[NAE-2193] Assign all roles to admin users

[renczesstefan]

Description

Implements NAE-2193

Dependencies

No new dependencies were introduced.

Third party dependencies

No new dependencies were introduced.

Blocking Pull requests

There are no dependencies on other PR

How Has Been This Tested?

This was tested manually and with unit tests.

Test Configuration

Name	Tested on
OS	macOS Sequoia 15.3.1
Runtime	Java 21
Dependency Manager	Maven 3.9.9n
Framework version	Spring Boot 3.2.5
Run parameters
Other configuration

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• My changes have been checked, personally or remotely, with @machacjozef
• I have commented my code, particularly in hard-to-understand areas
• I have resolved all conflicts with the target branch of the PR
• I have updated and synced my code with the target branch
• I have added tests that prove my fix is effective or that my feature works
• New and existing tests pass locally with my changes:
  • Lint test
  • Unit tests
  • Integration tests
• I have checked my contribution with code analysis tools:
  • SonarCloud
  • Snyk
• I have made corresponding changes to the documentation:
  • Developer documentation
  • User Guides
  • Migration Guides

Summary by CodeRabbit

• New Features
  • Added ability to update the super admin’s process roles in one step.
• Changes
  • Standardized super admin credentials: unified username-based authentication and updated default admin email to super@netgrif.com.
  • Replaced hard-coded admin identifiers with shared constants for consistency.
• Tests
  • Updated test suites to use standardized admin credentials and username-based authentication.
  • Minor cleanups to improve test stability.

[coderabbitai]

Walkthrough

Replaced hard-coded super admin identifiers with UserConstants in production and tests, added UserService.updateAdminWithRoles implementation and interface method, introduced UserRepository.countAll default method, updated ADMIN_USER_EMAIL value, and adjusted one test to use findByEmail. No public signatures removed; primarily additive and constant-driven changes.

Changes

Cohort / File(s)	Summary of Changes
Super admin bootstrap uses constants application-engine/src/main/java/com/netgrif/application/engine/startup/runner/SuperCreatorRunner.java	Switched super user lookup and creation fields from hard-coded values to UserConstants (username, first/last name, email).
User constants update nae-object-library/src/main/java/com/netgrif/application/engine/objects/auth/constants/UserConstants.java	Changed ADMIN_USER_EMAIL value to "super@netgrif.com".
User service API + impl nae-user-common/src/main/java/com/netgrif/application/engine/auth/service/UserService.java, nae-user-ce/src/main/java/com/netgrif/application/engine/auth/service/UserServiceImpl.java	Added updateAdminWithRoles(Collection) to interface; implemented method to load admin (by email, realmId null), replace process roles, and save. Minor whitespace tweak elsewhere.
User repository utility nae-user-common/src/main/java/com/netgrif/application/engine/auth/repository/UserRepository.java	Added default method countAll(String, MongoTemplate) to count User documents in a specified collection.
Tests — adopt admin constants application-engine/src/test/groovy/com/netgrif/application/engine/action/RemoveActionTest.groovy, application-engine/src/test/groovy/com/netgrif/application/engine/export/service/ExportServiceTest.groovy, application-engine/src/test/groovy/com/netgrif/application/engine/petrinet/domain/dataset/FileFieldTest.groovy, application-engine/src/test/groovy/com/netgrif/application/engine/petrinet/domain/dataset/FileListFieldTest.groovy, application-engine/src/test/groovy/com/netgrif/application/engine/workflow/CaseSearchTest.groovy	Imported UserConstants and replaced hard-coded admin identifiers with ADMIN_USER_USERNAME/ADMIN_USER_EMAIL; added username on admin creation in setup where applicable.
Tests — user lookup change application-engine/src/test/groovy/com/netgrif/application/engine/workflow/UserRefsTest.groovy	Replaced findUserByUsername(...).get() with findByEmail(...), adjusting retrieval of stringId.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Caller as Caller
  participant USvc as UserServiceImpl
  participant URepo as UserRepository
  participant Store as Persistence

  Caller->>USvc: updateAdminWithRoles(roles)
  USvc->>URepo: findByEmail(ADMIN_USER_EMAIL, realmId=null)
  URepo-->>USvc: adminUser
  USvc->>USvc: adminUser.setProcessRoles(new HashSet(roles))
  USvc->>Store: saveUser(adminUser)
  Store-->>USvc: savedUser
  USvc-->>Caller: void
  note right of USvc: Logs role count before/after save

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 71327e0 and 96d019c.

