Enabled admin to approve/reject other's work items by default. Added …

…'task add' auth to tenant admin in SaaS story sample.
Evolveum · Jun 14, 2016 · 8540663 · 8540663
1 parent cb8f7e1
commit 8540663
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 3 deletions.
diff --git a/...c/main/java/com/evolveum/midpoint/web/page/admin/resources/PageResourceVisualization.html b/...c/main/java/com/evolveum/midpoint/web/page/admin/resources/PageResourceVisualization.html
@@ -38,7 +38,7 @@
                 <textarea class="form-control input-sm" wicket:id="dot" rows="10"/>
                 <p/>
             </div>
-            <div wicket:id="svg" />
+            <div wicket:id="svg" style="overflow: auto" />
             <span class="button-group">
                 <button class="btn btn-default" wicket:id="back" type="submit" value="back">
                     <wicket:message key="PageBase.button.back"/>

diff --git a/infra/schema/src/main/resources/xml/ns/public/common/common-workflows-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/common-workflows-3.xsd
@@ -68,7 +68,7 @@
                     </xsd:documentation>
                 </xsd:annotation>
             </xsd:element>
-            <xsd:element name="allowCompleteOthersItems" minOccurs="0" type="xsd:boolean" default="false">
+            <xsd:element name="allowCompleteOthersItems" minOccurs="0" type="xsd:boolean" default="true">
                 <xsd:annotation>
                     <xsd:documentation>
                         Whether appropriately privileged users (e.g. the administrator) can approve/reject work items

diff --git a/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/util/MiscDataUtil.java b/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/util/MiscDataUtil.java
@@ -282,7 +282,7 @@ public boolean isAuthorizedToSubmit(String taskId, String assigneeOid) {
         // 2) is the current user allowed to approve any item?
         try {
 			WfConfigurationType wfConfig = SystemConfigurationHolder.getWorkflowConfiguration();
-			boolean allowedOthersItemsApproval = wfConfig != null && wfConfig.isAllowCompleteOthersItems() != null ? wfConfig.isAllowCompleteOthersItems() : false;
+			boolean allowedOthersItemsApproval = wfConfig != null && wfConfig.isAllowCompleteOthersItems() != null ? wfConfig.isAllowCompleteOthersItems() : true;
 			if (allowedOthersItemsApproval
 					&& securityEnforcer.isAuthorized(ModelAuthorizationAction.COMPLETE_ALL_WORK_ITEMS.getUrl(), null, null, null, null, null)) {
                 return true;

diff --git a/samples/stories/multitenant-idm-saas/roles/role-customer-authz-admin.xml b/samples/stories/multitenant-idm-saas/roles/role-customer-authz-admin.xml
@@ -38,6 +38,7 @@
 <!-- to be able to see configuration objects - may be security risk to allow
      see e.g. all/foreign password policies... -->
 <!--<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#debugs</action>-->
+<!--<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#tasksAll</action>-->
     </authorization>
 
 <!-- ***** From End User role (fragments) ***** -->
@@ -364,5 +365,26 @@
             </owner>
         </object>
     </authorization>
+
+    <authorization>
+        <name>Allow creation of background tasks</name>
+        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
+        <object>
+            <type>TaskType</type>
+        </object>
+    </authorization>
+
+    <!-- doesn't work in 3.4
+    <authorization>
+        <name>Allow reading of own background tasks</name>
+        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+        <object>
+            <type>TaskType</type>
+            <owner>
+                <special>self</special>
+            </owner>
+        </object>
+    </authorization> -->
+
     <requestable>false</requestable>
 </role>