User security: super user check only for role system

basic-application/basic-application-back/src/main/java/basicapp/back/security/model/BasicApplicationPermissionConstants.java

@@ -39,12 +39,15 @@ public class BasicApplicationPermissionConstants extends CorePermissionConstants
   // Add contants of the form public static final String MY_PERMISSION_NAME = "MY_PERMISSION_NAME";
   // here
 
-  public static final String GLOBAL_ROLE_READ = "GLOBAL_ROLE_READ";
-  public static final String GLOBAL_ROLE_WRITE = "GLOBAL_ROLE_WRITE";
+  public static final String GLOBAL_REFERENCE_DATA_READ = "GLOBAL_REFERENCE_DATA_READ";
+  public static final String GLOBAL_REFERENCE_DATA_WRITE = "GLOBAL_REFERENCE_DATA_WRITE";
+
   public static final String GLOBAL_USER_READ = "GLOBAL_USER_READ";
   public static final String GLOBAL_USER_WRITE = "GLOBAL_USER_WRITE";
+
+  public static final String GLOBAL_ROLE_READ = "GLOBAL_ROLE_READ";
+  public static final String GLOBAL_ROLE_WRITE = "GLOBAL_ROLE_WRITE";
+
   public static final String GLOBAL_ANNOUNCEMENT_READ = "GLOBAL_ANNOUNCEMENT_READ";
   public static final String GLOBAL_ANNOUNCEMENT_WRITE = "GLOBAL_ANNOUNCEMENT_WRITE";
-  public static final String GLOBAL_REFERENCE_DATA_READ = "GLOBAL_REFERENCE_DATA_READ";
-  public static final String GLOBAL_REFERENCE_DATA_WRITE = "GLOBAL_REFERENCE_DATA_WRITE";
 }

basic-application/basic-application-front/src/main/java/basicapp/front/user/template/UserTemplate.java

@@ -1,6 +1,7 @@
 package basicapp.front.user.template;
 
-import basicapp.back.security.model.BasicApplicationPermissionConstants;
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_USER_READ;
+
 import basicapp.front.common.template.MainTemplate;
 import basicapp.front.user.page.BasicUserListPage;
 import org.apache.wicket.markup.html.WebPage;
@@ -9,8 +10,7 @@
 import org.iglooproject.wicket.more.markup.html.template.model.BreadCrumbElement;
 import org.iglooproject.wicket.more.security.authorization.AuthorizeInstantiationIfPermission;
 
-@AuthorizeInstantiationIfPermission(
-    permissions = BasicApplicationPermissionConstants.GLOBAL_USER_READ)
+@AuthorizeInstantiationIfPermission(permissions = GLOBAL_USER_READ)
 public abstract class UserTemplate extends MainTemplate {
 
   private static final long serialVersionUID = 1L;

basic-application/basic-application-front/src/test/java/test/web/AnnouncementPageTestCase.java

@@ -1,5 +1,6 @@
 package test.web;
 
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_ANNOUNCEMENT_READ;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import basicapp.front.announcement.page.AnnouncementListPage;
@@ -14,6 +15,8 @@ class AnnouncementPageTestCase extends AbstractBasicApplicationWebappTestCase {
 
   @Test
   void initPage() throws ServiceException, SecurityServiceException {
+    addPermissions(administrator, GLOBAL_ANNOUNCEMENT_READ);
+
     authenticateUser(administrator);
 
     tester.startPage(AnnouncementListPage.class);

basic-application/basic-application-front/src/test/java/test/web/BasicUserDetailPageTestCase.java

@@ -1,5 +1,7 @@
 package test.web;
 
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_USER_READ;
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_USER_WRITE;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -21,7 +23,10 @@ class BasicUserDetailPageTestCase extends AbstractBasicApplicationWebappTestCase
 
   @Test
   void initPage() throws ServiceException, SecurityServiceException {
+    addPermissions(administrator, GLOBAL_USER_READ);
+
     authenticateUser(administrator);
+
     String url =
         BasicUserDetailPage.MAPPER.ignoreParameter2().map(GenericEntityModel.of(basicUser)).url();
     tester.executeUrl(url);
@@ -31,6 +36,8 @@ void initPage() throws ServiceException, SecurityServiceException {
 