📒 Files selected for processing (1)

• nae-user-ce/src/main/java/com/netgrif/application/engine/auth/service/UserServiceImpl.java (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

nae-user-ce/src/main/java/com/netgrif/application/engine/auth/service/UserServiceImpl.java (1)

nae-object-library/src/main/java/com/netgrif/application/engine/objects/auth/constants/UserConstants.java (1)

• UserConstants (3-11)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Test
• GitHub Check: task-list-completed
• GitHub Check: task-list-completed
• GitHub Check: task-list-completed

🔇 Additional comments (1)

nae-user-ce/src/main/java/com/netgrif/application/engine/auth/service/UserServiceImpl.java (1)

216-216: LGTM — formatting-only touch.
No functional change.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 15

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

nae-object-library/src/main/java/com/netgrif/application/engine/objects/plugin/domain/Plugin.java (1)

52-63: Defensive copy and null-safety for metadata in builder ctor.

Avoid nulls and external mutations.

-    public Plugin(String identifier, String name, String version, String description, String url, int restPort, int grpcPort, Map<String, EntryPoint> entryPoints, boolean active, Map<String, String> metadata) {
+    public Plugin(String identifier, String name, String version, String description, String url, int restPort, int grpcPort, Map<String, EntryPoint> entryPoints, boolean active, Map<String, String> metadata) {
         this.identifier = identifier;
         this.name = name;
         this.version = version;
         this.description = description;
         this.url = url;
         this.restPort = restPort;
         this.grpcPort = grpcPort;
         this.entryPoints = entryPoints;
         this.active = active;
-        this.metadata = metadata;
+        this.metadata = metadata != null ? new LinkedHashMap<>(metadata) : new LinkedHashMap<>();
     }

nae-user-ce/src/main/java/com/netgrif/application/engine/auth/service/UserServiceImpl.java (1)

296-309: Fix Optional type mismatch and guard assignment to admins only.

Optional<User> is being assigned to Optional<AbstractUser> via a no-op map, which won’t compile. Also, the method assigns all roles to any user by username; enforce admin-only to match intent.

Apply:

-    public void addAllRolesToAdminByUsername(String username) {
-        String collectionName = collectionNameProvider.getAdminRealmCollection();
-        Optional<AbstractUser> userOptional = userRepository.findByUsername(username, mongoTemplate, collectionName).map(user -> user);
-        if (userOptional.isEmpty()) {
-            throw new IllegalArgumentException("Admin user with username [%s] cannot be found.".formatted(username));
-        }
-        AbstractUser user = userOptional.get();
-
-        Page<ProcessRole> processRoles = processRoleService.findAll(Pageable.unpaged());
-        user.getProcessRoles().addAll(processRoles.getContent());
-
-        saveUser(user, user.getRealmId());
-    }
+    public void addAllRolesToAdminByUsername(String username) {
+        String collectionName = collectionNameProvider.getAdminRealmCollection();
+        Optional<User> userOptional = userRepository.findByUsername(username, mongoTemplate, collectionName);
+        if (userOptional.isEmpty()) {
+            throw new IllegalArgumentException("Admin user with username [%s] cannot be found.".formatted(username));
+        }
+        User user = userOptional.get();
+        // enforce admin-only
+        if (!user.getAuthoritySet().contains(authorityService.getOrCreate(Authority.admin))) {
+            log.warn("User [{}] is not an admin – skipping role assignment", username);
+            return;
+        }
+        Page<ProcessRole> processRoles = processRoleService.findAll(Pageable.unpaged());
+        user.getProcessRoles().addAll(processRoles.getContent());
+        saveUser(user, user.getRealmId());
+    }

application-engine/src/main/java/com/netgrif/application/engine/startup/runner/SuperCreatorRunner.java (1)

33-33: Remove unused constant.

SUPER_ADMIN_EMAIL is no longer used; delete to avoid confusion.

-    public static final String SUPER_ADMIN_EMAIL = "super@netgrif.com";

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between b8abb83 and 1c830a1.

