Fixed permission checks for characterization and feature analysis.

chrisknoll · chrisknoll · commit 997d4e49ae5b · 2026-04-02T14:07:00.000-04:00
diff --git a/js/pages/characterizations/services/PermissionService.js b/js/pages/characterizations/services/PermissionService.js
@@ -5,78 +5,91 @@ define([
 ) {
 
     function isPermittedCreateCC() {
-        return AuthAPI.isPermitted(`cohort-characterization:post`);
+        return AuthAPI.isPermitted(`create:cohort-characterization`);
     }
 
     function isPermittedImportCC() {
-        return AuthAPI.isPermitted(`cohort-characterization:import:post`);
+        return AuthAPI.isPermitted(`create:cohort-characterization`);
     }
 
     function isPermittedGetCCList() {
-        return AuthAPI.isPermitted(`cohort-characterization:get`);
+        return true; // we do not need to restrict list opertions
     }
 
-    function isPermittedGetCC(id) {
-        return AuthAPI.isPermitted(`cohort-characterization:${id}:get`);
+    var isPermittedGetCC = function(id) {
+        var grant = AuthAPI.getCCGrant(id);
+        return  grant.isOwner ||
+            AuthAPI.isPermitted("read:cohort-characterization") ||
+            AuthAPI.isPermitted("write:cohort-characterization") ||
+            AuthAPI.checkAccess("READ", grant.accessTypes);
     }
 
-    function isPermittedUpdateCC(id) {
-        return AuthAPI.isPermitted(`cohort-characterization:${id}:put`);
-    }
+    var isPermittedUpdateCC = function(id) {
+        var grant = AuthAPI.getCCGrant(id);
+        return  grant.isOwner ||
+            AuthAPI.isPermitted("write:cohort-characterization") ||
+            AuthAPI.checkAccess("WRITE", grant.accessTypes);
+    }    
 
     function isPermittedDeleteCC(id) {
-        return AuthAPI.isPermitted(`cohort-characterization:${id}:delete`);
+        return isPermittedUpdateCC(id);
     }
 
     function isPermittedListGenerations(id) {
-        return AuthAPI.isPermitted(`cohort-characterization:${id}:generation:get`);
+        return true; // TODO: do we need to restrict listing generations?
     }
 
     function isPermittedGenerate(id, sourceKey) {
-        return AuthAPI.isPermitted(`cohort-characterization:${id}:generation:${sourceKey}:post`);
+        return AuthAPI.hasSourceAccess(sourceKey, "WRITE"); // TODO: Do we need read/write checks on the design?
     }
 
     function isPermittedResults(sourceKey) {
-        return (AuthAPI.isPermitted(`cohort-characterization:generation:*:result:post`))
-            && AuthAPI.isPermitted(`source:${sourceKey}:access`);
+        return AuthAPI.hasSourceAccess(sourceKey, "READ");
     }
 
     function isPermittedExportGenerationDesign(id) {
-        return AuthAPI.isPermitted(`cohort-characterization:generation:${id}:design:get`);
+        return isPermittedGetCC(id);
     }
 
     function isPermittedExportCC(id) {
-        return AuthAPI.isPermitted(`cohort-characterization:${id}:export:get`);
+        return isPermittedGetCC(id);
     }
 
     function isPermittedCopyCC(id) {
-        return AuthAPI.isPermitted(`cohort-characterization:${id}:post`);
+        return isPermittedGetCC(id) && isPermittedCreateCC();
     }
 
-    //
+    // FA Permissions
 
     function isPermittedGetFaList() {
-        return AuthAPI.isPermitted(`feature-analysis:get`);
+        return true; // TODO: do we need perms to list assets?
     }
 
     function isPermittedCreateFa() {
-        return AuthAPI.isPermitted(`feature-analysis:post`);
+        return AuthAPI.isPermitted(`create:feature-analysis`);
     }
 
     function isPermittedGetFa(id) {
-        return AuthAPI.isPermitted(`feature-analysis:${id}:get`);
+        var grant = AuthAPI.getFAGrant(id);
+        return  grant.isOwner ||
+            AuthAPI.isPermitted("read:feature-analysis") ||
+            AuthAPI.isPermitted("write:feature-analysis") ||
+            AuthAPI.checkAccess("READ", grant.accessTypes);
     }
 
     function isPermittedUpdateFa(id) {
-        return AuthAPI.isPermitted(`feature-analysis:${id}:put`);
+        var grant = AuthAPI.getFAGrant(id);
+        return  grant.isOwner ||
+            AuthAPI.isPermitted("write:feature-analysis") ||
+            AuthAPI.checkAccess("WRITE", grant.accessTypes);
     }
 
     function isPermittedDeleteFa(id) {
-        return AuthAPI.isPermitted(`feature-analysis:${id}:delete`);
+        return isPermittedUpdateFa(id);
     }
 
     function isPermittedCopyFa(id) {
-        return AuthAPI.isPermitted(`feature-analysis:${id}:copy:get`);
+        return isPermittedGetFa(id) && isPermittedCreateFa();
     }
 
     return {
diff --git a/js/services/AuthAPI.js b/js/services/AuthAPI.js
@@ -230,6 +230,18 @@ define(function(require, exports) {
         return granted.includes(check);  
     }
 
+    var getCCGrant = function(id) {
+        var ccId = +id; // force to numeric
+        var authz = permissions().cohortCharacterizationAccess;
+        return authz[ccId] || NONE_ENTITY_GRANT; // assign a falsy entity grant if not found
+    }
+
+    var getFAGrant = function(id) {
+        var faId = +id; // force to numeric
+        var authz = permissions().feAnalysisAccess;
+        return authz[faId] || NONE_ENTITY_GRANT; // assign a falsy entity grant if not found
+    }    
+
     function base64urldecode(arg) {
         var s = arg;
         s = s.replace(/-/g, '+'); // 62nd char of encoding
@@ -451,7 +463,6 @@ define(function(require, exports) {
     }
 
     const hasSourceAccess = function (sourceKey, accessType = "READ") {
-        var sourceKey = sharedState.sourceKeyOfVocabUrl();
         var sourceId = (sharedState.sources().find(s => s.sourceKey == sourceKey) || {}).sourceId;
         
         if (!sourceId) return false; // source not found
@@ -516,6 +527,7 @@ define(function(require, exports) {
     var api = {
         AUTH_PROVIDERS: AUTH_PROVIDERS,
         AUTH_CLIENTS: AUTH_CLIENTS,
+        NONE_ENTITY_GRANT: NONE_ENTITY_GRANT,
 
         token: token,
         authClient: authClient,
@@ -534,11 +546,16 @@ define(function(require, exports) {
         isAuthenticated: isAuthenticated,
 		signInOpened: signInOpened,
         isPermitted: isPermitted,
+        checkAccess: checkAccess,
 
         isPermittedGetAllNotifications: isPermittedGetAllNotifications,
         isPermittedGetViewedNotifications: isPermittedGetViewedNotifications,
         isPermittedPostViewedNotifications: isPermittedPostViewedNotifications,
 
+        // will add the various get{entity} grants here
+        getCCGrant: getCCGrant,
+        getFAGrant: getFAGrant,
+
         isPermittedCreateConceptset: isPermittedCreateConceptset,
         isPermittedReadConceptset: isPermittedReadConceptset,
         isPermittedUpdateConceptset: isPermittedUpdateConceptset,
