-
Notifications
You must be signed in to change notification settings - Fork 73
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat!: country configurable user scopes & roles #7301
base: develop
Are you sure you want to change the base?
Conversation
response: { | ||
failAction: async (req, _2, err: Boom) => { | ||
if (process.env.NODE_ENV === 'production') { | ||
// In prod, log a limited error message and throw the default Bad Request error. | ||
logger.error(`Response validationError: ${err.message}`) | ||
throw badRequest(`Invalid response payload returned from handler`) | ||
} else { | ||
// During development, log and respond with the full error. | ||
logger.error( | ||
`${req.path} response has a validation error: ${err.message}` | ||
) | ||
throw err | ||
} | ||
} | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
#7295
Also good to amend for workflow
status: 'active', | ||
scope: ['admin'], | ||
role: 'NATIONAL_SYSTEM_ADMIN', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
user-mgnt
doesn't return scopes anymore as it doesn't know what scopes are. Scopes are now controlled by CC's /roles
endpoint in combination with the auth service which creates JWT tokens.
@@ -36,9 +38,16 @@ export default async function authenticateSuperUserHandler( | |||
throw unauthorized() | |||
} | |||
|
|||
if (result.status === 'deactivated') { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is just to improve error messaging when you try to seed again after seeding once
@@ -1257,3 +1257,37 @@ export interface ICertificate { | |||
payments?: Payment[] | |||
data?: string | |||
} | |||
|
|||
export function modifyFormField( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Improvement: Related to a small refactor I made here while debugging something
(process.env.NODE_ENV === 'development' || QA_ENV) && | ||
!userScopes.includes('demo') | ||
) { | ||
userScopes.push('demo') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good thing to notice is that the addition of the demo
scope (used to control 2FA of users, email/sms notifications) is now made the responsibility of CC.
@@ -111,14 +100,6 @@ export const createFhirPractitionerRole = async ( | |||
code: user.systemRole | |||
} | |||
] | |||
}, | |||
{ | |||
coding: [ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wasn't able to immediately find if these are used or if they are used at all. I decided to remove these as end user friendly text labels shouldn't be stored in the database but we should use role ids and message objects instead
@@ -7,7 +7,7 @@ | |||
"scripts": { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Auth service
The auth service's new responsibility is to, as part of authentication, connect scopes coming from CC to user's role
field. This is done every time a user needs a JWT token
packages/client/package.json
Outdated
@@ -12,7 +12,7 @@ | |||
"build": "VITE_APP_VERSION=$VERSION NODE_OPTIONS=--max_old_space_size=8000 vite build", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Client
The most significant change is that the data model for user.role looks now a little different. Instead of a labels
array with a single entity label for each supported language, the client now only receives a singular label
, the is a message descriptor object. This object needs to be passed through react-intl
to get the end-user friendly string.
@@ -127,39 +127,3 @@ describe('when user has a valid token in local storage', () => { | |||
expect(loadLocations).toHaveBeenCalled() | |||
}) | |||
}) | |||
|
|||
describe('it handles react errors', () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Improvement: I changed the error boundaries so that when running unit tests, errors won't get swallowed but instead are console.logged and thrown as you would expect in a test run
@@ -47,6 +47,10 @@ const StyledErrorBoundaryComponent = ({ intl, children }: IFullProps) => { | |||
const [authError, setAuthError] = useState(false) | |||
|
|||
const onError = (error: Error) => { | |||
if (import.meta.env.MODE === 'test') { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Improvement: part of https://github.com/opencrvs/opencrvs-core/pull/7301/files#r1667055909
@@ -11,35 +11,25 @@ | |||
import { gql } from '@apollo/client' | |||
import { client } from '@client/utils/apolloClient' | |||
|
|||
export const getSystemRolesQuery = gql` | |||
query getSystemRoles($value: ComparisonInput) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure why we had these filtering and search parameters here in the first place
vi.mock('@client/utils/authApi', () => ({ | ||
invalidateToken: () => Promise.resolve() | ||
})) | ||
vi.mock('@client/pdfRenderer', () => ({ | ||
printPDF: () => Promise.resolve() | ||
})) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Zangetsu101 as per my testing these weren't working previously but now are 😮
@@ -65,21 +65,15 @@ const initialState: IUserFormState = { | |||
userDetailsStored: false, | |||
submitting: false, | |||
loadingRoles: false, | |||
userRoles: [], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This could also be a React hook.. We just need a good template example of how to write offline-capable data fetch hooks 🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we need to know the user roles? Can't we get the scopes from the JWT token?
