fix(medic#10341): revoke permissions when user role is deleted from app_settings (medic#10795)

Co-authored-by: Joshua Kuestersteffen <[email protected]>
Co-authored-by: Claude Sonnet 4.6 <[email protected]>

Author: 3 people

admin/src/js/controllers/edit-user.js

@@ -1,7 +1,6 @@
 const moment = require('moment');
 const passwordTester = require('simple-password-tester');
 const phoneNumber = require('@medic/phone-number');
-const CHT = require('@medic/cht-datasource');
 const constants = require('@medic/constants');
 const USER_ROLES = constants.USER_ROLES;
 const PASSWORD_MINIMUM_LENGTH = 8;
@@ -40,9 +39,8 @@ angular
     'use strict';
     'ngInject';
 
-    const datasource = DataContext.getDatasource();
+    const datasourcePromise = DataContext.then(dataContext => dataContext.getDatasource());
     $scope.cancel = () => $uibModalInstance.dismiss();
-    const getContact = DataContext.bind(CHT.Contact.v1.get);
 
     const getRoles = roles => {
       if (!roles || !roles.length) {
@@ -61,9 +59,10 @@ angular
       });
     };
 
-    const validateSkipPasswordPermission = () => {
+    const validateSkipPasswordPermission = datasource => {
       $scope.skipPasswordChange = datasource.v1.hasPermissions(
-        ['can_skip_password_change'], $scope.editUserModel.roles, $scope.permissions
+        ['can_skip_password_change'],
+        $scope.editUserModel.roles
       );
     };
 
@@ -112,7 +111,7 @@ angular
       // If $scope.model === {}, we're creating a new user.
       return $q.all([Settings(), getOidcUsername()])
         .then(([settings, oidcUsername]) => {
-          $scope.permissions = settings.permissions;
+          $scope.settings = settings;
           $scope.roles = settings.roles;
           $scope.allowTokenLogin = allowTokenLogin(settings);
           $scope.allowSSOLogin = allowSSOLogin(settings);
@@ -177,10 +176,10 @@ angular
         .map((row) => row.doc);
     };
 
-    this.setupPromise = determineEditUserModel()
-      .then(model => {
+    this.setupPromise = $q.all([determineEditUserModel(), datasourcePromise])
+      .then(([model, datasource]) => {
         $scope.editUserModel = model;
-        validateSkipPasswordPermission();
+        validateSkipPasswordPermission(datasource);
         populateFacilitynContact();
       })
       .catch(err => {
@@ -324,13 +323,14 @@ angular
       return true;
     };
 
-    const validatePlacesPermission = () => {
+    const validatePlacesPermission = datasource => {
       if (!$scope.editUserModel.place || $scope.editUserModel.place.length <= 1) {
         return true;
       }
 
       const userHasPermission = datasource.v1.hasPermissions(
-        ['can_have_multiple_places'], $scope.editUserModel.roles, $scope.permissions
+        ['can_have_multiple_places'],
+        $scope.editUserModel.roles
       );
 
       if (!userHasPermission) {
@@ -388,16 +388,16 @@ angular
         });
     };
 
-    const validateContactIsInPlace = () => {
+    const validateContactIsInPlace = datasource => {
       const placeIds = $scope.editUserModel.place;
       const contactId = $scope.editUserModel.contact;
       if (!placeIds || !contactId) {
         return $q.resolve(true);
       }
 
-      const getParent = (contactId) => {
-        return getContact(CHT.Qualifier.byUuid(contactId)).then(contact => contact.parent);
-      };
+      const getParent = contactId => datasource.v1.contact
+        .getByUuid(contactId)
+        .then(contact => contact.parent);
 
       const checkParent = (parent, placeIds) => {
         if (!parent) {
@@ -584,41 +584,44 @@ angular
       'password' ? 'text' : 'password';
     };
 
-    // #edit-user-profile is the admin view, which has additional fields.
-    $scope.editUser = () => {
-      $scope.setProcessing();
-      $scope.errors = {};
-      computeFields();
-
+    const runValidations = datasource => {
       const synchronousValidations = validateName() &&
                                      validateRole() &&
                                      validateContactAndFacility() &&
                                      validatePasswordForEditUser() &&
                                      validateEmailAddress() &&
-                                     validatePlacesPermission();
+                                     validatePlacesPermission(datasource);
 
       if (!synchronousValidations) {
         $scope.setError();
         return;
       }
 
