feat!: country configurable user scopes & roles #7301
Conversation
rikukissa
changed the title
| response: { | ||
| failAction: async (req, _2, err: Boom) => { | ||
| if (process.env.NODE_ENV === 'production') { | ||
| // In prod, log a limited error message and throw the default Bad Request error. | ||
| logger.error(`Response validationError: ${err.message}`) | ||
| throw badRequest(`Invalid response payload returned from handler`) | ||
| } else { | ||
| // During development, log and respond with the full error. | ||
| logger.error( | ||
| `${req.path} response has a validation error: ${err.message}` | ||
| ) | ||
| throw err | ||
| } | ||
| } | ||
| }, |
There was a problem hiding this comment.
#7295
Also good to amend for workflow
| status: 'active', | ||
| scope: ['admin'], | ||
| role: 'NATIONAL_SYSTEM_ADMIN', |
There was a problem hiding this comment.
user-mgnt doesn't return scopes anymore as it doesn't know what scopes are. Scopes are now controlled by CC's /roles endpoint in combination with the auth service which creates JWT tokens.
| @@ -36,9 +38,16 @@ export default async function authenticateSuperUserHandler( | |||
| throw unauthorized() | |||
| } | |||
|
|
|||
| if (result.status === 'deactivated') { | |||
There was a problem hiding this comment.
This is just to improve error messaging when you try to seed again after seeding once
| @@ -1257,3 +1257,37 @@ export interface ICertificate { | |||
| payments?: Payment[] | |||
| data?: string | |||
| } | |||
|
|
|||
| export function modifyFormField( | |||
There was a problem hiding this comment.
Improvement: Related to a small refactor I made here while debugging something
| (process.env.NODE_ENV === 'development' || QA_ENV) && | ||
| !userScopes.includes('demo') | ||
| ) { | ||
| userScopes.push('demo') |
There was a problem hiding this comment.
Good thing to notice is that the addition of the demo scope (used to control 2FA of users, email/sms notifications) is now made the responsibility of CC.
| @@ -111,14 +100,6 @@ export const createFhirPractitionerRole = async ( | |||
| code: user.systemRole | |||
| } | |||
| ] | |||
| }, | |||
| { | |||
| coding: [ | |||
There was a problem hiding this comment.
I wasn't able to immediately find if these are used or if they are used at all. I decided to remove these as end user friendly text labels shouldn't be stored in the database but we should use role ids and message objects instead
| @@ -7,7 +7,7 @@ | |||
| "scripts": { | |||
There was a problem hiding this comment.
Auth service
The auth service's new responsibility is to, as part of authentication, connect scopes coming from CC to user's role field. This is done every time a user needs a JWT token
packages/client/package.json
Outdated
| @@ -12,7 +12,7 @@ | |||
| "build": "VITE_APP_VERSION=$VERSION NODE_OPTIONS=--max_old_space_size=8000 vite build", | |||
There was a problem hiding this comment.
Client
The most significant change is that the data model for user.role looks now a little different. Instead of a labels array with a single entity label for each supported language, the client now only receives a singular label, the is a message descriptor object. This object needs to be passed through react-intl to get the end-user friendly string.
| @@ -127,39 +127,3 @@ describe('when user has a valid token in local storage', () => { | |||
| expect(loadLocations).toHaveBeenCalled() | |||
| }) | |||
| }) | |||
|
|
|||
| describe('it handles react errors', () => { | |||
There was a problem hiding this comment.
Improvement: I changed the error boundaries so that when running unit tests, errors won't get swallowed but instead are console.logged and thrown as you would expect in a test run
| @@ -47,6 +47,10 @@ const StyledErrorBoundaryComponent = ({ intl, children }: IFullProps) => { | |||
| const [authError, setAuthError] = useState(false) | |||
|
|
|||
| const onError = (error: Error) => { | |||
| if (import.meta.env.MODE === 'test') { | |||
There was a problem hiding this comment.
Improvement: part of https://github.com/opencrvs/opencrvs-core/pull/7301/files#r1667055909
| @@ -11,35 +11,25 @@ | |||
| import { gql } from '@apollo/client' | |||
| import { client } from '@client/utils/apolloClient' | |||
|
|
|||
| export const getSystemRolesQuery = gql` | |||
| query getSystemRoles($value: ComparisonInput) { | |||
There was a problem hiding this comment.
Not sure why we had these filtering and search parameters here in the first place
| vi.mock('@client/utils/authApi', () => ({ | ||
| invalidateToken: () => Promise.resolve() | ||
| })) | ||
| vi.mock('@client/pdfRenderer', () => ({ | ||
| printPDF: () => Promise.resolve() | ||
| })) |
There was a problem hiding this comment.
