Kuali Rice Development
KULRICE-12589

Add authorization for document actions in DocumentControllerBase

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.5
    • Component/s: Development
    • Security Level: Public (Public: Anyone can view)
    • Labels:
      None
    • Similar issues:
      KULRICE-12641 Add authorization for document actions in MaintenanceDocumentController
      KULRICE-12561 Add Dialogs to DocumentControllerBase methods
      KULRICE-5334 Docs - Finish DocumentControllerBase (all workflow methods)
      KULRICE-1048 Add support for Role-based authorization
      KULRICE-6245 Document Authorization - User Guide
      KULRICE-4542 Create Authorization Exception Handler for graceful handling of DocumentAuthorizationException
      KULRICE-8904 Add Document Type Authorizer column to KREW_DOC_TYP_T table
      KULRICE-9426 Ad Hoc to Person unauthroized to take action on document possible
      KULRICE-14220 Implement authorization checks on api endpoints for groups, action list, and document search
      KULRICE-13779 Create Travel Authorization transactional document in KRAD
    • Epic Link:
    • Rice Module:
      KRAD
    • Application Requirement:
      KC
    • Sprint:
      2.5.0-m2 Sprint 3, 2.5.0-m3 Sprint 1, Core 2.5.0-m6 Sprint 1, Core 2.5.0-m6 Sprint 2
    • KAI Review Status:
      Not Required
    • KTI Review Status:
      Not Required
    • Code Review Status:
      Not Required
    • Include in Release Notes?:
      Yes
    • Story Points:
      3

      Description

      Complete the TODO in the DocumentControllerBase to implement authorization on the document actions.

      // TODO: authorization on document actions
      // if (KEWConstants.SUPERUSER_COMMAND.equalsIgnoreCase(command)) {
      //     form.setSuppressAllButtons(true);
      // }

        Issue Links

          Activity

          Steve Manning (Inactive) added a comment -

          The "TODO" and corresponding snippet of code seem to have been pulled directly from the KNS class KualiDocumentActionBase#docHandler method.

          Kristina Taylor (Inactive) added a comment -

          Apply the suggestions from the code review.

          Steve Manning (Inactive) added a comment -

          This issue will have to be revisited once superuser functionality has been reworked by the uxi team.

          Martin Taylor (Inactive) added a comment - - edited

          Spoke with Kristina: reviewing existing functionality around super user and suppressAllButtons.

          Super User Functionality is expressed in document search and editing existing documents under the SuperUser Action Tab. Super user functionality is obtained through 'Administer Routing for Document' permission (1). SuppressAllButtons is part of KualiDocumentForm and is set to false by default. SuppressAllButtons is set to true when SUPERUSER_COMMAND (displaySuperUserView) is set. This only occurs in KualiDocumentActionBase#docHandler. If set to true, suppressAllButtons will hide ad hoc requests (adHocRecipientsTag), suppress displaying buttons (documentControls.tag), and bypass rendering of the required fields label (KualiMaintenanceDocument.jsp, documentPage.jsp).

          Source Code related to SUPERUSER_COMMAND and suppressAllButtons:

          • org.kuali.rice.kew.superuser.web.SuperUserAction
          • org.kuali.rice.kew.api.KewApiConstants#SUPERUSER_COMMAND
          • kew/WEB-INF/jsp/superuser/SuperUser.jsp:120
          • org.kuali.rice.kns.web.struts.form.KualiDocumentFormBase#isSuppressAllButtons
          • org/kuali/rice/kns/web/struts/action/KualiDocumentActionBase.java:380
          • WEB-INF/tags/kr/documentControls.tag:34
          • WEB-INF/tags/kr/adHocRecipients.tag:19
          • kr/WEB-INF/jsp/KualiMaintenanceDocument.jsp:38

          Documentation on super user functions:
          (1) https://kfs.ucdavis.edu/kfs-help/default.htm?turl=WordDocuments%2Fsuperuservsnonsuperusersearches.htm
          (2) https://kfs.ucdavis.edu/kfs-help/default.htm?turl=WordDocuments%2Fsuperuserfunctions.htm
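
The flag behaviour described in the comment above, modelled as an added example (not Kuali Rice code and not written by the issue's participants). `DocForm`, `canTake`, `renderedButtons`, `performAction`, the principals and the `otherCommand` value are hypothetical stand-ins; the point shown is one decision driving both what is rendered and what the action method accepts, so that suppressing buttons is backed by a check in the controller.

```java
import java.util.*;
import java.util.stream.Collectors;

// Added illustration with stand-in types; none of these are Kuali Rice classes.
public class SuperUserViewDemo {
    static final String SUPERUSER_COMMAND = "displaySuperUserView"; // value quoted above
    static final List<String> STANDARD_ACTIONS = List.of("save", "route", "cancel");
    // Constructed sample permissions: principal -> actions it may take.
    static final Map<String, Set<String>> ALLOWED =
            Map.of("alice", Set.of("save", "route", "cancel"), "bob", Set.of("cancel"));

    // Hypothetical form carrying only the flag under discussion (false by default).
    static class DocForm { boolean suppressAllButtons = false; }

    // The docHandler step from the TODO: the command flips the flag.
    static DocForm docHandler(String command) {
        DocForm form = new DocForm();
        form.suppressAllButtons = SUPERUSER_COMMAND.equalsIgnoreCase(command);
        return form;
    }

    // Single decision point shared by rendering and by the action methods.
    static boolean canTake(DocForm form, String principal, String action) {
        return !form.suppressAllButtons
                && ALLOWED.getOrDefault(principal, Set.of()).contains(action);
    }

    // View side: buttons that would be drawn for this principal.
    static List<String> renderedButtons(DocForm form, String principal) {
        return STANDARD_ACTIONS.stream()
                .filter(a -> canTake(form, principal, a)).collect(Collectors.toList());
    }

    // Controller side: repeat the check; a hidden button does not stop the request.
    static String performAction(DocForm form, String principal, String action) {
        if (!canTake(form, principal, action)) {
            throw new SecurityException(principal + " may not " + action);
        }
        return action + " performed for " + principal;
    }

    public static void main(String[] args) {
        DocForm normal = docHandler("otherCommand"); // constructed command value
        DocForm superUser = docHandler(SUPERUSER_COMMAND);
        System.out.println(renderedButtons(normal, "bob") + " " + renderedButtons(superUser, "alice"));
        System.out.println(performAction(normal, "alice", "route"));
        try {
            performAction(superUser, "alice", "route");
        } catch (SecurityException e) { System.out.println("refused: " + e.getMessage()); }
    }
}
```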

          Kristina Taylor (Inactive) added a comment -

          Could we possibly use the new DocumentView.isSuperUserView to implement this?

          Martin Taylor (Inactive) added a comment -

          Possibly, want to check with Jerry about it. If so, it could be a render !#view.superUserView on the DocumentPageFooter. Another issue is whether we want to tie the footer render to superuser or to a DocumentActionsGroup inside the Footer (allows for merging and still hiding existing buttons vs locking down the footer altogether).

          Kristina Taylor (Inactive) added a comment -

          We probably want to use the DocumentActionsGroup approach, in case other people want to add additional stuff to the footer. That way all the standard buttons would be locked down. I think using the superUserView is appropriate, as it is not used anywhere else.

          Martin Taylor (Inactive) added a comment - - edited

          Ran into formatting issues due to lists vs group on footers. Went back to p:render on the footer and used super user view. In testing found some issues with the super user check in the DocControllerServiceImpl that needs to be modified before closing this ticket.

          Martin Taylor (Inactive) added a comment -

          Discussion on super user command related to kns/krad, both function to remove access from the command (related to ad-hoc recipients and available actions) while action flags add special features. Command changes are already in place.


            People

            • Assignee:
              Martin Taylor (Inactive)
              Reporter:
              Claus Niesen
            • Votes:
              0
              Watchers:
              4


                Time Tracking

                Estimated:
                Not Specified
                Remaining:
                0m
                Logged:
                1h 30m
