fix for MID-3921 #18 (authorizations for org members menu items)

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/roles/RoleGovernanceRelationsPanel.java

@@ -7,7 +7,6 @@
 import com.evolveum.midpoint.prism.PrismReferenceValue;
 import com.evolveum.midpoint.prism.query.ObjectQuery;
 import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
-import com.evolveum.midpoint.prism.query.builder.S_AtomicFilterExit;
 import com.evolveum.midpoint.schema.GetOperationOptions;
 import com.evolveum.midpoint.schema.SelectorOptions;
 import com.evolveum.midpoint.schema.result.OperationResult;
@@ -18,7 +17,6 @@
 import com.evolveum.midpoint.web.component.util.SelectableBean;
 import com.evolveum.midpoint.web.page.admin.configuration.component.HeaderMenuAction;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
-import org.apache.commons.lang.StringUtils;
 import org.apache.wicket.ajax.AjaxRequestTarget;
 import org.apache.wicket.extensions.markup.html.repeater.data.grid.ICellPopulator;
 import org.apache.wicket.extensions.markup.html.repeater.data.table.IColumn;
@@ -56,7 +54,7 @@ public RoleGovernanceRelationsPanel(String id, IModel<RoleType> model, List<Rela
     }
 
     @Override
-    protected List<InlineMenuItem> createNewMemberInlineMenuItems() {
+    protected List<InlineMenuItem> newMemberInlineMenuItems() {
         List<InlineMenuItem> newMemberMenuItems = new ArrayList<>();
         newMemberMenuItems.add(new InlineMenuItem(createStringResource("roleMemberPanel.menu.createApprover"),
                 false, new HeaderMenuAction(this) {
@@ -120,8 +118,8 @@ public void onClick(AjaxRequestTarget target) {
     }
 
     @Override
-    protected List<InlineMenuItem> createRemoveMemberInlineMenuItems() {
-        return super.createRemoveMemberInlineMenuItems();
+    protected List<InlineMenuItem> createUnassignMemberInlineMenuItems() {
+        return super.createUnassignMemberInlineMenuItems();
     }
 
     @Override

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/roles/RoleMemberPanel.java

@@ -15,12 +15,10 @@
  */
 package com.evolveum.midpoint.web.page.admin.roles;
 
-import com.evolveum.midpoint.common.SystemConfigurationHolder;
 import com.evolveum.midpoint.gui.api.component.MainObjectListPanel;
 import com.evolveum.midpoint.gui.api.page.PageBase;
 import com.evolveum.midpoint.gui.api.util.WebComponentUtil;
 import com.evolveum.midpoint.gui.api.util.WebModelServiceUtils;
-import com.evolveum.midpoint.prism.PrismConstants;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.PrismReferenceValue;
@@ -30,7 +28,6 @@
 import com.evolveum.midpoint.prism.query.TypeFilter;
 import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
 import com.evolveum.midpoint.prism.query.builder.S_AtomicFilterExit;
-import com.evolveum.midpoint.prism.query.builder.S_FilterEntryOrEmpty;
 import com.evolveum.midpoint.schema.constants.ObjectTypes;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
@@ -55,7 +52,6 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
 import org.apache.wicket.ajax.AjaxRequestTarget;
 import org.apache.wicket.ajax.form.OnChangeAjaxBehavior;
-import org.apache.wicket.markup.html.WebMarkupContainer;
 import org.apache.wicket.markup.html.form.DropDownChoice;
 import org.apache.wicket.markup.html.form.Form;
 import org.apache.wicket.markup.html.form.IChoiceRenderer;
@@ -367,13 +363,13 @@ private ObjectQuery createDirectMemberQuery() {
 	}
 
 	@Override
-	protected List<InlineMenuItem> createNewMemberInlineMenuItems() {
+	protected List<InlineMenuItem> newMemberInlineMenuItems() {
 		return super.createNewMemberInlineMenuItems();
 	}
 
