fix(rolescoping): fix user-r-id roleScoping

restorecommerce · Apr 30, 2024 · d52d962 · d52d962
1 parent ec7194c
commit d52d962
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 46 deletions.
diff --git a/datasets/demo-shop/data/seed-data/users.yaml b/datasets/demo-shop/data/seed-data/users.yaml
@@ -282,6 +282,14 @@
           attributes:
             - id: urn:restorecommerce:acs:names:roleScopingInstance
               value: system
+    - id: restorecommerce-demo-customer-000-moderator-000-user-r-id
+      role: user-r-id
+      attributes:
+        - id: urn:restorecommerce:acs:names:roleScopingEntity
+          value: urn:restorecommerce:acs:model:user.User
+          attributes:
+            - id: urn:restorecommerce:acs:names:roleScopingInstance
+              value: restorecommerce-demo-customer-000-moderator-000
   localeId: de-de
   timezoneId: europe-berlin
   meta:
@@ -343,22 +351,22 @@
           attributes:
             - id: urn:restorecommerce:acs:names:roleScopingInstance
               value: restorecommerce-demo-shops-organization
-    - id: restorecommerce-demo-customer-001-organization-user-r-id
-      role: user-r-id
+    - id: system-scope-r-id
+      role: scoped-r-id
       attributes:
         - id: urn:restorecommerce:acs:names:roleScopingEntity
           value: urn:restorecommerce:acs:model:organization.Organization
           attributes:
             - id: urn:restorecommerce:acs:names:roleScopingInstance
-              value: restorecommerce-demo-customer-001-organization
-    - id: system-scope-r-id
-      role: scoped-r-id
+              value: system
+    - id: restorecommerce-demo-customer-001-moderator-000-user-r-id
+      role: user-r-id
       attributes:
         - id: urn:restorecommerce:acs:names:roleScopingEntity
-          value: urn:restorecommerce:acs:model:organization.Organization
+          value: urn:restorecommerce:acs:model:user.User
           attributes:
             - id: urn:restorecommerce:acs:names:roleScopingInstance
-              value: system
+              value: restorecommerce-demo-customer-001-moderator-000
   localeId: de-de
   timezoneId: europe-berlin
   meta:
@@ -420,22 +428,22 @@
           attributes:
             - id: urn:restorecommerce:acs:names:roleScopingInstance
               value: restorecommerce-demo-shops-organization
-    - id: restorecommerce-demo-customer-000-organization-user-r-id
-      role: user-r-id
+    - id: system-scope-r-id
+      role: scoped-r-id
       attributes:
         - id: urn:restorecommerce:acs:names:roleScopingEntity
           value: urn:restorecommerce:acs:model:organization.Organization
           attributes:
             - id: urn:restorecommerce:acs:names:roleScopingInstance
-              value: restorecommerce-demo-customer-000-organization
-    - id: system-scope-r-id
-      role: scoped-r-id
+              value: system
+    - id: restorecommerce-demo-customer-000-member-000-user-r-id
+      role: user-r-id
       attributes:
         - id: urn:restorecommerce:acs:names:roleScopingEntity
-          value: urn:restorecommerce:acs:model:organization.Organization
+          value: urn:restorecommerce:acs:model:user.User
           attributes:
             - id: urn:restorecommerce:acs:names:roleScopingInstance
-              value: system
+              value: restorecommerce-demo-customer-000-member-000
   localeId: de-de
   timezoneId: europe-berlin
   meta:
@@ -497,22 +505,22 @@
           attributes:
             - id: urn:restorecommerce:acs:names:roleScopingInstance
               value: restorecommerce-demo-shops-organization
-    - id: restorecommerce-demo-customer-001-organization-user-r-id
-      role: user-r-id
+    - id: system-scope-r-id
+      role: scoped-r-id
       attributes:
         - id: urn:restorecommerce:acs:names:roleScopingEntity
           value: urn:restorecommerce:acs:model:organization.Organization
           attributes:
             - id: urn:restorecommerce:acs:names:roleScopingInstance
-              value: restorecommerce-demo-customer-001-organization
-    - id: system-scope-r-id
-      role: scoped-r-id
+              value: system
+    - id: restorecommerce-demo-customer-001-member-000-user-r-id
+      role: user-r-id
       attributes:
         - id: urn:restorecommerce:acs:names:roleScopingEntity
-          value: urn:restorecommerce:acs:model:organization.Organization
+          value: urn:restorecommerce:acs:model:user.User
           attributes:
             - id: urn:restorecommerce:acs:names:roleScopingInstance
-              value: system
+              value: restorecommerce-demo-customer-001-member-000
   localeId: de-de
   timezoneId: europe-berlin
   meta:
@@ -566,22 +574,22 @@
           attributes:
             - id: urn:restorecommerce:acs:names:roleScopingInstance
               value: restorecommerce-demo-shops-organization
-    - id: restorecommerce-demo-customers-organization-user-r-id
-      role: user-r-id
+    - id: system-scope-r-id
+      role: scoped-r-id
       attributes:
         - id: urn:restorecommerce:acs:names:roleScopingEntity
           value: urn:restorecommerce:acs:model:organization.Organization
           attributes:
             - id: urn:restorecommerce:acs:names:roleScopingInstance
-              value: restorecommerce-demo-customers-organization
-    - id: system-scope-r-id
-      role: scoped-r-id
+              value: system
+    - id: restorecommerce-demo-customer-002-user-000-user-r-id
+      role: user-r-id
       attributes:
         - id: urn:restorecommerce:acs:names:roleScopingEntity
-          value: urn:restorecommerce:acs:model:organization.Organization
+          value: urn:restorecommerce:acs:model:user.User
           attributes:
             - id: urn:restorecommerce:acs:names:roleScopingInstance
-              value: system
+              value: restorecommerce-demo-customer-002-user-000
   localeId: de-de
   timezoneId: europe-berlin
   meta:

