SUPPORT-9346: fix access to application pages

2025-08-29 11:52:11 +03:00 · 2025-08-29 11:52:11 +03:00 · 3a4a733c4b
commit 3a4a733c4b
parent 44681d41d3
8 changed files with 183 additions and 13 deletions
--- a/frontend/src/ts/modules/app/app-routing.module.ts
+++ b/frontend/src/ts/modules/app/app-routing.module.ts
@ -2,7 +2,7 @@ import {NgModule} from "@angular/core";
 import {RouterModule, Routes} from "@angular/router";
 import {ConfirmExitGuard} from "@webbpm/base-package";
 import {RolesGuard} from "./guard/RolesGuard";
-
+import {ErvuRole} from "./enum/ErvuRole";

 const appRoutes: Routes = [
  {
@ -13,37 +13,58 @@ const appRoutes: Routes = [
  {
    path: 'add_user_application',
    loadChildren: 'generated-sources/page-add_user_application.module#Pageadd_user_applicationModule',
-    canActivate: [ConfirmExitGuard, RolesGuard]
+    canActivate: [ConfirmExitGuard, RolesGuard],
+    data: {
+      roles: [ErvuRole.CREATOR]
+    }
  },
  {
    path: 'edit_user_application',
    loadChildren: 'generated-sources/page-edit_user_application.module#Pageedit_user_applicationModule',
-    canActivate: [ConfirmExitGuard, RolesGuard]
+    canActivate: [ConfirmExitGuard, RolesGuard],
+    data: {
+      roles: [ErvuRole.CREATOR]
+    }
  },
  {
    path: 'block_user_application',
    loadChildren: 'generated-sources/page-block_user_application.module#Pageblock_user_applicationModule',
-    canActivate: [ConfirmExitGuard, RolesGuard]
+    canActivate: [ConfirmExitGuard, RolesGuard],
+    data: {
+      roles: [ErvuRole.CREATOR]
+    }
  },
  {
    path: 'reset_password',
    loadChildren: 'generated-sources/page-reset_password.module#Pagereset_passwordModule',
-    canActivate: [ConfirmExitGuard, RolesGuard]
+    canActivate: [ConfirmExitGuard, RolesGuard],
+    data: {
+      roles: [ErvuRole.CREATOR]
+    }
  },
  {
    path: 'process_application/:id',
    loadChildren: 'generated-sources/page-process_application.module#Pageprocess_applicationModule',
-    canActivate: [ConfirmExitGuard, RolesGuard]
+    canActivate: [ConfirmExitGuard, RolesGuard],
+    data: {
+      checkOrg: true
+    }
  },
  {
    path: 'process_application_edit_user/:id',
    loadChildren: 'generated-sources/page-process_application_edit_user.module#Pageprocess_application_edit_userModule',
-    canActivate: [ConfirmExitGuard, RolesGuard]
+    canActivate: [ConfirmExitGuard, RolesGuard],
+    data: {
+      checkOrg: true
+    }
  },
  {
    path: 'unblock_user_application',
    loadChildren: 'generated-sources/page-unblock_user_application.module#Pageunblock_user_applicationModule',
-    canActivate: [ConfirmExitGuard, RolesGuard]
+    canActivate: [ConfirmExitGuard, RolesGuard],
+    data: {
+      roles: [ErvuRole.CREATOR]
+    }
  }
 ];

--- a/frontend/src/ts/modules/app/enum/ErvuRole.ts
+++ b/frontend/src/ts/modules/app/enum/ErvuRole.ts
@ -0,0 +1,5 @@
+export enum ErvuRole {
+  CREATOR = 'responsible_for_information_security',
+  REVIEWER = 'responsible_for_internal_control',
+  APPROVER = 'security_administrator'
+}
--- a/frontend/src/ts/modules/app/guard/RolesGuard.ts
+++ b/frontend/src/ts/modules/app/guard/RolesGuard.ts
@ -8,15 +8,17 @@ import {
 import {Injectable} from "@angular/core";
 import {AuthorizationService} from "../service/authorization.service";
 import {TokenProvider} from "../provider/token.provider";
+import {HttpClient} from "@angular/common/http";
+import {ErvuRole} from "../enum/ErvuRole";

@Injectable({providedIn: 'root'})
 export class RolesGuard implements CanActivate{

-  protected readonly allowedRoles: string[] = [];
+  private allowedRoles: string[];

  constructor(protected authService: AuthorizationService,
              protected tokenProvider: TokenProvider,
-              protected router: Router) {
+              protected router: Router, private httpClient: HttpClient) {
  }

  async canActivate(
@ -25,14 +27,21 @@ export class RolesGuard implements CanActivate{
    if (!await this.tokenProvider.getToken()) {
      return this.getUrlOnFailure()
    }
+    this.allowedRoles = route.data && route.data.roles ? route.data.roles : [];
+    let checkOrg = route.data && route.data.checkOrg;

    if (!this.authService.isAuthorized()) {
      return this.authService.getCurrentSession()
-          .then(() => this.checkRoles() ? true : this.getUrlOnFailure())
+          .then(() => {
+            if (checkOrg) {
+              return this.checkOrgByAppId(route.params.id);
+            }
+            return this.checkRoles() ? true : this.getUrlOnFailure();
+          })
          .catch(() => this.getUrlOnFailure());
    }
    else {
-      return this.checkRoles();
+      return checkOrg ? this.checkOrgByAppId(route.params.id) : this.checkRoles();
    }
  }

@ -44,4 +53,26 @@ export class RolesGuard implements CanActivate{
    return this.allowedRoles.length === 0
           || this.authService.hasAnyRole(this.allowedRoles);
  }
-}
+
+  private checkOrgByAppId(id: string): Promise<boolean | UrlTree> {
+    if (this.authService.hasAnyRole([ErvuRole.CREATOR, ErvuRole.REVIEWER])) {
+      return this.httpClient.get("allowed", {
+        headers: {
+          'app-number': id,
+          'check-parents': (!this.authService.hasRole(ErvuRole.CREATOR)).toString()
+        },
+        observe: 'response'
+      })
+          .toPromise()
+          .then(response => {
+            return response.body ? true : this.getUrlOnFailure();
+          })
+          .catch(() => this.getUrlOnFailure());
+    }
+    else if (this.authService.hasRole(ErvuRole.APPROVER)) {
+      return Promise.resolve(true);
+    }
+
+    return Promise.resolve(this.getUrlOnFailure());
+  }
+}