 	@Override
-	protected List<InlineMenuItem> createRemoveMemberInlineMenuItems() {
-		return super.createRemoveMemberInlineMenuItems();
+	protected List<InlineMenuItem> createUnassignMemberInlineMenuItems() {
+		return super.createUnassignMemberInlineMenuItems();
 	}
 
 	@Override

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/users/component/AbstractRoleMemberPanel.java

@@ -190,15 +190,22 @@ protected ObjectQuery createContentQuery() {
 
 	protected List<InlineMenuItem> createMembersHeaderInlineMenu() {
 		List<InlineMenuItem> headerMenuItems = new ArrayList<>();
-		headerMenuItems.addAll(createNewMemberInlineMenuItems());
+		headerMenuItems.addAll(newMemberInlineMenuItems());
 
 		headerMenuItems.add(new InlineMenuItem());
-        headerMenuItems.addAll(createRemoveMemberInlineMenuItems());
+        headerMenuItems.addAll(createUnassignMemberInlineMenuItems());
         headerMenuItems.addAll(createMemberRecomputeInlineMenuItems());
 
 		return headerMenuItems;
 	}
 
+	protected List<InlineMenuItem> newMemberInlineMenuItems() {
+		List<InlineMenuItem> newMemberMenuItems = new ArrayList<>();
+		newMemberMenuItems.addAll(createNewMemberInlineMenuItems());
+		newMemberMenuItems.addAll(assignNewMemberInlineMenuItems());
+		return newMemberMenuItems;
+	}
+
 	protected List<InlineMenuItem> createNewMemberInlineMenuItems() {
 		List<InlineMenuItem> newMemberMenuItems = new ArrayList<>();
 		newMemberMenuItems.add(new InlineMenuItem(createStringResource("TreeTablePanel.menu.createMember"),
@@ -210,7 +217,11 @@ public void onClick(AjaxRequestTarget target) {
 				createFocusMemberPerformed(null, target);
 			}
 		}));
+		return newMemberMenuItems;
+	}
 
+	protected List<InlineMenuItem> assignNewMemberInlineMenuItems() {
+		List<InlineMenuItem> newMemberMenuItems = new ArrayList<>();
 		newMemberMenuItems.add(new InlineMenuItem(createStringResource("TreeTablePanel.menu.addMembers"), false,
 				new HeaderMenuAction(this) {
 					private static final long serialVersionUID = 1L;
@@ -262,7 +273,7 @@ public void onClick(AjaxRequestTarget target) {
         return recomputeMenuItems;
 	}
 
-	protected List<InlineMenuItem> createRemoveMemberInlineMenuItems() {
+	protected List<InlineMenuItem> createUnassignMemberInlineMenuItems() {
 		List<InlineMenuItem> removeMenuItems = new ArrayList<>();
         removeMenuItems
                 .add(new InlineMenuItem(createStringResource("TreeTablePanel.menu.unassignMembersSelected"),

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/users/component/OrgMemberPanel.java

@@ -26,7 +26,6 @@
 import javax.xml.namespace.QName;
 
 import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
-import com.evolveum.midpoint.prism.query.builder.S_AtomicFilterEntry;
 import com.evolveum.midpoint.prism.query.builder.S_FilterEntryOrEmpty;
 import com.evolveum.midpoint.security.api.AuthorizationConstants;
 import com.evolveum.midpoint.web.component.util.VisibleEnableBehaviour;
@@ -51,14 +50,8 @@
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.PrismReferenceValue;
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
-import com.evolveum.midpoint.prism.path.ItemPath;
-import com.evolveum.midpoint.prism.query.AndFilter;
 import com.evolveum.midpoint.prism.query.InOidFilter;
-import com.evolveum.midpoint.prism.query.ObjectFilter;
 import com.evolveum.midpoint.prism.query.ObjectQuery;
-import com.evolveum.midpoint.prism.query.OrgFilter;
-import com.evolveum.midpoint.prism.query.RefFilter;
-import com.evolveum.midpoint.prism.query.TypeFilter;
 import com.evolveum.midpoint.prism.query.OrgFilter.Scope;
 import com.evolveum.midpoint.schema.GetOperationOptions;
 import com.evolveum.midpoint.schema.RetrieveOption;
@@ -382,28 +375,52 @@ public void yesPerformed(AjaxRequestTarget target) {
 
