Making possible to edit content within the Edit Page, regardless of t…

…he portlets you have assigned. (#26447) * #22698 adding fix * #22698 adding test * #22698 improving code readability * #22698 gh feedback * #22698 improving code * #22698 refactoring code --------- Co-authored-by: erickgonzalez <erick.gonzalez@dotcms.com>
dotCMS · Nov 6, 2023 · b71be86 · b71be86
1 parent f2bb424
commit b71be86
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 12 deletions.
diff --git a/dotCMS/src/integration-test/java/com/dotmarketing/business/LayoutAPITest.java b/dotCMS/src/integration-test/java/com/dotmarketing/business/LayoutAPITest.java
@@ -7,18 +7,25 @@
 import com.dotcms.mock.request.MockHttpRequestIntegrationTest;
 import com.dotcms.mock.request.MockParameterRequest;
 import com.dotcms.util.IntegrationTestInitService;
+import com.dotmarketing.beans.Host;
+import com.dotmarketing.business.ajax.RoleAjax;
 import com.dotmarketing.exception.DotDataException;
+import com.dotmarketing.exception.DotSecurityException;
 import com.dotmarketing.util.UUIDGenerator;
 import com.dotmarketing.util.UtilMethods;
 import com.google.common.collect.ImmutableMap;
+import com.liferay.portal.PortalException;
+import com.liferay.portal.SystemException;
 import com.liferay.portal.model.User;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
 
 import org.junit.Assert;
@@ -143,6 +150,52 @@ public void test_doesUserHaveAccessToPortlet() throws DotDataException {
 
   }
 
+    /**
+     * Method to test: {@link LayoutAPI#doesUserHaveAccessToPortlet(String, User)}
+     * Given Scenario:  You should be able to edit content within the Edit Page, regardless of the portlets you have assigned.
+     * ExpectedResult: If the user has. edit permissions, they should be given access to the portlet.
+     *
+     */
+    @Test
+    public void test_doesUserHaveAccessToPortlet_editPagePortletShouldBeAccessedIfValidPermission() throws DotDataException, DotSecurityException, SystemException, PortalException {
+        final RoleAPI roleAPI = APILocator.getRoleAPI();
+        //limited user
+        final User newUser = new UserDataGen().roles(TestUserUtils.getBackendRole()).nextPersisted();
+        final User systemUser = APILocator.systemUser();
+
+        //create a host
+        Host host = new Host();
+        host.setHostname("testHost"+System.currentTimeMillis());
+        host = APILocator.getHostAPI().save(host, systemUser, false);
+
+        //create a role
+        final String roleName = "testRole"+System.currentTimeMillis();
+        Role nrole = new Role();
+        nrole.setName(roleName);
+        nrole.setRoleKey(roleName);
+        nrole.setEditUsers(true);
+        nrole.setEditPermissions(true);
+        nrole.setEditLayouts(true);
+        nrole.setDescription(roleName);
+        nrole = APILocator.getRoleAPI().save(nrole);
+
+        //validate that user does not have access to the portlet until the permissions are assigned
+        assertFalse("The user should not have access to the portlet" , layoutAPI.doesUserHaveAccessToPortlet("edit-page", newUser));
+
+        //assign the role to the user
+        roleAPI.addRoleToUser(nrole, newUser);
+
+        //assign the permissions to the role
+        Map<String,String> permList=new HashMap<>();
+        permList.put("pages", Integer.toString(PermissionAPI.PERMISSION_READ | PermissionAPI.PERMISSION_EDIT));
+        permList.put("content", Integer.toString(PermissionAPI.PERMISSION_READ | PermissionAPI.PERMISSION_EDIT));
+        RoleAjax roleAjax = new RoleAjax();
+        roleAjax.saveRolePermission(nrole.getId(), host.getIdentifier(), permList, false);
+
+        //validate that user does have access to the portlet
+        assertTrue("The user should have access to the portlet", layoutAPI.doesUserHaveAccessToPortlet("edit-page", newUser));
+    }
+
     /**
      * Method to test: {@link LayoutAPI#findGettingStartedLayout()}
      * Given Scenario: Try to get the Getting Started Layout, if exists remove it. And call the

diff --git a/dotCMS/src/main/java/com/dotmarketing/business/LayoutAPIImpl.java b/dotCMS/src/main/java/com/dotmarketing/business/LayoutAPIImpl.java
@@ -5,30 +5,26 @@
 
 import com.dotcms.util.CollectionsUtils;
 import com.dotmarketing.util.Logger;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Comparator;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Optional;
-import java.util.Set;
+
+import java.util.*;
 
 import javax.servlet.http.HttpServletRequest;
 import com.dotcms.api.system.event.Payload;
 import com.dotcms.api.system.event.SystemEventType;
 import com.dotcms.business.CloseDBIfOpened;
 import com.dotcms.business.WrapInTransaction;
-import com.dotmarketing.db.DotRunnableFlusherThread;
 import com.dotmarketing.exception.DotDataException;
 import com.dotmarketing.exception.DotRuntimeException;
 import com.dotmarketing.util.UtilMethods;
 import com.dotmarketing.util.WebKeys;
 import com.google.common.base.Splitter;
 import com.liferay.portal.model.Portlet;
 import com.liferay.portal.model.User;
-import io.vavr.API;
 import io.vavr.control.Try;
 
+import static com.dotmarketing.business.PermissionAPI.PermissionableType.CONTENTLETS;
+import static com.dotmarketing.business.PermissionAPI.PermissionableType.HTMLPAGES;
+
 /**
  * @author jasontesser
  *
@@ -171,14 +167,28 @@ public int compare(Layout l1, Layout l2) {
 		return layouts;
 	}
 
+
+	/* This method is used to check if the user has access to edit the page portlet.
+	 * All the users should have access to Edit Page, regardless of the assigned portlets.
+	 * To determine if the user has access to edit page, we check if the user can edit HTMLPAGES or CONTENTLETS
+	 */
+	private boolean doesUserHaveAccessEditPagePortlet(User user) throws DotDataException {
+		final PermissionAPI permAPI = APILocator.getPermissionAPI();
+		return permAPI.doesUserHavePermissions(HTMLPAGES, PermissionAPI.PERMISSION_EDIT, user) ||
+				permAPI.doesUserHavePermissions(CONTENTLETS, PermissionAPI.PERMISSION_EDIT, user);
+	}
+
 	@Override
 	public boolean doesUserHaveAccessToPortlet(final String portletId, final User user) throws DotDataException {
-          if(portletId==null || user==null || !user.isBackendUser()) {
-              return false;
-          }
+		if(portletId==null || user==null || !user.isBackendUser()) {
+		  return false;
+		}
 		if(loadLayoutsForUser(user).stream(). anyMatch(layout -> layout.getPortletIds().contains(portletId))){
 			return true;
 		}
+		if("edit-page".equals(portletId) && doesUserHaveAccessEditPagePortlet(user)){
+			return true;
+		}
 		return APILocator.getRoleAPI().doesUserHaveRole(user, APILocator.getRoleAPI().loadCMSAdminRole());
 	}