Merge pull request #4191 from alkem-io/develop

Release: Fixes
alkem-io · Jul 1, 2024 · 3c4965b · 3c4965b
2 parents 2ea98a7 + f61c640
commit 3c4965b
Show file tree

Hide file tree

Showing 4 changed files with 105 additions and 69 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "alkemio-server",
-  "version": "0.82.6",
+  "version": "0.82.7",
   "description": "Alkemio server, responsible for managing the shared Alkemio platform",
   "author": "Alkemio Foundation",
   "private": false,

diff --git a/src/domain/space/account/account.resolver.mutations.ts b/src/domain/space/account/account.resolver.mutations.ts
@@ -279,10 +279,16 @@ export class AccountResolverMutations {
       virtualContributorData
     );
 
+    const clonedAccountAuth =
+      await this.accountAuthorizationService.getClonedAccountAuthExtendedForChildEntities(
+        account
+      );
+
+    // Need
     virtual =
       await this.virtualContributorAuthorizationService.applyAuthorizationPolicy(
         virtual,
-        account.authorization
+        clonedAccountAuth
       );
 
     virtual = await this.virtualContributorService.save(virtual);

diff --git a/src/domain/space/account/account.service.authorization.ts b/src/domain/space/account/account.service.authorization.ts
@@ -52,43 +52,27 @@ export class AccountAuthorizationService {
   ) {}
 
   async applyAuthorizationPolicy(accountInput: IAccount): Promise<IAccount> {
-    const account = await this.accountService.getAccountOrFail(
-      accountInput.id,
-      {
-        relations: {
-          agent: true,
-          space: {
-            community: {
-              policy: true,
-            },
+    let account = await this.accountService.getAccountOrFail(accountInput.id, {
+      relations: {
+        agent: true,
+        space: {
+          community: {
+            policy: true,
           },
-          license: true,
-          library: true,
-          defaults: true,
-          virtualContributors: true,
-          storageAggregator: true,
         },
-      }
-    );
-    if (
-      !account.agent ||
-      !account.space ||
-      !account.space.community ||
-      !account.space.community.policy ||
-      !account.library ||
-      !account.license ||
-      !account.defaults ||
-      !account.virtualContributors ||
-      !account.storageAggregator
-    ) {
+        license: true,
+        library: true,
+        defaults: true,
+        virtualContributors: true,
+        storageAggregator: true,
+      },
+    });
+    if (!account.space) {
       throw new RelationshipNotFoundException(
         `Unable to load Account with entities at start of auth reset: ${account.id} `,
         LogContext.ACCOUNT
       );
     }
-    const hostCredentials = await this.accountHostService.getHostCredentials(
-      account
-    );
 
     // Ensure always applying from a clean state
     account.authorization = this.authorizationPolicyService.reset(
@@ -100,16 +84,84 @@ export class AccountAuthorizationService {
         account.authorization
       );
 
-    // For now also use the root space admins to have some access
+    account.authorization = await this.extendAuthorizationPolicy(
+      account,
+      account.authorization
+    );
+    account.authorization = this.appendPrivilegeRules(account.authorization);
+
+    account = await this.applyAuthorizationPolicyForChildEntities(account);
+
+    // Need to save as there is still a circular dependency from space auth to account auth reset
+    const savedAccount = await this.accountService.save(account);
+
+    // And cascade into the space if there is one
+    if (!account.space) {
+      throw new RelationshipNotFoundException(
+        `No space on account for resetting: ${account.id} `,
+        LogContext.ACCOUNT
+      );
+    }
+    savedAccount.space =
+      await this.spaceAuthorizationService.applyAuthorizationPolicy(
+        account.space
+      );
+
+    return savedAccount;
+  }
+  public async getClonedAccountAuthExtendedForChildEntities(
+    account: IAccount
+  ): Promise<IAuthorizationPolicy> {
+    if (!account.space) {
+      throw new RelationshipNotFoundException(
+        `Unable to load Account with entities at start of auth reset: ${account.id} `,
+        LogContext.ACCOUNT
+      );
+    }
+    let clonedAccountAuth =
+      this.authorizationPolicyService.cloneAuthorizationPolicy(
+        account.authorization
+      );
+
     const communityPolicyWithSettings =
       this.spaceAuthorizationService.getCommunityPolicyWithSettings(
         account.space
       );
-    account.authorization = this.extendAuthorizationPolicy(
-      account.authorization,
+
+    const hostCredentials = await this.accountHostService.getHostCredentials(
+      account
+    );
+
+    clonedAccountAuth = this.extendAuthorizationPolicyForChildEntities(
+      clonedAccountAuth,
+      communityPolicyWithSettings,
       hostCredentials
     );
-    account.authorization = this.appendPrivilegeRules(account.authorization);
+    return clonedAccountAuth;
+  }
+
+  public async applyAuthorizationPolicyForChildEntities(
+    account: IAccount
+  ): Promise<IAccount> {
+    if (
+      !account.agent ||
+      !account.space ||
+      !account.space.community ||
+      !account.space.community.policy ||
+      !account.library ||
+      !account.license ||
+      !account.defaults ||
+      !account.virtualContributors ||
+      !account.storageAggregator
+    ) {
+      throw new RelationshipNotFoundException(
+        `Unable to load Account with entities at start of auth reset: ${account.id} `,
+        LogContext.ACCOUNT
+      );
+    }
+
+    const clonedAccountAuth =
+      await this.getClonedAccountAuthExtendedForChildEntities(account);
 
     account.agent = this.agentAuthorizationService.applyAuthorizationPolicy(
       account.agent,
@@ -121,16 +173,6 @@ export class AccountAuthorizationService {
       account.authorization
     );
 
-    let clonedAccountAuth =
-      this.authorizationPolicyService.cloneAuthorizationPolicy(
-        account.authorization
-      );
-    clonedAccountAuth = this.extendAuthorizationPolicyForChildEntities(
-      clonedAccountAuth,
-      communityPolicyWithSettings,
-      hostCredentials
-    );
-
     // For certain child entities allow the space admin also pretty much full control
     account.library =
       await this.templatesSetAuthorizationService.applyAuthorizationPolicy(
@@ -160,36 +202,24 @@ export class AccountAuthorizationService {
       updatedVCs.push(udpatedVC);
     }
     account.virtualContributors = updatedVCs;
-
-    // Need to save as there is still a circular dependency from space auth to account auth reset
-    const savedAccount = await this.accountService.save(account);
-
-    // And cascade into the space if there is one
-    if (!account.space) {
-      throw new RelationshipNotFoundException(
-        `No space on account for resetting: ${account.id} `,
-        LogContext.ACCOUNT
-      );
-    }
-    savedAccount.space =
-      await this.spaceAuthorizationService.applyAuthorizationPolicy(
-        account.space
-      );
-
-    return savedAccount;
+    return account;
   }
 
-  private extendAuthorizationPolicy(
-    authorization: IAuthorizationPolicy | undefined,
-    hostCredentials: ICredentialDefinition[]
-  ): IAuthorizationPolicy {
+  private async extendAuthorizationPolicy(
+    account: IAccount,
+    authorization: IAuthorizationPolicy | undefined
+  ): Promise<IAuthorizationPolicy> {
     if (!authorization) {
       throw new EntityNotInitializedException(
         'Authorization definition not found for account',
         LogContext.ACCOUNT
       );
     }
 
+    const hostCredentials = await this.accountHostService.getHostCredentials(
+      account
+    );
+
     const newRules: IAuthorizationPolicyRuleCredential[] = [];
     // By default it is world visible. TODO: work through the logic on this
     authorization.anonymousReadAccess = true;