 	@Override
 	protected List<InlineMenuItem> createMembersHeaderInlineMenu() {
-		List<InlineMenuItem> headerMenuItems = super.createMembersHeaderInlineMenu();
-
-		headerMenuItems.add(new InlineMenuItem(createStringResource("TreeTablePanel.menu.deleteMember"),
-				false, new HeaderMenuAction(this) {
+		List<InlineMenuItem> headerMenuItems = new ArrayList<>();
+		headerMenuItems.addAll(newMemberInlineMenuItems());
+		headerMenuItems.add(new InlineMenuItem());
 
-					@Override
-					public void onClick(AjaxRequestTarget target) {
-						deleteMemberPerformed(QueryScope.SELECTED, null, target, "TreeTablePanel.menu.deleteMember.confirm");
-					}
-				}));
-
-		headerMenuItems.add(new InlineMenuItem(createStringResource("TreeTablePanel.menu.deleteAllMembers"),
-				false, new HeaderMenuAction(this) {
+		if (WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_UNASSIGN_MEMBER_ACTION_URI)) {
+			headerMenuItems.addAll(super.createUnassignMemberInlineMenuItems());
+		}
+		if (WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_RECOMPUTE_MEMBER_ACTION_URI)) {
+			headerMenuItems.addAll(super.createMemberRecomputeInlineMenuItems());
+		}
+		if (WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_DELETE_MEMBER_ACTION_URI)) {
+			headerMenuItems.add(new InlineMenuItem(createStringResource("TreeTablePanel.menu.deleteMember"),
+					false, new HeaderMenuAction(this) {
 
-					@Override
-					public void onClick(AjaxRequestTarget target) {
-						deleteMemberPerformed(QueryScope.ALL, null, target, "TreeTablePanel.menu.deleteAllMembers.confirm");
-					}
-				}));
+				@Override
+				public void onClick(AjaxRequestTarget target) {
+					deleteMemberPerformed(QueryScope.SELECTED, null, target, "TreeTablePanel.menu.deleteMember.confirm");
+				}
+			}));
+
+			headerMenuItems.add(new InlineMenuItem(createStringResource("TreeTablePanel.menu.deleteAllMembers"),
+					false, new HeaderMenuAction(this) {
+
+				@Override
+				public void onClick(AjaxRequestTarget target) {
+					deleteMemberPerformed(QueryScope.ALL, null, target, "TreeTablePanel.menu.deleteAllMembers.confirm");
+				}
+			}));
+		}
 		return headerMenuItems;
 	}
-
+
+	protected List<InlineMenuItem> createNewMemberInlineMenuItems() {
+		if (WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_ADD_MEMBER_ACTION_URI)) {
+			return super.createNewMemberInlineMenuItems();
+		}
+		return new ArrayList<>();
+	}
+
+	protected List<InlineMenuItem> assignNewMemberInlineMenuItems() {
+		if (WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_ASSIGN_MEMBER_ACTION_URI)) {
+			return super.assignNewMemberInlineMenuItems();
+		}
+		return new ArrayList<>();
+	}
+
 	private void deleteMemberPerformed(final QueryScope scope, final QName relation, final AjaxRequestTarget target, String confirmMessageKey) {
 		ConfirmationPanel confirmDelete = new ConfirmationPanel(getPageBase().getMainPopupBodyId(), createStringResource(confirmMessageKey)) {
 			@Override
@@ -429,60 +446,69 @@ private void deleteMemberConfirmPerformed(QueryScope scope, QName relation, Ajax
 	private List<InlineMenuItem> createManagersHeaderInlineMenu() {
 		List<InlineMenuItem> headerMenuItems = new ArrayList<>();
 
