Skip assignment approvals on focus deletion

When a focus is going to be deleted, assignment-level approvals are simply skipped. There's no point in approving these changes, as it is not clear what should be done in the case of their rejection. In the need of focus deletion approvals, please use appropriate policy constraints (referring to object deletion). Resolves MID-7912.
Evolveum · Apr 26, 2022 · 43e0eb5 · 43e0eb5
1 parent 1b7e651
commit 43e0eb5
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 1 deletion.
diff --git a/...a/com/evolveum/midpoint/wf/impl/processors/primary/policy/AssignmentPolicyAspectPart.java b/...a/com/evolveum/midpoint/wf/impl/processors/primary/policy/AssignmentPolicyAspectPart.java
@@ -164,6 +164,11 @@ private PcpStartInstruction createInstructionFromAssignment(
             }
         }
 
+        if (ctx.modelContext.getFocusContext().isDelete()) {
+            LOGGER.debug("Focus is going to be deleted. There's no point in approving any assignment changes.");
+            return null;
+        }
+
         // Let's construct the approval schema plus supporting triggered approval policy rule information
         // Here we also treat default "rules" when no policy rules match.
         ApprovalSchemaBuilder.Result approvalSchemaResult = createSchemaWithRules(triggeredApprovalActionRules,

diff --git a/model/workflow-impl/src/test/java/com/evolveum/midpoint/wf/impl/other/TestMiscellaneous.java b/model/workflow-impl/src/test/java/com/evolveum/midpoint/wf/impl/other/TestMiscellaneous.java
@@ -75,6 +75,9 @@ public class TestMiscellaneous extends AbstractWfTestPolicy {
     private static final TestResource<RoleType> ROLE_TEST370 = new TestResource<>(TEST_RESOURCE_DIR, "role-test370.xml", "2c226eba-7279-4768-a34a-38392e3fcb19");
     private static final TestResource<UserType> USER_TEST370 = new TestResource<>(TEST_RESOURCE_DIR, "user-test370.xml", "a981ea50-d069-431d-86dc-f4c7dbbc4723");
 
+    private static final TestResource<RoleType> ROLE_TEST380 = new TestResource<>(TEST_RESOURCE_DIR, "role-test380.xml", "8f39e4ad-298a-4d9a-b793-56ad2f0fc7ce");
+    private static final TestResource<UserType> USER_TEST380 = new TestResource<>(TEST_RESOURCE_DIR, "user-test380.xml", "1994a4d0-4151-4260-82da-bcd1866c296a");
+
     @Override
     protected PrismObject<UserType> getDefaultActor() {
         return userAdministrator;
@@ -617,7 +620,7 @@ public void test360ApproveAsAttorneyGizmoduck() throws Exception {
      * This used to fail with an NPE - see MID-7908.
      */
     @Test
-    public void test370UnassignRoleWithMessage() throws Exception {
+    public void test370DeleteUserWithMessage() throws Exception {
         Task task = getTestTask();
         OperationResult result = task.getResult();
         login(userAdministrator);
@@ -634,6 +637,29 @@ public void test370UnassignRoleWithMessage() throws Exception {
         assertNoObject(UserType.class, USER_TEST370.oid);
     }
 
+    /**
+     * Deletes a user that has an assignment-related constraint with the approval action.
+     *
+     * MID-7912
+     */
+    @Test
+    public void test380DeleteUserWithApproval() throws Exception {
+        Task task = getTestTask();
+        OperationResult result = task.getResult();
+        login(userAdministrator);
+
+        given("user and role are created (in raw mode)");
+        repoAdd(ROLE_TEST380, result);
+        repoAdd(USER_TEST380, result);
+
+        when("user is deleted");
+        deleteObject(UserType.class, USER_TEST380.oid, task, result);
+
+        then("user is gone");
+        assertSuccess(result);
+        assertNoObject(UserType.class, USER_TEST380.oid);
+    }
+
     /**
      * Cleans up closed cases.
      *

diff --git a/model/workflow-impl/src/test/resources/miscellaneous/role-test380.xml b/model/workflow-impl/src/test/resources/miscellaneous/role-test380.xml
@@ -0,0 +1,25 @@
+<!--
+  ~ Copyright (c) 2022 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
+<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+    oid="8f39e4ad-298a-4d9a-b793-56ad2f0fc7ce">
+    <name>test380</name>
+    <assignment>
+        <policyRule>
+            <policyConstraints>
+                <assignment>
+                    <operation>delete</operation>
+                </assignment>
+            </policyConstraints>
+            <policyActions>
+                <approval>
+                    <approverRef oid="00000000-0000-0000-0000-000000000002" type="UserType"/>
+                </approval>
+            </policyActions>
+        </policyRule>
+    </assignment>
+</role>
diff --git a/model/workflow-impl/src/test/resources/miscellaneous/user-test380.xml b/model/workflow-impl/src/test/resources/miscellaneous/user-test380.xml
@@ -0,0 +1,14 @@
+<!--
+  ~ Copyright (c) 2022 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+
+<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+    oid="1994a4d0-4151-4260-82da-bcd1866c296a">
+    <name>test380</name>
+    <assignment>
+        <targetRef oid="8f39e4ad-298a-4d9a-b793-56ad2f0fc7ce" type="RoleType"/>
+    </assignment>
+</user>