fix(engine): respect user when deleting auth for group memberships (c…

…amunda#3565) related to camunda#3564
vivekchand · Jul 12, 2023 · 32b97f7 · 32b97f7
1 parent 204b409
commit 32b97f7
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 1 deletion.
diff --git a/engine/src/main/java/org/camunda/bpm/engine/impl/identity/db/DbIdentityServiceProvider.java b/engine/src/main/java/org/camunda/bpm/engine/impl/identity/db/DbIdentityServiceProvider.java
@@ -299,7 +299,7 @@ public IdentityOperationResult createMembership(String userId, String groupId) {
   public IdentityOperationResult deleteMembership(String userId, String groupId) {
     checkAuthorization(Permissions.DELETE, Resources.GROUP_MEMBERSHIP, groupId);
     if (existsMembership(userId, groupId)) {
-      deleteAuthorizations(Resources.GROUP_MEMBERSHIP, groupId);
+      deleteAuthorizationsForUser(Resources.GROUP_MEMBERSHIP, groupId, userId);
 
       Map<String, Object> parameters = new HashMap<>();
       parameters.put("userId", userId);

diff --git a/...test/java/org/camunda/bpm/engine/test/api/identity/IdentityServiceAuthorizationsTest.java b/...test/java/org/camunda/bpm/engine/test/api/identity/IdentityServiceAuthorizationsTest.java
@@ -51,6 +51,8 @@
 import org.camunda.bpm.engine.authorization.Authorization;
 import org.camunda.bpm.engine.authorization.Groups;
 import org.camunda.bpm.engine.authorization.MissingAuthorization;
+import org.camunda.bpm.engine.authorization.Permissions;
+import org.camunda.bpm.engine.authorization.Resources;
 import org.camunda.bpm.engine.identity.Group;
 import org.camunda.bpm.engine.identity.Tenant;
 import org.camunda.bpm.engine.identity.TenantQuery;
@@ -659,6 +661,69 @@ public void testMembershipDeleteAuthorizations() {
     }
   }
 
+  @Test
+  public void shouldKeepAuthorizationsForAnyUser() {
+    // given
+    Group myGroup = identityService.newGroup("myGroup");
+    identityService.saveGroup(myGroup);
+
+    User myUser = identityService.newUser("myUser");
+    identityService.saveUser(myUser);
+
+    identityService.createMembership(myUser.getId(), myGroup.getId());
+
+    createAuthorization(AUTH_TYPE_GLOBAL, GROUP, myGroup.getId(), "*", ALL);
+    createAuthorization(AUTH_TYPE_GLOBAL, GROUP_MEMBERSHIP, myGroup.getId(), "*", ALL);
+    createAuthorization(AUTH_TYPE_GLOBAL, USER, myUser.getId(), "*", ALL);
+
+    processEngineConfiguration.setAuthorizationEnabled(true);
+    identityService.setAuthenticatedUserId(myUser.getId());
+
+    // when
+    identityService.deleteMembership(myUser.getId(), myGroup.getId());
+
+    // then
+    processEngineConfiguration.setAuthorizationEnabled(false);
+    List<Authorization> list = authorizationService.createAuthorizationQuery().list();
+    assertThat(list).extracting("resource", "resourceId", "userId", "permissions")
+        .containsExactlyInAnyOrder(tuple(GROUP.resourceType(), myGroup.getId(), "*", ALL.getValue()),
+            tuple(GROUP_MEMBERSHIP.resourceType(), myGroup.getId(), "*", ALL.getValue()),
+            tuple(USER.resourceType(), myUser.getId(), "*", ALL.getValue()));
+  }
+
+  @Test
+  public void shouldRemoveAuthorizationForUserAndKeepAuthorizationsForAnyUser() {
+    // given
+    Group myGroup = identityService.newGroup("myGroup");
+    identityService.saveGroup(myGroup);
+
+    User myUser = identityService.newUser("myUser");
+    identityService.saveUser(myUser);
+
+    identityService.createMembership(myUser.getId(), myGroup.getId());
+
+    createAuthorization(AUTH_TYPE_GLOBAL, GROUP, myGroup.getId(), "*", ALL);
+    createAuthorization(AUTH_TYPE_GLOBAL, GROUP_MEMBERSHIP, myGroup.getId(), "*", ALL);
+    createAuthorization(AUTH_TYPE_GRANT, GROUP_MEMBERSHIP, myGroup.getId(), myUser.getId(), ALL);
+    createAuthorization(AUTH_TYPE_GRANT, GROUP_MEMBERSHIP, myGroup.getId(), "foo", ALL);
+    createAuthorization(AUTH_TYPE_GLOBAL, USER, myUser.getId(), "*", ALL);
+
+    processEngineConfiguration.setAuthorizationEnabled(true);
+    identityService.setAuthenticatedUserId(myUser.getId());
+
+    // when
+    identityService.deleteMembership(myUser.getId(), myGroup.getId());
+
+    // then
+    processEngineConfiguration.setAuthorizationEnabled(false);
+    List<Authorization> list = authorizationService.createAuthorizationQuery().list();
+    assertThat(list).extracting("resource", "resourceId", "userId", "permissions")
+        .containsExactlyInAnyOrder(tuple(GROUP.resourceType(), myGroup.getId(), "*", ALL.getValue()),
+            tuple(GROUP_MEMBERSHIP.resourceType(), myGroup.getId(), "*", ALL.getValue()),
+            tuple(GROUP_MEMBERSHIP.resourceType(), myGroup.getId(), "foo", ALL.getValue()),
+            tuple(USER.resourceType(), myUser.getId(), "*", ALL.getValue()));
+  }
+
   @Test
   public void testTenantUserMembershipCreateAuthorizations() {
 
@@ -1329,4 +1394,17 @@ protected void cleanupAfterTest() {
     }
   }
 
+  protected void createAuthorization(int authType,
+                                     Resources resource,
+                                     String resourceId,
+                                     String userId,
+                                     Permissions permission) {
+    Authorization authorization = authorizationService.createNewAuthorization(authType);
+    authorization.setResource(resource);
+    authorization.setResourceId(resourceId);
+    authorization.addPermission(permission);
+    authorization.setUserId(userId);
+    authorizationService.saveAuthorization(authorization);
+  }
+
 }