📒 Files selected for processing (16)

• application-engine/pom.xml (1 hunks)
• application-engine/src/main/groovy/com/netgrif/application/engine/petrinet/domain/dataset/logic/action/ActionDelegate.groovy (3 hunks)
• application-engine/src/main/java/com/netgrif/application/engine/configuration/groovy/GroovyShellConfiguration.java (3 hunks)
• application-engine/src/main/java/com/netgrif/application/engine/startup/runner/SuperCreatorRunner.java (2 hunks)
• application-engine/src/main/resources/application.yaml (1 hunks)
• nae-object-library/pom.xml (1 hunks)
• nae-object-library/src/main/java/com/netgrif/application/engine/objects/auth/constants/UserConstants.java (1 hunks)
• nae-object-library/src/main/java/com/netgrif/application/engine/objects/plugin/domain/Plugin.java (3 hunks)
• nae-object-library/src/main/java/com/netgrif/application/engine/objects/utils/Nullable.java (1 hunks)
• nae-spring-core-adapter/pom.xml (1 hunks)
• nae-user-ce/pom.xml (1 hunks)
• nae-user-ce/src/main/java/com/netgrif/application/engine/auth/service/UserServiceImpl.java (1 hunks)
• nae-user-common/pom.xml (1 hunks)
• nae-user-common/src/main/java/com/netgrif/application/engine/auth/repository/UserRepository.java (1 hunks)
• nae-user-common/src/main/java/com/netgrif/application/engine/auth/service/UserService.java (1 hunks)
• pom.xml (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

application-engine/src/main/java/com/netgrif/application/engine/startup/runner/SuperCreatorRunner.java (1)

nae-object-library/src/main/java/com/netgrif/application/engine/objects/auth/constants/UserConstants.java (1)

• UserConstants (3-11)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: task-list-completed
• GitHub Check: task-list-completed
• GitHub Check: task-list-completed
• GitHub Check: Build
• GitHub Check: task-list-completed

🔇 Additional comments (13)

nae-object-library/pom.xml (1)

10-10: RC6.1 parent align looks good.

No issues spotted with the version bump here.

application-engine/pom.xml (1)

9-9: Parent version updated to RC6.1 — OK.

Assuming the root POM is also RC6.1 (it is in this PR), inheritance will resolve correctly.

nae-user-common/pom.xml (1)

9-9: Consistent parent version — OK.

Module will inherit dependency management from the updated parent as expected.

pom.xml (1)

9-9: All parent POM versions aligned to 7.0.0-RC6.1 with no SNAPSHOTs remaining
No 7.0.0-SNAPSHOT found; all module parent versions are consistently set to 7.0.0-RC6.1.

nae-user-ce/pom.xml (1)

9-9: Parent bump to RC6.1 — looks good.

No additional changes required here.

nae-spring-core-adapter/pom.xml (1)

10-10: Version alignment confirmed. All modules use 7.0.0-RC6.1; no SNAPSHOT or mismatched RC versions found.

application-engine/src/main/java/com/netgrif/application/engine/configuration/groovy/GroovyShellConfiguration.java (1)

23-23: Registering default star imports — LGTM.

nae-object-library/src/main/java/com/netgrif/application/engine/objects/plugin/domain/Plugin.java (1)

44-45: Equality/HashCode semantics changed due to new field.

@DaTa now includes metadata in equals/hashCode. Confirm this won’t break caches/collections or API compatibility.

application-engine/src/main/resources/application.yaml (1)

162-162: Add Nullable to actions.imports — LGTM.

Import enables Nullable in scripts; no concerns.

nae-user-ce/src/main/java/com/netgrif/application/engine/auth/service/UserServiceImpl.java (1)

596-596: Order-preserving dedup — verify paging semantics.

Using LinkedHashSet preserves order (good), but dedup can shrink page content while totalElements stays unchanged. Confirm consumers tolerate this.

nae-object-library/src/main/java/com/netgrif/application/engine/objects/auth/constants/UserConstants.java (1)

8-8: Admin email change — LGTM; check rollout.

Switching to super@netgrif.com looks fine. Ensure docs and any ops automation expecting the old value are updated.

application-engine/src/main/groovy/com/netgrif/application/engine/petrinet/domain/dataset/logic/action/ActionDelegate.groovy (2)

93-93: Nullable helper for scripts — LGTM.

Import and nullable(T) wrapper are consistent with the new utility.

Also applies to: 911-913

---

2771-2776: Exception messages — LGTM.

Clear, actionable errors for missing/wrong field types.

[Retoocs]

There are test errors

[coderabbitai]

Actionable comments posted: 11

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 1c830a1 and 9187379.

