added an API call to revoke access to all the view on a bank account for a user

2026-02-06 10:47:23 +00:00 · 2013-06-06 15:50:13 +02:00 · 2013-06-06 15:50:13 +02:00 · 8fb5ab99aa
commit 8fb5ab99aa
parent 4d64b42983
4 changed files with 101 additions and 2 deletions
--- a/MavLift/src/main/scala/code/api/v1_2/OBPAPI1.2.scala
+++ b/MavLift/src/main/scala/code/api/v1_2/OBPAPI1.2.scala
@ -241,7 +241,7 @@ object OBPAPI1_2 extends OBPRestHelper with Loggable {
  })

  oauthServe(apiPrefix{
-  //delete access for specific user
+  //delete access for specific user to one view
    case "banks" :: bankId :: "accounts" :: accountId :: "users" :: userId :: "views" :: viewId :: Nil JsonDelete json => {
      user =>
        for {
@ -253,6 +253,19 @@ object OBPAPI1_2 extends OBPRestHelper with Loggable {
    }
  })

+  oauthServe(apiPrefix{
+  //delete access for specific user to all the views
+    case "banks" :: bankId :: "accounts" :: accountId :: "users" :: userId :: Nil JsonDelete json => {
+      user =>
+        for {
+          account <- BankAccount(bankId, accountId)
+          u <- user ?~ "user not found"
+          isRevoked <- account revokeAllPermission(u, userId)
+          if(isRevoked)
+        } yield noContentJsonResponse
+    }
+  })
+
  oauthServe(apiPrefix{
  //get other accounts for one account
    case "banks" :: bankId :: "accounts" :: accountId :: viewId :: "other_accounts" :: Nil JsonGet json => {
--- a/MavLift/src/main/scala/code/model/BankingData.scala
+++ b/MavLift/src/main/scala/code/model/BankingData.scala
@ -213,6 +213,26 @@ class BankAccount(
      Failure("user : " + user.emailAddress + " don't have access to owner view on account " + id, Empty, Empty)
  }

+  /**
+  *
+  * @param a user that want to revoke an other user access to a view
+  * @param the id of the other user that we want revoke access
+  * @return a Full(true) if everything is okay, a Failure otherwise
+  */
+  def revokeAllPermission(user : User, otherUserId : String) : Box[Boolean] = {
+    //check if the user have access to the owner view in this the account
+    if(authorizedAccess(Owner,Full(user)))
+      for{
+        otherUser <- User.findById(otherUserId) //check if the userId corresponds to a user
+        isRevoked <- LocalStorage.revokeAllPermission(id, otherUser) ?~ "could not revoke the privilege"
+      } yield isRevoked
+    else
+      Failure("user : " + user.emailAddress + " don't have access to owner view on account " + id, Empty, Empty)
+  }
+
+
+
+
  /**
  * @param the view that we want test the access to
  * @param the user that we want to see if he has access to the view or not
--- a/MavLift/src/main/scala/code/model/dataAccess/Connectors.scala
+++ b/MavLift/src/main/scala/code/model/dataAccess/Connectors.scala
@ -647,6 +647,29 @@ class MongoDBLocalStorage extends LocalStorage {
      }
    }
  }
+  def revokeAllPermission(bankAccountId : String, user : User) : Box[Boolean] = {
+    user match {
+      case user:OBPUser =>
+        for{
+          bankAccount <- HostedAccount.find(By(HostedAccount.accountID, bankAccountId))
+        } yield {
+            Privilege.find(By(Privilege.user, user.id), By(Privilege.account, bankAccount)) match {
+              case Full(privilege) => {
+                List(OurNetwork, Team, Board, Authorities, Owner, Management).foreach({view =>
+                  setPrivilegeFromView(privilege, view, false)
+                })
+                privilege.save
+              }
+              //there is no privilege to this user, so there is nothing to revoke
+              case _ => true
+            }
+          }
+      case u: User => {
+        logger.error("OBPUser instance not found, could not revoke access ")
+        Empty
+      }
+    }
+  }
  private def setPrivilegeFromView(privilege : Privilege, view : View, value : Boolean ) = {
    view match {
      case OurNetwork => privilege.ourNetworkPermission(value)
--- a/MavLift/src/test/scala/code/api/API12Test.scala
+++ b/MavLift/src/test/scala/code/api/API12Test.scala
@ -153,6 +153,7 @@ class API1_2Test extends ServerSetup{
  object GetPermission extends Tag("getPermission")
  object PostPermission extends Tag("postPermission")
  object DeletePermission extends Tag("deletePermission")
+  object DeletePermissions extends Tag("deletePermissions")
  object GetOtherBankAccounts extends Tag("getOtherBankAccounts")
  object GetOtherBankAccount extends Tag("getOtherBankAccount")
  object GetOtherBankAccountMetadata extends Tag("getOtherBankAccountMetadata")
@ -360,6 +361,16 @@ class API1_2Test extends ServerSetup{
    makeDeleteRequest(request)
  }

