-update.guard';
 import { PatronsBriefViewComponent } from '../record/brief-view/patrons-brief-view.component';
 import { PatronDetailViewComponent } from '../record/detail-view/patron-detail-view/patron-detail-view.component';
@@ -58,6 +61,11 @@ export class PatronsRoute extends BaseRoute implements RouteInterface {
 }
 return record;
 },
+ formFieldMap: (field: FormlyFieldConfig, jsonSchema: JSONSchema7): FormlyFieldConfig => {
+ // If the current logged user doens't have the 'system_librarian' role, then the user
+ // can't manage the role 'librarian' and 'system_librarian'
+ return this._limitRolesManagement(field, jsonSchema);
+ },
 // use simple query for UI search
 preFilters: {
 simple: 1
@@ -68,4 +76,25 @@ export class PatronsRoute extends BaseRoute implements RouteInterface {
 }
 };
 }
+
+ /** Limit the patron roles management.
+ *
+ * @param field - FormlyFieldConfig
+ * @param jsonSchema - JSONSchema7
+ * @return FormlyFieldConfig
+ */
+ private _limitRolesManagement(field: FormlyFieldConfig, jsonSchema: JSONSchema7): FormlyFieldConfig {
+ const formOptions = jsonSchema.form;
+ if (formOptions && formOptions.fieldMap === 'roles') {
+ const values = Object.assign([], field.templateOptions.options); // create a clone of original values
+ field.templateOptions.options = this._routeToolService.recordPermissionService.getRolesManagementPermissions().pipe(
+ map(results => results.allowed_roles),
+ map(roles => {
+ values.forEach((role: any) => role.disabled = !roles.includes(role.value));
+ return values;
+ })
+ );
+ }
+ return field;
+ }
 }
diff --git a/projects/admin/src/app/routes/route-tool.service.ts b/projects/admin/src/app/routes/route-tool.service.ts
index 1f951fa9b..2b239d68c 100644
--- a/projects/admin/src/app/routes/route-tool.service.ts
+++ b/projects/admin/src/app/routes/route-tool.service.ts
@@ -62,6 +62,13 @@ export class RouteToolService {
 return this._recordService;
 }
+ /**
+ * @return recordPermissionService
+ */
+ get recordPermissionService() {
+ return this._recordPermissionService;
+ }
+
 /**
 * Constructor
 *
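Review bot: The comment inside `formFieldMap` states a fixed policy ('system_librarian' is required to manage 'librarian' and 'system_librarian'), but the code beneath it applies whatever `allowed_roles` the API returns, so the comment goes stale as soon as the server rule changes. I would describe the mechanism instead, e.g. `// Disable the role options that the API reports the current user may not manage.`, which also removes the `doens't` typo.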
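Review bot: Disabling options in `_limitRolesManagement` restricts only what the form renders, so it is not an access control: the `roles` value saved with a patron still has to be checked on the server against the same allowed list, and that enforcement is not visible in this patch. Inside the hunk the lookup also has no fail-closed path, because `roles.includes` runs on an unchecked `results.allowed_roles` and the pipe has no `catchError`; how the field behaves when the request fails is left to formly. `Object.assign([], …)` copies the array but not the option objects, so `role.disabled` is written onto the originals despite the 'clone' comment. The sketch below copies each option and treats an error or a malformed response as "no role manageable"; it needs `catchError` from `rxjs/operators` and `of` from `rxjs` added to the imports.

```typescript
private _limitRolesManagement(field: FormlyFieldConfig, jsonSchema: JSONSchema7): FormlyFieldConfig {
  // … unchanged: formOptions lookup and the 'roles' fieldMap test …
    // Copy each option object so the schema's original entries are never mutated.
    const values = Object.assign([], field.templateOptions.options).map((role: any) => ({ ...role }));
    field.templateOptions.options = this._routeToolService.recordPermissionService.getRolesManagementPermissions().pipe(
      // A response without a usable list is treated as "nothing allowed".
      map(results => (results && Array.isArray(results.allowed_roles)) ? results.allowed_roles : []),
      // Fail closed: if the permission lookup errors, every role stays disabled.
      catchError(() => of([] as string[])),
      map(roles => values.map((role: any) => ({ ...role, disabled: !roles.includes(role.value) })))
    );
  // … unchanged: closing of the if block and `return field;` …
}
```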
diff --git a/projects/admin/src/app/service/record-permission.service.ts b/projects/admin/src/app/service/record-permission.service.ts
index 365864821..a4bffe7a1 100644
--- a/projects/admin/src/app/service/record-permission.service.ts
+++ b/projects/admin/src/app/service/record-permission.service.ts
@@ -18,6 +18,8 @@ import { I18nPluralPipe, NgLocaleLocalization } from '@angular/common';
 import { HttpClient, HttpHeaders } from '@angular/common/http';
 import { Injectable } from '@angular/core';
 import { TranslateService } from '@ngx-translate/core';
+import { Observable } from 'rxjs';
+import { map } from 'rxjs/operators';
 @Injectable({
 providedIn: 'root'
@@ -54,6 +56,16 @@ export class RecordPermissionService {
 return this._httpClient.get(url, this._httpOptions);
 }
+
+ /**
+ * Get roles that the current user can manage
+ * @return an observable on allowed roles management
+ */
+ getRolesManagementPermissions(): Observable {
+ const url = 'api/patrons/roles_management_permissions';
+ return this._httpClient.get(url, this._httpOptions);
+ }
+
 /**
 * Generate tooltip messages
 * @param reasons - Object with reasons to insert into the tooltip
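Review bot: `map` from `rxjs/operators` is imported in this hunk but neither hunk of this file uses it; the new `getRolesManagementPermissions` only needs `Observable`. The line `import { map } from 'rxjs/operators';` can be dropped unless a follow-up change is meant to use it.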
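Review bot: `getRolesManagementPermissions` returns the response untyped, so the `allowed_roles` key that `patrons-route.ts` reads is an undocumented contract between this service and the endpoint. A small exported interface would pin it, e.g. `export interface RolesManagementPermissions { allowed_roles: string[]; }` with `return this._httpClient.get<RolesManagementPermissions>(url, this._httpOptions);` (assuming `_httpOptions` keeps the default JSON body response). The doc comment should also say that the returned list is advisory for the UI and that the server remains the authority on which roles a user may assign.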