@Zangetsu101 as per my testing these weren't working previously but now are 😮
| @@ -65,21 +65,15 @@ const initialState: IUserFormState = { | |||
| userDetailsStored: false, | |||
| submitting: false, | |||
| loadingRoles: false, | |||
| userRoles: [], | |||
There was a problem hiding this comment.
This could also be a React hook.. We just need a good template example of how to write offline-capable data fetch hooks 🤔
There was a problem hiding this comment.
Why do we need to know the user roles? Can't we get the scopes from the JWT token?
Writing offline-capable fetch hooks should be possible via gateway using Apollo & fetchPolicy 'cache-first' or 'cache-and-network'
| @@ -90,7 +91,9 @@ export default defineConfig(({ mode }) => { | |||
| }, | |||
| resolve: { | |||
| alias: { | |||
| crypto: 'crypto-js' | |||
| crypto: 'crypto-js', | |||
| '@opencrvs/commons/build/dist/authentication': | |||
There was a problem hiding this comment.
Sorry, couldn't get both the TS compiler and vitest to agree with each other without this
| } | ||
| } | ||
|
|
||
| export async function fetchJSON<ResponseType = any>( |
There was a problem hiding this comment.
Our new shared HTTP client
ocrvs-7436: misc bugs
ocrvs-7419: misc bugs
ocrvs-7421: misc bugs
feat: separate query for sent for review tab
* fix: use correct scopes for request, approve, reject and make correction in root-resolver * fix: show `sentForApproval` tab for `RECORD_REGISTRATION_REQUEST_CORRECTION` scope * fix: unit test: update scope for req correction
* fix: allow fetchRegistration for actionable scopes * fix: only self assigned & unassign scope can unassign * fix: require assignment for print & issue actions * test: assignment test for certify & issue * fix: add missing actionable scopes
* fix: add missing scopes for outbox * fix: remove declare scopes from update action * fix: allow update scope to change role * test: update navigation tab scopes
This reverts commit 935d5de.
* fix: amend active tab id of advance search * fix: hide advance searching based on scopes * fix: remove marriage scope from advance search component permission scope * chore: refactor advance search section to receive param * chore: refactor advance search section creator with user office id * chore: add filter location function * fix: add comment for additional props * fix: refactor variable name * fix: amend accordion state function with office id * fix: update advance search test with user details
Nil20
force-pushed
the
configurable-roles
branch
from
62f205e to
07d655d
Compare
Nil20
force-pushed
the
configurable-roles
branch
from
07d655d to
5ae2637
Compare
* fix: update unassign conditional query * fix: update wq record assignment value while assign and unassign based on hearth bundle * Revert "fix: update wq record assignment value while assign and unassign based on hearth bundle" This reverts commit b6a4aa7. * fix: add assignment property in declaration
* fix: update new sys admin scope in events middleware * fix: update scopes in events package
Ticket: #6455
Farajaland: opencrvs/opencrvs-farajaland#1042
The design for change is quite disruptive and non-backwards compatible. I started exploring this from a more incremental direction but eventually decided it's better to do a larger permission overhaul now so we can then just focus on specifying more scopes as per country needs.
Changes
systemRoleis now deprecated. Only the simple role of the user is being used, and matched against the default role configuration, or country config roles. The auth-microservice now provides the scopes.usePermissionshook.Scopeandscopes.To-do
systemRolecompletely. Identify where these roles are still referred at and create as narrowed down scopes as possible using @jpye-finch 's permissions table as a guideFrontend
@TODOcomments and see JPF's answers in this PR.Navigation.tsx, create auseNavigation-hook. Have the useNavigation hook return a list of the navigation items, that the Navigation.tsx then renders. Also, have the useNavigation return ahomePagewhich is the first item of the array. Then use this inHome.tsxandHistoryNavigator.tsxto remove theuseHomePage-hook.<ProtectedRoute roles={[. This should becomescopes=[. Design: Could we define the routes so, thatuseNavigationcould also use thescopesconfiguration to figure out what navigation items the users have?systemRole. The sanity of some can be considered, if the test is not meaningful anymore; feel free to delete it or write a new one that is more connected to the current application logic.Backend
packages/gateway/src/features/registration/utils.ts:57the English role label was stored in the certificate collector details, not the role id. How does changing this touserDetails.roleaffect things? Is a migration needed?Design: Consider howScopes: Add search scopes to control what records a user can search for #6909searchEventswould now work, when different user roles fetch all of the workqueues. Return an empty array of records if you don't have access?Locations
Tests & maintenance
default-employees.csv. Go through that the navigation items look the same, comparing to QA or farajaland-dev.Unrelated technical requirements identified