[EC-416] Refactor organization permission checks (#3252)

* Replace Permissions enum and helper methods with callbacks * Remove scim feature flag * Check if org has feature enabled as part of canManage checks * Pin jest-mock-extended at v2.0.6 to fix compilation error
2025-12-15 07:43:35 +00:00 · 2022-08-16 00:08:06 +10:00
parent 96d5f50c7f
commit d30701ada7
32 changed files with 474 additions and 282 deletions
--- a/libs/common/src/enums/permissions.ts
+++ b/libs/common/src/enums/permissions.ts
@@ -1,29 +0,0 @@
-export enum Permissions {
-  AccessEventLogs,
-  AccessImportExport,
-  AccessReports,
-  /**
-   * @deprecated Sep 29 2021: This permission has been split out to `createNewCollections`, `editAnyCollection`, and
-   * `deleteAnyCollection`. It exists here for backwards compatibility with Server versions <= 1.43.0
-   */
-  ManageAllCollections,
-  /**
-   * @deprecated Sep 29 2021: This permission has been split out to `editAssignedCollections` and
-   * `deleteAssignedCollections`. It exists here for backwards compatibility with Server versions <= 1.43.0
-   */
-  ManageAssignedCollections,
-  ManageGroups,
-  ManageOrganization,
-  ManagePolicies,
-  ManageProvider,
-  ManageUsers,
-  ManageUsersPassword,
-  CreateNewCollections,
-  EditAnyCollection,
-  DeleteAnyCollection,
-  EditAssignedCollections,
-  DeleteAssignedCollections,
-  ManageSso,
-  ManageBilling,
-  ManageScim,
-}
--- a/libs/common/src/models/domain/organization.ts
+++ b/libs/common/src/models/domain/organization.ts
@@ -1,6 +1,5 @@
 import { OrganizationUserStatusType } from "../../enums/organizationUserStatusType";
 import { OrganizationUserType } from "../../enums/organizationUserType";
-import { Permissions } from "../../enums/permissions";
 import { ProductType } from "../../enums/productType";
 import { PermissionsApi } from "../api/permissionsApi";
 import { OrganizationData } from "../data/organizationData";
@@ -114,7 +113,7 @@ export class Organization {
  }

  get canAccessEventLogs() {
-    return this.isAdmin || this.permissions.accessEventLogs;
+    return (this.isAdmin || this.permissions.accessEventLogs) && this.useEvents;
  }

  get canAccessImportExport() {
@@ -168,11 +167,11 @@ export class Organization {
  }

  get canManageGroups() {
-    return this.isAdmin || this.permissions.manageGroups;
+    return (this.isAdmin || this.permissions.manageGroups) && this.useGroups;
  }

  get canManageSso() {
-    return this.isAdmin || this.permissions.manageSso;
+    return (this.isAdmin || this.permissions.manageSso) && this.useSso;
  }

  get canManageScim() {
@@ -180,7 +179,7 @@ export class Organization {
  }

  get canManagePolicies() {
-    return this.isAdmin || this.permissions.managePolicies;
+    return (this.isAdmin || this.permissions.managePolicies) && this.usePolicies;
  }

  get canManageUsers() {
@@ -195,30 +194,6 @@ export class Organization {
    return this.canManagePolicies;
  }

-  hasAnyPermission(permissions: Permissions[]) {
-    const specifiedPermissions =
-      (permissions.includes(Permissions.AccessEventLogs) && this.canAccessEventLogs) ||
-      (permissions.includes(Permissions.AccessImportExport) && this.canAccessImportExport) ||
-      (permissions.includes(Permissions.AccessReports) && this.canAccessReports) ||
-      (permissions.includes(Permissions.CreateNewCollections) && this.canCreateNewCollections) ||
-      (permissions.includes(Permissions.EditAnyCollection) && this.canEditAnyCollection) ||
-      (permissions.includes(Permissions.DeleteAnyCollection) && this.canDeleteAnyCollection) ||
-      (permissions.includes(Permissions.EditAssignedCollections) &&
-        this.canEditAssignedCollections) ||
-      (permissions.includes(Permissions.DeleteAssignedCollections) &&
-        this.canDeleteAssignedCollections) ||
-      (permissions.includes(Permissions.ManageGroups) && this.canManageGroups) ||
-      (permissions.includes(Permissions.ManageOrganization) && this.isOwner) ||
-      (permissions.includes(Permissions.ManagePolicies) && this.canManagePolicies) ||
-      (permissions.includes(Permissions.ManageUsers) && this.canManageUsers) ||
-      (permissions.includes(Permissions.ManageUsersPassword) && this.canManageUsersPassword) ||
-      (permissions.includes(Permissions.ManageSso) && this.canManageSso) ||
-      (permissions.includes(Permissions.ManageScim) && this.canManageScim) ||
-      (permissions.includes(Permissions.ManageBilling) && this.canManageBilling);
-
-    return specifiedPermissions && (this.enabled || this.isOwner);
-  }
-
  get canManageBilling() {
    return this.isOwner && (this.isProviderUser || !this.hasProvider);
  }