+  def revokeUserAccessToAllViews(bankId : String, accountId : String, userId : String) : h.HttpPackage[APIResponse]= {
+    val request = (v1_2Request / "banks" / bankId / "accounts" / accountId / "users"/ userId ).DELETE.<@(consumer,token)
+    makeDeleteRequest(request)
+  }
+
+  def revokeUserAccessToAllViewsWithoutOwnerAccess(bankId : String, accountId : String, userId : String) : h.HttpPackage[APIResponse]= {
+    val request = (v1_2Request / "banks" / bankId / "accounts" / accountId / "users"/ userId ).DELETE.<@(consumer,token3)
+    makeDeleteRequest(request)
+  }
+
  def getTheOtherBankAccounts(bankId : String, accountId : String, viewId : String) : h.HttpPackage[APIResponse] = {
    val request = v1_2Request / "banks" / bankId / "accounts" / accountId / viewId / "other_accounts" <@(consumer,token)
    makeGetRequest(request)
@ -1416,7 +1427,7 @@ class API1_2Test extends ServerSetup{
  }

  feature("Grant a user access to a view on a bank account"){
-    scenario("we will grant a user access to a view on an bank account", API1_2, PostPermission, CurrentTest) {
+    scenario("we will grant a user access to a view on an bank account", API1_2, PostPermission) {
      Given("We will use an access token")
      val bankId = randomBank
      val bankAccount : AccountJSON = randomPrivateAccount(bankId)
@ -1513,7 +1524,39 @@ class API1_2Test extends ServerSetup{
      reply.code should equal (400)
    }
  }
+  feature("Revoke a user access to all the views on a bank account"){
+    scenario("we will revoke the access of a user to all the views on an bank account", API1_2, DeletePermissions) {
+      Given("We will use an access token")
+      val bankId = randomBank
+      val bankAccount : AccountJSON = randomPrivateAccount(bankId)
+      val userId = urlEncode(user2.email)
+      When("the request is sent")
+      val reply = revokeUserAccessToAllViews(bankId, bankAccount.id, userId)
+      Then("we should get a 204 no content code")
+      reply.code should equal (204)
+    }

+    scenario("we cannot revoke the access to a user that does not exist", API1_2, DeletePermissions) {
+      Given("We will use an access token with a random user Id")
+      val bankId = randomBank
+      val bankAccount : AccountJSON = randomPrivateAccount(bankId)
+      When("the request is sent")
+      val reply = revokeUserAccessToAllViews(bankId, bankAccount.id, randomString(5))
+      Then("we should get a 400 ok code")
+      reply.code should equal (400)
+    }
+
+    scenario("we cannot revoke a user access to a view on an bank account because the user does not have owner view access", API1_2, DeletePermissions) {
+      Given("We will use an access token")
+      val bankId = randomBank
+      val bankAccount : AccountJSON = randomPrivateAccount(bankId)
+      val userId = urlEncode(user2.email)
+      When("the request is sent")
+      val reply = revokeUserAccessToAllViewsWithoutOwnerAccess(bankId, bankAccount.id, userId)
+      Then("we should get a 400 ok code")
+      reply.code should equal (400)
+    }
+  }
  feature("We get the list of the other bank accounts linked with a bank account"){
    scenario("we will get the other bank accounts of a bank account", API1_2, GetOtherBankAccounts) {
      Given("We will use an access token")