📒 Files selected for processing (6)

• application-engine/src/test/groovy/com/netgrif/application/engine/action/RemoveActionTest.groovy (2 hunks)
• application-engine/src/test/groovy/com/netgrif/application/engine/export/service/ExportServiceTest.groovy (6 hunks)
• application-engine/src/test/groovy/com/netgrif/application/engine/petrinet/domain/dataset/FileFieldTest.groovy (5 hunks)
• application-engine/src/test/groovy/com/netgrif/application/engine/petrinet/domain/dataset/FileListFieldTest.groovy (4 hunks)
• application-engine/src/test/groovy/com/netgrif/application/engine/workflow/CaseSearchTest.groovy (2 hunks)
• application-engine/src/test/groovy/com/netgrif/application/engine/workflow/UserRefsTest.groovy (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Test
• GitHub Check: task-list-completed
• GitHub Check: task-list-completed

🔇 Additional comments (5)

application-engine/src/test/groovy/com/netgrif/application/engine/action/RemoveActionTest.groovy (2)

6-6: LGTM: centralized admin identity import

Using UserConstants removes hard-coded credentials.

---

120-120: Authentication token misses authorities — may 403 on admin-only endpoint

Build an authenticated token with admin authorities instead of a bare username.

Apply:

-        auth = new UsernamePasswordAuthenticationToken(UserConstants.ADMIN_USER_USERNAME, "password")
+        auth = new UsernamePasswordAuthenticationToken(
+                superCreator.getLoggedSuper(),
+                "password",
+                superCreator.getLoggedSuper().getAuthorities()
+        )

application-engine/src/test/groovy/com/netgrif/application/engine/workflow/CaseSearchTest.groovy (1)

6-6: LGTM: replaced hard-coded admin with UserConstants and basic auth

Good move to centralize credentials; basic auth now uses ADMIN_USER_USERNAME.

Also applies to: 170-170

application-engine/src/test/groovy/com/netgrif/application/engine/export/service/ExportServiceTest.groovy (2)

7-7: Good: replace magic literals with UserConstants.

Prevents drift when admin username/email change in one place.

---

97-97: Ignore suggestion to use adminActor()
No adminActor() helper exists in the codebase; either keep using userService.findByEmail(...) or add a common helper first.

Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (3)

nae-user-common/src/main/java/com/netgrif/application/engine/auth/service/UserService.java (3)

404-409: Fix Javadoc grammar and align param type; document union behavior

Current Javadoc has grammar issues and says “role identifiers” while the type is Collection<ProcessRole>. Also clarify that roles are added (union), not replaced, to avoid ambiguity with the implementation.

Apply:

-    /**
-     * Updates the admin user or users with the specified roles.
-     * This method assigns the provided roles to all the admin user of system, updating their current set of roles.
-     *
-     * @param roles a list of role identifiers to assign to the admin user
-     */
+    /**
+     * Assigns the provided process roles to all admin users in the system.
+     * Behavior: roles are added (union); existing roles are retained; duplicates are ignored.
+     *
+     * @param roles collection of process roles to assign to admin users; must not be null
+     */

---

404-409: Clarify API scope and naming (all admins vs one; realm awareness)

Name suggests singular “Admin” while text implies “all admin users”; method is not realm-aware unlike adjacent APIs. Either (a) rename to assignRolesToAllAdmins and document cross-realm behavior, or (b) add a realm-scoped overload and keep this as convenience.

Would you like an overload proposal that mirrors other realm-aware methods?

---

404-409: Prefer identifiers over domain objects in service boundary

Accepting Collection<ProcessRole> couples the interface to Petri-net domain objects. Consider Collection<ProcessResourceId> or Collection<String> and resolve roles in the implementation.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between d135afb and 71327e0.

📒 Files selected for processing (2)

• nae-user-ce/src/main/java/com/netgrif/application/engine/auth/service/UserServiceImpl.java (2 hunks)
• nae-user-common/src/main/java/com/netgrif/application/engine/auth/service/UserService.java (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

nae-user-ce/src/main/java/com/netgrif/application/engine/auth/service/UserServiceImpl.java (1)

nae-object-library/src/main/java/com/netgrif/application/engine/objects/auth/constants/UserConstants.java (1)

• UserConstants (3-11)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)

• GitHub Check: task-list-completed
• GitHub Check: task-list-completed
• GitHub Check: task-list-completed
• GitHub Check: task-list-completed
• GitHub Check: task-list-completed
• GitHub Check: task-list-completed
• GitHub Check: task-list-completed

🔇 Additional comments (2)

nae-user-ce/src/main/java/com/netgrif/application/engine/auth/service/UserServiceImpl.java (2)

603-603: Preserving iteration order is good here

Switch to LinkedHashSet deduplicates while keeping page order before mapping to List. Looks good.

---

567-573: Verify and add usage/tests for updateAdminWithRoles

• No external callers of updateAdminWithRoles found beyond its interface and own impl; update any consumers to use this new API.
• Add unit/integration tests covering repeated invocations (idempotency), union semantics, and multiple-admin scenarios.