Writing offline-capable fetch hooks should be possible via gateway using Apollo & fetchPolicy 'cache-first' or 'cache-and-network'
@@ -90,7 +91,9 @@ export default defineConfig(({ mode }) => { | |||
}, | |||
resolve: { | |||
alias: { | |||
crypto: 'crypto-js' | |||
crypto: 'crypto-js', | |||
'@opencrvs/commons/build/dist/authentication': |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, couldn't get both the TS compiler and vitest to agree with each other without this
} | ||
} | ||
|
||
export async function fetchJSON<ResponseType = any>( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Our new shared HTTP client
ocrvs-7421: misc bugs
feat: separate query for sent for review tab
* fix: use correct scopes for request, approve, reject and make correction in root-resolver * fix: show `sentForApproval` tab for `RECORD_REGISTRATION_REQUEST_CORRECTION` scope * fix: unit test: update scope for req correction
* fix: allow fetchRegistration for actionable scopes * fix: only self assigned & unassign scope can unassign * fix: require assignment for print & issue actions * test: assignment test for certify & issue * fix: add missing actionable scopes
* fix: add missing scopes for outbox * fix: remove declare scopes from update action * fix: allow update scope to change role * test: update navigation tab scopes
This reverts commit 935d5de.
* fix: amend active tab id of advance search * fix: hide advance searching based on scopes * fix: remove marriage scope from advance search component permission scope * chore: refactor advance search section to receive param * chore: refactor advance search section creator with user office id * chore: add filter location function * fix: add comment for additional props * fix: refactor variable name * fix: amend accordion state function with office id * fix: update advance search test with user details
62f205e
to
07d655d
Compare
07d655d
to
5ae2637
Compare
* fix: update unassign conditional query * fix: update wq record assignment value while assign and unassign based on hearth bundle * Revert "fix: update wq record assignment value while assign and unassign based on hearth bundle" This reverts commit b6a4aa7. * fix: add assignment property in declaration
* fix: update new sys admin scope in events middleware * fix: update scopes in events package
…tion (#8332) * fix: save additional practitioner role entry in bundle during view action * fix: amend officeHome on page change handler * fix: update commons import in client
* fix: add practitioner role entry in download bundle * fix: update search result declaration's assignment status * fix: refactor creation of practitioner role entry * fix: amend assignment property of download button component * fix: amend assignment logic for record audit
* fix: update searched record assignment to be read from redux in audit * fix: update assignment reading in resolver from full bundle * fix: remove assignment check in issuing event query
Ticket: #6455
Farajaland: opencrvs/opencrvs-farajaland#1042
The design for change is quite disruptive and non-backwards compatible. I started exploring this from a more incremental direction but eventually decided it's better to do a larger permission overhaul now so we can then just focus on specifying more scopes as per country needs.
Changes
systemRole
is now deprecated. Only the simple role of the user is being used, and matched against the default role configuration, or country config roles. The auth-microservice now provides the scopes.usePermissions
hook.Scope
andscopes
.To-do
systemRole
completely. Identify where these roles are still referred at and create as narrowed down scopes as possible using @jpye-finch 's permissions table as a guideFrontend
@TODO
comments and see JPF's answers in this PR.Navigation.tsx
, create auseNavigation
-hook. Have the useNavigation hook return a list of the navigation items, that the Navigation.tsx then renders. Also, have the useNavigation return ahomePage
which is the first item of the array. Then use this inHome.tsx
andHistoryNavigator.tsx
to remove theuseHomePage
-hook.<ProtectedRoute roles={[
. This should becomescopes=[
. Design: Could we define the routes so, thatuseNavigation
could also use thescopes
configuration to figure out what navigation items the users have?systemRole
. The sanity of some can be considered, if the test is not meaningful anymore; feel free to delete it or write a new one that is more connected to the current application logic.Backend
packages/gateway/src/features/registration/utils.ts:57
the English role label was stored in the certificate collector details, not the role id. How does changing this touserDetails.role
affect things? Is a migration needed?Design: Consider howScopes: Add search scopes to control what records a user can search for #6909searchEvents
would now work, when different user roles fetch all of the workqueues. Return an empty array of records if you don't have access?Locations
Tests & maintenance
default-employees.csv
. Go through that the navigation items look the same, comparing to QA or farajaland-dev.Unrelated technical requirements identified