-		headerMenuItems.add(new InlineMenuItem(createStringResource("TreeTablePanel.menu.createManager"),
-				false, new HeaderMenuAction(this) {
-					private static final long serialVersionUID = 1L;
+		if (WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_ADD_MEMBER_ACTION_URI)) {
+			headerMenuItems.add(new InlineMenuItem(createStringResource("TreeTablePanel.menu.createManager"),
+					false, new HeaderMenuAction(this) {
+				private static final long serialVersionUID = 1L;
 
-					@Override
-					public void onClick(AjaxRequestTarget target) {
-						OrgMemberPanel.this.createFocusMemberPerformed(SchemaConstants.ORG_MANAGER, target);
-					}
-				}));
-		headerMenuItems.add(new InlineMenuItem());
+				@Override
+				public void onClick(AjaxRequestTarget target) {
+					OrgMemberPanel.this.createFocusMemberPerformed(SchemaConstants.ORG_MANAGER, target);
+				}
+			}));
+			headerMenuItems.add(new InlineMenuItem());
+		}
 
-		headerMenuItems.add(new InlineMenuItem(createStringResource("TreeTablePanel.menu.addManagers"), false,
-				new HeaderMenuAction(this) {
-					private static final long serialVersionUID = 1L;
+		if (WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_ASSIGN_MEMBER_ACTION_URI)) {
+			headerMenuItems.add(new InlineMenuItem(createStringResource("TreeTablePanel.menu.addManagers"), false,
+					new HeaderMenuAction(this) {
+						private static final long serialVersionUID = 1L;
+
+						@Override
+						public void onClick(AjaxRequestTarget target) {
+							OrgMemberPanel.this.addMembers(SchemaConstants.ORG_MANAGER, target);
+						}
+					}));
+			headerMenuItems.add(new InlineMenuItem());
+		}
 
-					@Override
-					public void onClick(AjaxRequestTarget target) {
-						OrgMemberPanel.this.addMembers(SchemaConstants.ORG_MANAGER, target);
-					}
-				}));
-		headerMenuItems.add(new InlineMenuItem());
+		if (WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_UNASSIGN_MEMBER_ACTION_URI)) {
+			headerMenuItems.add(new InlineMenuItem(createStringResource("TreeTablePanel.menu.removeManagersAll"),
+					false, new HeaderMenuAction(this) {
+				private static final long serialVersionUID = 1L;
 
-		headerMenuItems.add(new InlineMenuItem(createStringResource("TreeTablePanel.menu.removeManagersAll"),
-				false, new HeaderMenuAction(this) {
-					private static final long serialVersionUID = 1L;
+				@Override
+				public void onClick(AjaxRequestTarget target) {
+					removeManagersPerformed(QueryScope.ALL, target);
+				}
+			}));
+		}
 
-					@Override
-					public void onClick(AjaxRequestTarget target) {
-						removeManagersPerformed(QueryScope.ALL, target);
-					}
-				}));
-
-		headerMenuItems
-				.add(new InlineMenuItem(createStringResource("TreeTablePanel.menu.recomputeManagersAll"),
-						false, new HeaderMenuAction(this) {
-							private static final long serialVersionUID = 1L;
-
-							@Override
-							public void onClick(AjaxRequestTarget target) {
-								recomputeManagersPerformed(QueryScope.ALL, target);
-							}
-						}));
-
-		headerMenuItems
-		.add(new InlineMenuItem(createStringResource("TreeTablePanel.menu.deleteManagersAll"),
-				false, new HeaderMenuAction(this) {
-					private static final long serialVersionUID = 1L;
-
-					@Override
-					public void onClick(AjaxRequestTarget target) {
-						OrgMemberPanel.this.deleteMemberPerformed(QueryScope.ALL, SchemaConstants.ORG_MANAGER, target, "TreeTablePanel.menu.deleteManagersAll.confirm");
-					}
-				}));
+		if (WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_RECOMPUTE_MEMBER_ACTION_URI)) {
+			headerMenuItems
+					.add(new InlineMenuItem(createStringResource("TreeTablePanel.menu.recomputeManagersAll"),
+							false, new HeaderMenuAction(this) {
+						private static final long serialVersionUID = 1L;
+
+						@Override
+						public void onClick(AjaxRequestTarget target) {
+							recomputeManagersPerformed(QueryScope.ALL, target);
+						}
+					}));
+		}
 