-      const asynchronousValidations = $q
+      return $q
         .all([
           validateFacilityHierarchy(),
-          validateContactIsInPlace(),
+          validateContactIsInPlace(datasource),
           validateTokenLogin(),
         ])
-        .then(responses => responses.every(response => response));
-
-      return asynchronousValidations
+        .then(responses => responses.every(Boolean))
         .then(valid => {
           if (!valid) {
             $scope.setError();
             return;
           }
 
           return validateReplicationLimit().then(() => updateUser());
-        })
+        });
+    };
+
+    // #edit-user-profile is the admin view, which has additional fields.
+    $scope.editUser = () => {
+      $scope.setProcessing();
+      $scope.errors = {};
+      computeFields();
+
+      return datasourcePromise
+        .then(runValidations)
         .catch(err => {
           if (err.key) {
             $translate(err.key, err.params).then(value => $scope.setError(err, value, err.severity));

admin/src/js/services/auth.js

@@ -2,15 +2,12 @@ angular.module('inboxServices').factory('Auth',
   function(
     $log,
     DataContext,
-    Session,
-    Settings
+    Session
   ) {
 
     'use strict';
     'ngInject';
 
-    const datasource = DataContext.getDatasource();
-
     /**
      * Receives a list of groups of permissions and returns a promise that will be resolved if the
      * current user's role has all the permissions of any of the provided groups.
@@ -23,21 +20,16 @@ angular.module('inboxServices').factory('Auth',
         return has(permissionsGroupList);
       }
 
-      return Settings()
-        .then(settings => {
-          if (!settings) {
-            $log.debug('AuthService :: CHT-Core settings not configured.');
-            return false;
-          }
-
+      return DataContext
+        .then(dataContext => {
           const userCtx = Session.userCtx();
 
           if (!userCtx) {
             $log.debug('AuthService :: Not logged in.');
             return false;
           }
 
-          return datasource.v1.hasAnyPermission(permissionsGroupList, userCtx.roles, settings.permissions);
+          return dataContext.getDatasource().v1.hasAnyPermission(permissionsGroupList, userCtx.roles);
         })
         .catch(() => false);
     };
@@ -49,21 +41,16 @@ angular.module('inboxServices').factory('Auth',
      * @param permissions {string | string[]}
      */
     const has = (permissions) => {
-      return Settings()
-        .then(settings => {
-          if (!settings) {
-            $log.debug('AuthService :: CHT-Core settings not configured.');
-            return false;
-          }
-
+      return DataContext
+        .then(dataContext => {
           const userCtx = Session.userCtx();
 
           if (!userCtx) {
             $log.debug('AuthService :: Not logged in.');
             return false;
           }
 
-          return datasource.v1.hasPermissions(permissions, userCtx.roles, settings.permissions);
+          return dataContext.getDatasource().v1.hasPermissions(permissions, userCtx.roles);
         })
         .catch(() => false);
     };

admin/src/js/services/data-context.js

@@ -1,15 +1,32 @@
 const cht = require('@medic/cht-datasource');
+const constants = require('@medic/constants');
+const DOC_IDS = constants.DOC_IDS;
 
 angular.module('inboxServices').factory('DataContext', function(
-  Location
+  $log,
+  Changes,
+  Location,
+  Settings
 ) {
   'use strict';
   'ngInject';
 
-  const dataContext = cht.getRemoteDataContext(Location.rootUrl);
-  return Object.assign( // NoSONAR
-    {},
-    dataContext,
-    { getDatasource: () => cht.getDatasource(dataContext) }
-  );
+  return Settings().then(initialSettings => {
+    let latestSettings = initialSettings;
+    Changes({
+      key: 'data-context-settings',
+      filter: change => change.id === DOC_IDS.SETTINGS,
+      callback: () => Settings()
+        .then(settings => latestSettings = settings)
+        .catch(err => $log.error('Failed to refresh settings', err))
+    });
+
+    const settingsService = { getAll: () => latestSettings };
+    const dataContext = cht.getRemoteDataContext(settingsService, Location.rootUrl);
+    return Object.assign( // NoSONAR
+      {},
+      dataContext,
+      { getDatasource: () => cht.getDatasource(dataContext) }
+    );
+  });
 });

admin/src/js/services/search.js

@@ -14,9 +14,9 @@ const Search = require('@medic/search');
 
       'ngInject';
 
-      return function() {
-        return Search(DB(), DataContext);
-      };
+      const searchPromise = DataContext.then(dataContext => Search(DB(), dataContext));
+      const doSearch = (...args) => searchPromise.then(search => search(...args));
+      return () => doSearch;
     });
 
   angular.module('inboxServices').factory('Search',