diff --git a/datasets/demo-shop/generator/catalog/transform.js b/datasets/demo-shop/generator/catalog/transform.js
@@ -181,10 +181,10 @@ function parseInputLine(csvLine) {
 
       products[productHash] = {
         id: productHash,
+        shopId: SHOP_IDS[0],
         product: {
           name: productEntry,
           description: 'Dummy description for product ' + productEntry,
-          shopId: SHOP_IDS[0],
           manufacturerId: brandHash,
           taricCode: uuid.v4(), // no data available
           physical: {

diff --git a/datasets/system/data/seed-data/policies.yaml b/datasets/system/data/seed-data/policies.yaml
@@ -381,12 +381,8 @@
   rules:
     - superadministrator-permits-all
     - administrator-permits-all-hr-scoped
-    - sales-requires-order-state-submitted
-    - sales-requires-order-state-withdrawn
-    - sales-requires-order-state-canceled
-    - moderator-requires-order-state-submitted
-    - moderator-requires-order-state-withdrawn
-    - moderator-requires-order-state-canceled
+    - sales-permits-all-hr-scoped
+    - moderator-permits-all-hr-scoped
     - user-permits-read-owned
     - fallback-deny-all
   meta:
@@ -520,11 +516,14 @@
   rules:
     - superadministrator-permits-all
     - administrator-permits-all-hr-scoped
+    - sales-permits-all-hr-scoped
     - moderator-permits-create-hr-scoped
     - moderator-permits-update-hr-scoped
     - moderator-permits-read-hr-scoped
     - member-permits-read-hr-scoped
     - customer-permits-read-hr-scoped
+    - user-permits-all-owned
+    - permit-read-strict-scoped
     - fallback-deny-all
   meta:
     modifiedBy: ""

diff --git a/datasets/system/data/seed-data/rules.yaml b/datasets/system/data/seed-data/rules.yaml
@@ -400,8 +400,6 @@
         value: user-r-id
       - id: urn:restorecommerce:acs:names:roleScopingEntity
         value: urn:restorecommerce:acs:model:user.User
-      - id: urn:restorecommerce:acs:names:hierarchicalRoleScoping
-        value: "false"
     actions:
       - id: urn:oasis:names:tc:xacml:1.0:action:action-id
         value: urn:restorecommerce:acs:names:action:read
@@ -556,7 +554,7 @@
   effect: PERMIT
   condition:
     "
-    context?.resources?.some(
+    context?.resources?.every(
       resource => (
         resource.order_state?.toString() === 'SUBMITTED'
       )
@@ -586,7 +584,7 @@
   effect: PERMIT
   condition:
     "
-    context?.resources?.some(
+    context?.resources?.every(
       resource => (
         resource.order_state?.toString() === 'WITHDRAWN'
       )
@@ -616,7 +614,7 @@
   effect: PERMIT
   condition:
     "
-    context?.resources?.some(
+    context?.resources?.every(
       resource => (
         resource.order_state?.toString() === 'CANCELED'
       )
@@ -646,7 +644,7 @@
   effect: PERMIT
   condition:
     "
-    context?.resources?.some(
+    context?.resources?.every(
       resource => (
         resource.order_state?.toString() === 'SUBMITTED'
       )
@@ -676,7 +674,7 @@
   effect: PERMIT
   condition:
     "
-    context?.resources?.some(
+    context?.resources?.every(
       resource => (
         resource.order_state?.toString() === 'WITHDRAWN'
       )
@@ -706,7 +704,7 @@
   effect: PERMIT
   condition:
     "
-    context?.resources?.some(
+    context?.resources?.every(
       resource => (
         resource.order_state?.toString() === 'CANCELED'
       )
@@ -736,7 +734,7 @@
   effect: PERMIT
   condition:
     "
-    context?.resources?.some(
+    context?.resources?.every(
       resource => (
         !resource.order_state
         || resource.order_state?.toString() === 'PENDING'
@@ -767,7 +765,7 @@
   effect: PERMIT
   condition:
     "
-    context?.resources?.some(
+    context?.resources?.every(
       resource => (
         !resource.order_state
         || resource.order_state?.toString() === 'PENDING'
@@ -798,7 +796,7 @@
   effect: PERMIT
   condition:
     "
-    context?.resources?.some(
+    context?.resources?.every(
       resource => (
         resource.order_state?.toString() === 'SUBMITTED'
       )