Remove unrequired permissions, but check the member id still for editing/creating

Author: timyates

server/src/main/java/com/objectcomputing/checkins/services/permissions/Permission.java

@@ -47,9 +47,7 @@ public enum Permission {
   CAN_DELETE_REVIEW_PERIOD("Delete review period", "Review Period"),
   CAN_ADMINISTER_SETTINGS("Add or edit settings", "Settings"),
   CAN_VIEW_SETTINGS("View settings", "Settings"),
-  CAN_VIEW_ALL_PULSE_RESPONSES("View all pulse responses", "Pulse"),
-  CAN_CREATE_ALL_PULSE_RESPONSES("Create pulse responses for anyone", "Pulse"),
-  CAN_UPDATE_ALL_PULSE_RESPONSES("Update pulse responses for anyone", "Pulse");
+  CAN_VIEW_ALL_PULSE_RESPONSES("View all pulse responses", "Pulse");
 
   private final String description;
   private final String category;

server/src/main/java/com/objectcomputing/checkins/services/pulseresponse/PulseResponseServicesImpl.java

@@ -40,8 +40,6 @@ public PulseResponseServicesImpl(
     @Override
     public PulseResponse save(PulseResponse pulseResponse) {
         UUID currentUserId = currentUserServices.getCurrentUser().getId();
-        boolean hasPermission = rolePermissionServices.findUserPermissions(currentUserId).contains(Permission.CAN_CREATE_ALL_PULSE_RESPONSES);
-
         PulseResponse pulseResponseRet = null;
         if (pulseResponse != null) {
             final UUID memberId = pulseResponse.getTeamMemberId();
@@ -52,7 +50,7 @@ public PulseResponse save(PulseResponse pulseResponse) {
                 throw new BadArgException(String.format("Member %s doesn't exists", memberId));
             } else if (pulseSubDate.isBefore(LocalDate.EPOCH) || pulseSubDate.isAfter(LocalDate.MAX)) {
                 throw new BadArgException(String.format("Invalid date for pulseresponse submission date %s", memberId));
-            } else if (!hasPermission && !currentUserId.equals(memberId) && !isSubordinateTo(pulseResponse.getTeamMemberId(), currentUserId)) {
+            } else if (!currentUserId.equals(memberId) && !isSubordinateTo(memberId, currentUserId)) {
                 throw new BadArgException(String.format("User %s does not have permission to create pulse response for user %s", currentUserId, memberId));
             }
             pulseResponseRet = pulseResponseRepo.save(pulseResponse);
@@ -73,8 +71,6 @@ public PulseResponse read(@NotNull UUID id) {
     @Override
     public PulseResponse update(PulseResponse pulseResponse) {
         UUID currentUserId = currentUserServices.getCurrentUser().getId();
-        boolean hasPermission = rolePermissionServices.findUserPermissions(currentUserId).contains(Permission.CAN_UPDATE_ALL_PULSE_RESPONSES);
-
         PulseResponse pulseResponseRet = null;
         if (pulseResponse != null) {
             final UUID id = pulseResponse.getId();
@@ -88,7 +84,7 @@ public PulseResponse update(PulseResponse pulseResponse) {
                 throw new BadArgException(String.format("Invalid pulseresponse %s", pulseResponse));
             } else if (pulseSubDate.isBefore(LocalDate.EPOCH) || pulseSubDate.isAfter(LocalDate.MAX)) {
                 throw new BadArgException(String.format("Invalid date for pulseresponse submission date %s", memberId));
-            } else if (!hasPermission && !currentUserId.equals(memberId) && !isSubordinateTo(pulseResponse.getTeamMemberId(), currentUserId)) {
+            } else if (!currentUserId.equals(memberId) && !isSubordinateTo(memberId, currentUserId)) {
                 throw new BadArgException(String.format("User %s does not have permission to update pulse response for user %s", currentUserId, memberId));
             }
             pulseResponseRet = pulseResponseRepo.update(pulseResponse);

server/src/main/resources/db/dev/R__Load_testing_data.sql

@@ -892,16 +892,6 @@ insert into role_permissions
 values
     ('e8a4fff8-e984-4e59-be84-a713c9fa8d23', 'CAN_VIEW_ALL_PULSE_RESPONSES');
 