+		if (WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_DELETE_MEMBER_ACTION_URI)) {
+			headerMenuItems
+					.add(new InlineMenuItem(createStringResource("TreeTablePanel.menu.deleteManagersAll"),
+							false, new HeaderMenuAction(this) {
+						private static final long serialVersionUID = 1L;
+
+						@Override
+						public void onClick(AjaxRequestTarget target) {
+							OrgMemberPanel.this.deleteMemberPerformed(QueryScope.ALL, SchemaConstants.ORG_MANAGER, target, "TreeTablePanel.menu.deleteManagersAll.confirm");
+						}
+					}));
+		}
 		return headerMenuItems;
 	}
 

repo/security-api/src/main/java/com/evolveum/midpoint/security/api/AuthorizationConstants.java

@@ -358,4 +358,20 @@ public class AuthorizationConstants {
     public static final QName AUTZ_UI_DELEGATE_ACTION_QNAME = new QName(NS_AUTHORIZATION_UI, "delegate");
     public static final String AUTZ_UI_DELEGATE_ACTION_URL = QNameUtil.qNameToUri(AUTZ_UI_DELEGATE_ACTION_QNAME);
 
+	//ui authorizations for menu items on the org members/managers panel
+	public static final QName AUTZ_UI_ASSIGN_MEMBER_ACTION_QNAME = new QName(NS_AUTHORIZATION_UI, "assignMember");
+    public static final String AUTZ_UI_ASSIGN_MEMBER_ACTION_URI = QNameUtil.qNameToUri(AUTZ_UI_ASSIGN_MEMBER_ACTION_QNAME);
+
+	public static final QName AUTZ_UI_UNASSIGN_MEMBER_ACTION_QNAME = new QName(NS_AUTHORIZATION_UI, "unassignMember");
+    public static final String AUTZ_UI_UNASSIGN_MEMBER_ACTION_URI = QNameUtil.qNameToUri(AUTZ_UI_UNASSIGN_MEMBER_ACTION_QNAME);
+
+	public static final QName AUTZ_UI_ADD_MEMBER_ACTION_QNAME = new QName(NS_AUTHORIZATION_UI, "addMember");
+    public static final String AUTZ_UI_ADD_MEMBER_ACTION_URI = QNameUtil.qNameToUri(AUTZ_UI_ADD_MEMBER_ACTION_QNAME);
+
+	public static final QName AUTZ_UI_DELETE_MEMBER_ACTION_QNAME = new QName(NS_AUTHORIZATION_UI, "deleteMember");
+    public static final String AUTZ_UI_DELETE_MEMBER_ACTION_URI = QNameUtil.qNameToUri(AUTZ_UI_DELETE_MEMBER_ACTION_QNAME);
+
+	public static final QName AUTZ_UI_RECOMPUTE_MEMBER_ACTION_QNAME = new QName(NS_AUTHORIZATION_UI, "recomputeMember");
+    public static final String AUTZ_UI_RECOMPUTE_MEMBER_ACTION_URI = QNameUtil.qNameToUri(AUTZ_UI_RECOMPUTE_MEMBER_ACTION_QNAME);
+
 }