   @Test
   void breadcrumb() throws ServiceException, SecurityServiceException {
+    addPermissions(administrator, GLOBAL_USER_READ);
+
     authenticateUser(administrator);
 
     String url =
@@ -64,6 +71,8 @@ void breadcrumb() throws ServiceException, SecurityServiceException {
 
   @Test
   void desactivateUser() throws ServiceException, SecurityServiceException {
+    addPermissions(administrator, GLOBAL_USER_READ, GLOBAL_USER_WRITE);
+
     authenticateUser(administrator);
 
     String url =

basic-application/basic-application-front/src/test/java/test/web/BasicUserListPageTestCase.java

@@ -1,23 +1,19 @@
 package test.web;
 
-import static org.assertj.core.api.Assertions.assertThat;
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_USER_READ;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import basicapp.back.business.user.model.User;
 import basicapp.back.business.user.search.UserSort;
-import basicapp.front.user.form.UserAjaxDropDownSingleChoice;
 import basicapp.front.user.page.BasicUserDetailPage;
 import basicapp.front.user.page.BasicUserListPage;
 import basicapp.front.user.page.TechnicalUserListPage;
 import igloo.wicket.component.CountLabel;
-import java.util.Objects;
 import org.apache.wicket.util.tester.FormTester;
 import org.iglooproject.jpa.exception.SecurityServiceException;
 import org.iglooproject.jpa.exception.ServiceException;
 import org.iglooproject.wicket.more.markup.repeater.sequence.SequenceGridView;
-import org.iglooproject.wicket.more.markup.repeater.table.DecoratedCoreDataTablePanel;
 import org.iglooproject.wicket.more.markup.repeater.table.column.CoreLabelLinkColumnPanel;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import test.web.config.spring.SpringBootTestBasicApplicationWebapp;
 
@@ -26,6 +22,8 @@ class BasicUserListPageTestCase extends AbstractBasicApplicationWebappTestCase {
 
   @Test
   void initPage() throws ServiceException, SecurityServiceException {
+    addPermissions(administrator, GLOBAL_USER_READ);
+
     authenticateUser(administrator);
 
     tester.startPage(BasicUserListPage.class);
@@ -34,6 +32,8 @@ void initPage() throws ServiceException, SecurityServiceException {
 
   @Test
   void dataTableBuilderCountZero() throws ServiceException, SecurityServiceException {
+    addPermissions(administrator, GLOBAL_USER_READ);
+
     authenticateUser(administrator);
 
     tester.startPage(TechnicalUserListPage.class);
@@ -51,6 +51,8 @@ void dataTableBuilderCountZero() throws ServiceException, SecurityServiceExcepti
 
   @Test
   void dataTableBuilderCountOne() throws ServiceException, SecurityServiceException {
+    addPermissions(administrator, GLOBAL_USER_READ);
+
     authenticateUser(administrator);
 
     tester.startPage(TechnicalUserListPage.class);
@@ -64,6 +66,8 @@ void dataTableBuilderCountOne() throws ServiceException, SecurityServiceExceptio
 
   @Test
   void dataTableBuilderCountMultiple() throws ServiceException, SecurityServiceException {
+    addPermissions(administrator, GLOBAL_USER_READ);
+
     authenticateUser(administrator);
 
     tester.startPage(BasicUserListPage.class);
@@ -75,39 +79,10 @@ void dataTableBuilderCountMultiple() throws ServiceException, SecurityServiceExc
         "results:headingAddInContainer:leftAddInWrapper:leftAddIn:1", "2 utilisateurs");
   }
 
