authorization: limit roles management using API

This commit restricts the role management for patrons using the role
management API. Depending of the API result, some roles could be
disabled into the role field.

- Closes rero/rero-ils#930

Co-authored_by: Renaud Michotte <[email protected]>

projects/admin/src/app/routes/patrons-route.ts

@@ -14,7 +14,10 @@
  * You should have received a copy of the GNU Affero General Public License
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
+import { FormlyFieldConfig } from '@ngx-formly/core';
 import { DetailComponent, EditorComponent, RecordSearchComponent, RouteInterface } from '@rero/ng-core';
+import { JSONSchema7 } from 'json-schema';
+import { map } from 'rxjs/operators';
 import { CanUpdateGuard } from '../guard/can-update.guard';
 import { PatronsBriefViewComponent } from '../record/brief-view/patrons-brief-view.component';
 import { PatronDetailViewComponent } from '../record/detail-view/patron-detail-view/patron-detail-view.component';
@@ -58,6 +61,11 @@ export class PatronsRoute extends BaseRoute implements RouteInterface {
               }
               return record;
             },
+            formFieldMap: (field: FormlyFieldConfig, jsonSchema: JSONSchema7): FormlyFieldConfig => {
+              // If the current logged user doens't have the 'system_librarian' role, then the user
+              // can't manage the role 'librarian' and 'system_librarian'
+              return this._limitRolesManagement(field, jsonSchema);
+            },
             // use simple query for UI search
             preFilters: {
               simple: 1
@@ -68,4 +76,25 @@ export class PatronsRoute extends BaseRoute implements RouteInterface {
       }
     };
   }
+
+  /** Limit the patron roles management.
+   *
+   * @param field - FormlyFieldConfig
+   * @param jsonSchema - JSONSchema7
+   * @return FormlyFieldConfig
+   */
+  private _limitRolesManagement(field: FormlyFieldConfig, jsonSchema: JSONSchema7): FormlyFieldConfig {
+    const formOptions = jsonSchema.form;
+    if (formOptions && formOptions.fieldMap === 'roles') {
+      const values = Object.assign([], field.templateOptions.options);  // create a clone of original values
+      field.templateOptions.options = this._routeToolService.recordPermissionService.getRolesManagementPermissions().pipe(
+        map(results => results.allowed_roles),
+        map(roles => {
+          values.forEach((role: any) => role.disabled = !roles.includes(role.value));
+          return values;
+        })
+      );
+    }
+    return field;
+  }
 }

projects/admin/src/app/routes/route-tool.service.ts

@@ -62,6 +62,13 @@ export class RouteToolService {
     return this._recordService;
   }
 
+  /**
+   * @return recordPermissionService
+   */
+  get recordPermissionService() {
+    return this._recordPermissionService;
+  }
+
   /**
    * Constructor
    *

projects/admin/src/app/service/record-permission.service.ts

@@ -18,6 +18,8 @@ import { I18nPluralPipe, NgLocaleLocalization } from '@angular/common';
 import { HttpClient, HttpHeaders } from '@angular/common/http';
 import { Injectable } from '@angular/core';
 import { TranslateService } from '@ngx-translate/core';
+import { Observable } from 'rxjs';
+import { map } from 'rxjs/operators';
 
 @Injectable({
   providedIn: 'root'
@@ -54,6 +56,16 @@ export class RecordPermissionService {
     return this._httpClient.get<RecordPermission>(url, this._httpOptions);
   }
 
+
+  /**
+   * Get roles that the current user can manage
+   * @return an observable on allowed roles management
+   */
+  getRolesManagementPermissions(): Observable<any> {
+    const url = 'api/patrons/roles_management_permissions';
+    return this._httpClient.get(url, this._httpOptions);
+  }
+
   /**
    * Generate tooltip messages
    * @param reasons - Object with reasons to insert into the tooltip