From 7e2137822595149a13cc09ac4d778094ee324a4e Mon Sep 17 00:00:00 2001
From: pieterlukasse
Date: Fri, 10 May 2024 20:30:26 +0200
Subject: [PATCH 1/3] feat: introduce a new permission instead of relying on a role
---
 js/const.js | 1 +
 .../cohort-definition-manager.js | 11 ++-----
 js/pages/concept-sets/conceptset-manager.js | 11 ++-----
 js/services/AuthAPI.js | 32 ++++++++++++-------
 js/services/ShareRoleCheck.js | 30 ++++++++---------
 5 files changed, 41 insertions(+), 44 deletions(-)
diff --git a/js/const.js b/js/const.js
index 9bb28330d..6df92fe7b 100644
--- a/js/const.js
+++ b/js/const.js
@@ -192,6 +192,7 @@ define([
 const apiPaths = {
 role: (id = '') => `${config.api.url}role/${id}`,
 roleUsers: roleId => `${config.api.url}role/${roleId}/users`,
+ userRoles: userId => `${config.api.url}user/${userId}/roles`,
 permissions: () => `${config.api.url}permission`,
 rolePermissions: roleId => `${config.api.url}role/${roleId}/permissions`,
 relations: (roleId, relation, ids = []) => `${config.api.url}role/${roleId}/${relation}/${ids.join('+')}`,
diff --git a/js/pages/cohort-definitions/cohort-definition-manager.js b/js/pages/cohort-definitions/cohort-definition-manager.js
index fe43bff49..7ceeb8360 100644
--- a/js/pages/cohort-definitions/cohort-definition-manager.js
+++ b/js/pages/cohort-definitions/cohort-definition-manager.js
@@ -208,15 +208,8 @@ define(['jquery', 'knockout', 'text!./cohort-definition-manager.html',
 if (config.permissionManagementRoleId === "") {
 this.userCanShare(true);
 } else {
- shareRoleCheck.checkIfRoleCanShare(authApi.subject(), config.permissionManagementRoleId)
- .then(res=>{
- this.userCanShare(res);
- })
- .catch(error => {
- console.error(error);
- alert(ko.i18n('cohortDefinitions.cohortDefinitionManager.shareRoleCheck', 'Error when determining if user can share cohorts')());
- });
- }
+ this.userCanShare(authApi.isPermittedGlobalShareCohort());
+ }
 this.relatedSourcecodesOptions = globalConstants.relatedSourcecodesOptions;
 this.commonUtils = commonUtils;
diff --git a/js/pages/concept-sets/conceptset-manager.js b/js/pages/concept-sets/conceptset-manager.js
index c1ee6f61e..43005eace 100644
--- a/js/pages/concept-sets/conceptset-manager.js
+++ b/js/pages/concept-sets/conceptset-manager.js
@@ -184,15 +184,8 @@ define([
 if (config.permissionManagementRoleId === "") {
 this.userCanShare(true);
 } else {
- shareRoleCheck.checkIfRoleCanShare(authApi.subject(), config.permissionManagementRoleId)
- .then(res=>{
- this.userCanShare(res);
- })
- .catch(error => {
- console.error(error);
- alert(ko.i18n('conceptSets.conceptSetManager.shareRoleCheck', 'Error when determining if user can share concept sets')());
- });
- }
+ this.userCanShare(authApi.isPermittedGlobalShareCohort());
+ }
 this.isSaving = ko.observable(false);
diff --git a/js/services/AuthAPI.js b/js/services/AuthAPI.js
index b0a28eeba..10edfebf9 100644
--- a/js/services/AuthAPI.js
+++ b/js/services/AuthAPI.js
@@ -62,6 +62,7 @@ define(function(require, exports) {
 var subject = ko.observable();
 var permissions = ko.observable();
 var fullName = ko.observable();
+ var userId = ko.observable();
 const authProvider = ko.observable();
 authProvider.subscribe(provider => {
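Review bot: The new `else` branch reads a synchronous permission flag, but the surrounding condition still keys on `config.permissionManagementRoleId === ""`, while the `isPermittedGenerateCohort` hunk in this same commit switches its gate to `config.limitedPermissionManagement`; a deployment that sets the new flag and leaves the role id empty reaches `this.userCanShare(true)` for every user. The same split applies to the conceptset-manager.js hunk that follows. If the role id is no longer the intended switch, `if (!config.limitedPermissionManagement) {` would keep the two gates consistent; either way `userCanShare` only drives the UI, so the `cohortdefinition:global:share:put` check on the share endpoint itself is what has to hold, and this diff cannot show it. The enclosing function starts and ends outside the hunk.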
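Review bot: Concept-set sharing is now gated by `authApi.isPermittedGlobalShareCohort()`, whose permission string is `cohortdefinition:global:share:put`, so the concept-set share control is shown on the strength of a cohort-definition permission. If the server-side concept-set share endpoint checks a concept-set scoped permission instead, the UI and the API will disagree on who can share; confirm the backend permission name for concept sets, or rename the helper to say what it actually checks. The enclosing function starts and ends outside the hunk.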
@@ -82,6 +83,7 @@ define(function(require, exports) {
 subject(info.login);
 authProvider(jqXHR.getResponseHeader('x-auth-provider'));
 fullName(info.name ? info.name : info.login);
+ userId(info.id);
 resolve();
 },
 error: function (err) {
@@ -395,6 +397,12 @@ define(function(require, exports) {
 return isPermitted('cohortdefinition:' + id + ':copy:get');
 }
+ var isPermittedGlobalShareCohort = function() {
+ // special * permission (intended for admins) that allows the
+ // user to share any cohort with a "global reader role":
+ return isPermitted('cohortdefinition:global:share:put');
+ }
+
 var isPermittedUpdateCohort = function(id) {
 var permission = 'cohortdefinition:' + id + ':put';
 return isPermitted(permission);
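Review bot: The comment above `isPermittedGlobalShareCohort` describes a "special * permission", but the string it checks is the literal `cohortdefinition:global:share:put` with no wildcard, so the comment and the code disagree about what is being granted. Suggest replacing it with `// admin-level permission: lets the holder share any cohort definition with the global reader role; checks the literal 'cohortdefinition:global:share:put' entry in the user's loaded permission set`. Like the sibling helpers, this consults only the client-side permission list, which is worth stating so nobody treats it as an authorization decision. The enclosing `define` callback starts and ends outside the hunk.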
@@ -407,17 +415,17 @@ define(function(require, exports) {
 }
 var isPermittedGenerateCohort = function(cohortId, sourceKey) {
- var v = isPermitted('cohortdefinition:' + cohortId + ':generate:' + sourceKey + ':get') &&
- isPermitted('cohortdefinition:' + cohortId + ':info:get');
-
- // By default, everyone can generate any artifact they have
- // permission to read. If a permissionManagementRoleId has
- // been assigned, (non- empty string assignment), the default
- // generate functionality is not desired. Rather, users will have to
- // have a role that allows them to update the specific cohort definition.
- if (config.permissionManagementRoleId !== ""){
- v = v && isPermitted('cohortdefinition:' + cohortId + ':put')
- }
+ var v = isPermitted('cohortdefinition:' + cohortId + ':generate:' + sourceKey + ':get') &&
+ isPermitted('cohortdefinition:' + cohortId + ':info:get');
+
+ // By default, everyone can generate any artifact they have
+ // permission to read. If limitedPermissionManagement has
+ // been set to true, the default
+ // generate functionality is not desired. Rather, users will have to
+ // have a permission that allows them to update the specific cohort definition.
+ if (config.limitedPermissionManagement){
+ v = v && isPermitted('cohortdefinition:' + cohortId + ':put')
+ }
 return v
 }
@@ -560,6 +568,7 @@ define(function(require, exports) {
 reloginRequired: reloginRequired,
 subject: subject,
 fullName,
+ userId,
 tokenExpirationDate: tokenExpirationDate,
 tokenExpired: tokenExpired,
 authProvider: authProvider,
@@ -586,6 +595,7 @@ define(function(require, exports) {
 isPermittedReadCohort: isPermittedReadCohort,
 isPermittedCreateCohort: isPermittedCreateCohort,
 isPermittedCopyCohort: isPermittedCopyCohort,
+ isPermittedGlobalShareCohort: isPermittedGlobalShareCohort,
 isPermittedUpdateCohort: isPermittedUpdateCohort,
 isPermittedDeleteCohort: isPermittedDeleteCohort,
 isPermittedGenerateCohort: isPermittedGenerateCohort,
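Review bot: `config.limitedPermissionManagement` is a new config key that none of the five files in this patch defines, and a missing key reads as `undefined`, so the stricter `:put` requirement for generation is silently off in any deployment that does not add the key. The old `permissionManagementRoleId !== ""` test failed the same way, but the rename is the moment to pin the default; consider `if (config.limitedPermissionManagement === true){` together with a documented default in the config template, or a console warning at start-up when the key is absent. Re-indenting the whole body in the same hunk also buries the one-line behavioral change; a separate formatting commit would keep the permission change reviewable. The enclosing `define` callback starts and ends outside the hunk.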
diff --git a/js/services/ShareRoleCheck.js b/js/services/ShareRoleCheck.js
index eaac53a60..1644cd5c4 100644
--- a/js/services/ShareRoleCheck.js
+++ b/js/services/ShareRoleCheck.js
@@ -2,26 +2,26 @@ define(function (require, exports) {
 var $ = require('jquery');
 var constants = require('const');
 const httpService = require('services/http');
+ const authApi = require('services/AuthAPI');
- async function getRoleUsers(subject, permissionManagementRoleId) {
- return await httpService.doGet(constants.apiPaths.roleUsers(permissionManagementRoleId))
- .then(({ data = [] }) => data)
- .catch((er) => {
- console.error('ERROR: Can\'t find users with permissionManagementRoleId: ' + permissionManagementRoleId);
- });
- };
-
+ async function getUserRoles() {
+ return await httpService.doGet(constants.apiPaths.userRoles(authApi.userId()))
+ .then(({ data = [] }) => data)
+ .catch((er) => {
+ console.error('ERROR: Can\'t find user roles for: ' + authApi.userId());
+ });
+ };
 async function checkIfRoleCanShare(subject, permissionManagementRoleId) {
 var isAbleToShare = false;
- const roleUsers = await getRoleUsers(subject, permissionManagementRoleId);
- console.log("INFO: roleUsers:" + roleUsers.toString());
+ const userRoles = await getUserRoles();
+ console.log("INFO: roleUsers:" + userRoles.toString());
- roleUsers.forEach((user) => {
- console.log("INFO: user.login of user that has the permissionManagementRoleId " + permissionManagementRoleId + ": " + user.login + "; subject (currently logged in user): " + subject);
- if (subject == user.login){
- isAbleToShare = true;
+ userRoles.forEach((role) => {
+ console.log("INFO: role " + role );
+ if (role.id == permissionManagementRoleId){
+ isAbleToShare = true;
 }
- });
+ });
 console.log("INFO: isAbleToShare: " + isAbleToShare);
 return isAbleToShare;
 };
From 649cc7e9da002984cb3b44164be9ac1498275665 Mon Sep 17 00:00:00 2001
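Review bot: `checkIfRoleCanShare` still dereferences the result of `getUserRoles()` unguarded: the `.catch` in `getUserRoles` only logs and so resolves to `undefined`, which makes `userRoles.toString()` throw a `TypeError` on any failed request, and the new `"INFO: role " + role` log prints `[object Object]` rather than anything identifying the role. The `subject` parameter is now unused, and the two page hunks earlier in this commit dropped their calls to this function, so check whether any caller remains before keeping the module. The rewrite below fails closed when the roles cannot be fetched and compares ids as strings instead of with loose `==`; `getUserRoles` is left as is.
```javascript
async function checkIfRoleCanShare(subject, permissionManagementRoleId) {
  const userRoles = await getUserRoles();
  // getUserRoles() resolves to undefined when the request fails: treat as "cannot share"
  if (!Array.isArray(userRoles)) {
    console.log("INFO: isAbleToShare: false (user roles unavailable)");
    return false;
  }
  const isAbleToShare = userRoles.some(
    (role) => String(role.id) === String(permissionManagementRoleId)
  );
  console.log("INFO: isAbleToShare: " + isAbleToShare);
  return isAbleToShare;
}
```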
From: pieterlukasse
Date: Tue, 14 May 2024 20:02:37 +0200
Subject: [PATCH 2/3] fix: correct styling for sharing buttons on access modal ui
---
 js/components/security/access/configure-access-modal.html | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/js/components/security/access/configure-access-modal.html b/js/components/security/access/configure-access-modal.html
index 672339db7..b437d938f 100644
--- a/js/components/security/access/configure-access-modal.html
+++ b/js/components/security/access/configure-access-modal.html
@@ -92,15 +92,14 @@
-