-  @Test
-  @Disabled("n'est plus utile car plus de usergroup, a modifier pour checker le quicksearch ?")
-  public void dataTableBuilderFiltersDropDown() throws ServiceException, SecurityServiceException {
-    authenticateUser(administrator);
-
-    tester.startPage(BasicUserListPage.class);
-    tester.assertRenderedPage(BasicUserListPage.class);
-
-    tester.assertVisible("results", DecoratedCoreDataTablePanel.class);
-    @SuppressWarnings("unchecked")
-    DecoratedCoreDataTablePanel<User, ?> results =
-        (DecoratedCoreDataTablePanel<User, ?>) tester.getComponentFromLastRenderedPage("results");
-    assertThat(results.getItemCount()).isEqualTo(2);
-
-    FormTester form = tester.newFormTester("search:form");
-
-    // TODO voir comment on peut ajouter une valeur dans un AjaxDropDown et la selectionnée
-    UserAjaxDropDownSingleChoice userQuickSearch =
-        (UserAjaxDropDownSingleChoice)
-            form.getForm()
-                .streamChildren()
-                .filter(children -> Objects.equals(children.getId(), "quickAccess"))
-                .findFirst()
-                .orElse(null);
-    form.setValue(userQuickSearch, "basicUser2");
-
-    form.submit();
-
-    assertThat(results.getItemCount()).isEqualTo(1);
-  }
-
   @Test
   void accessToDetail() throws ServiceException, SecurityServiceException {
+    addPermissions(administrator, GLOBAL_USER_READ);
+
     authenticateUser(administrator);
 
     tester.startPage(BasicUserListPage.class);
@@ -136,6 +111,8 @@ void accessToDetail() throws ServiceException, SecurityServiceException {
 
   @Test
   void excelButtonTootilp() throws ServiceException, SecurityServiceException {
+    addPermissions(administrator, GLOBAL_USER_READ);
+
     authenticateUser(administrator);
 
     tester.startPage(BasicUserListPage.class);

basic-application/basic-application-front/src/test/java/test/web/HomePageTestCase.java

@@ -1,5 +1,9 @@
 package test.web;
 
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_ANNOUNCEMENT_READ;
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_REFERENCE_DATA_READ;
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_ROLE_READ;
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_USER_READ;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
 import basicapp.back.security.model.BasicApplicationPermissionConstants;
@@ -77,6 +81,13 @@ void sidebarMenuUserAuthenticated() throws ServiceException, SecurityServiceExce
 
   @Test
   void sidebarMenuUserAdmin() throws ServiceException, SecurityServiceException {
+    addPermissions(
+        administrator,
+        GLOBAL_REFERENCE_DATA_READ,
+        GLOBAL_USER_READ,
+        GLOBAL_ROLE_READ,
+        GLOBAL_ANNOUNCEMENT_READ);
+
     authenticateUser(administrator);
 
     tester.startPage(HomePage.class);

basic-application/basic-application-front/src/test/java/test/web/ReferenceDataPageTestCase.java

@@ -1,5 +1,6 @@
 package test.web;
 
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_REFERENCE_DATA_READ;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import basicapp.front.referencedata.page.ReferenceDataPage;
@@ -14,6 +15,8 @@ class ReferenceDataPageTestCase extends AbstractBasicApplicationWebappTestCase {
 
   @Test
   void initPage() throws ServiceException, SecurityServiceException {
+    addPermissions(administrator, GLOBAL_REFERENCE_DATA_READ);
+
     authenticateUser(administrator);
 
     tester.startPage(ReferenceDataPage.class);

basic-application/basic-application-front/src/test/java/test/web/ValidatorTestCase.java

@@ -1,5 +1,7 @@
 package test.web;
 
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_USER_READ;
+
 import basicapp.front.profile.page.ProfilePage;
 import basicapp.front.user.page.TechnicalUserListPage;
 import org.apache.wicket.Component;
@@ -17,6 +19,8 @@ class ValidatorTestCase extends AbstractBasicApplicationWebappTestCase {
   /** Test the UserPasswordValidator when username = password which shouldn't be allowed */
   @Test
   void technicalUserPasswordValidator() throws ServiceException, SecurityServiceException {
+    addPermissions(administrator, GLOBAL_USER_READ);
+
     authenticateUser(administrator);
 
     tester.startPage(TechnicalUserListPage.class);

igloo/igloo-components/igloo-component-jpa-security/src/main/java/org/iglooproject/jpa/security/service/AbstractCorePermissionEvaluator.java

@@ -108,8 +108,7 @@ protected Collection<Permission> getPermissions(Authentication authentication) {
   @Override
   public boolean isSuperUser(Authentication authentication) {
     if (authentication != null) {
-      return securityService.hasSystemRole(authentication)
-          || securityService.hasAdminRole(authentication);
+      return securityService.hasSystemRole(authentication);
     }
     return false;
   }