-insert into role_permissions
-(roleid, permission)
-values
-    ('e8a4fff8-e984-4e59-be84-a713c9fa8d23', 'CAN_CREATE_ALL_PULSE_RESPONSES');
-
-insert into role_permissions
-(roleid, permission)
-values
-    ('e8a4fff8-e984-4e59-be84-a713c9fa8d23', 'CAN_UPDATE_ALL_PULSE_RESPONSES');
-
 -- PDL Permissions
 insert into role_permissions
     (roleid, permission)

server/src/test/java/com/objectcomputing/checkins/services/fixture/PermissionFixture.java

@@ -83,9 +83,7 @@ public interface PermissionFixture extends RolePermissionFixture {
         Permission.CAN_LAUNCH_REVIEW_PERIOD,
         Permission.CAN_CLOSE_REVIEW_PERIOD,
         Permission.CAN_DELETE_REVIEW_PERIOD,
-        Permission.CAN_VIEW_ALL_PULSE_RESPONSES,
-        Permission.CAN_CREATE_ALL_PULSE_RESPONSES,
-        Permission.CAN_UPDATE_ALL_PULSE_RESPONSES
+        Permission.CAN_VIEW_ALL_PULSE_RESPONSES
     );
 
     default void setPermissionsForAdmin(UUID roleID) {

server/src/test/java/com/objectcomputing/checkins/services/pulseresponse/PulseResponseControllerTest.java

@@ -130,22 +130,6 @@ void testCreatePulseResponseForSomeoneInHierarchy() {
         assertEquals(String.format("%s/%s", request.getPath(), pulseResponseResponse.getId()), response.getHeaders().get("location"));
     }
 
-    @Test
-    void testCreatePulseResponseForSomeoneUnrelatedWithRole() {
-        MemberProfile memberProfile = createADefaultMemberProfile();
-        PulseResponseCreateDTO pulseResponseCreateDTO = createPulseResponseCreateDTO(id(HIERARCHY_LEAD2));
-
-        HttpRequest<PulseResponseCreateDTO> request = HttpRequest.POST("", pulseResponseCreateDTO).basicAuth(ADMIN_ROLE, ADMIN_ROLE);
-        final HttpResponse<PulseResponse> response = client.toBlocking().exchange(request, PulseResponse.class);
-
-        PulseResponse pulseResponseResponse = response.body();
-
-        Assertions.assertNotNull(pulseResponseResponse);
-        assertEquals(HttpStatus.CREATED, response.getStatus());
-        assertEquals(pulseResponseCreateDTO.getTeamMemberId(), pulseResponseResponse.getTeamMemberId());
-        assertEquals(String.format("%s/%s", request.getPath(), pulseResponseResponse.getId()), response.getHeaders().get("location"));
-    }
-
     @Test
     void testCreateANullPulseResponse() {
         final HttpRequest<String> request = HttpRequest.POST("", "").basicAuth(MEMBER_ROLE, MEMBER_ROLE);
@@ -348,18 +332,6 @@ void testUpdatePulseResponse() {
         assertEquals(String.format("%s/%s", request.getPath(), pulseResponse.getId()), response.getHeaders().get("location"));
     }
 
-    @Test
-    void testUpdatePulseResponseForUnrelatedMemberWithRole() {
-        PulseResponse pulseResponse = createADefaultPulseResponse(profile(HIERARCHY_LEAD2));
-
-        final HttpRequest<PulseResponse> request = HttpRequest.PUT("", pulseResponse).basicAuth(ADMIN_ROLE, ADMIN_ROLE);
-        final HttpResponse<PulseResponse> response = client.toBlocking().exchange(request, PulseResponse.class);
-
-        assertEquals(pulseResponse, response.body());
-        assertEquals(HttpStatus.OK, response.getStatus());
-        assertEquals(String.format("%s/%s", request.getPath(), pulseResponse.getId()), response.getHeaders().get("location"));
-    }
-
     @Test
     void testUpdatePulseResponseForSubordinateMember() {
         PulseResponse pulseResponse = createADefaultPulseResponse(profile(HIERARCHY_LEAD2_SUB1_SUB1));