From 8fb5ab99aac5b08880d3b06ebb7e112d7d08b4d2 Mon Sep 17 00:00:00 2001
From: Ayoub BENALI
Date: Thu, 6 Jun 2013 15:50:13 +0200
Subject: [PATCH] added an API call to revoke access to all the view on a bank account for a user

---
 .../main/scala/code/api/v1_2/OBPAPI1.2.scala | 15 ++++++-
 .../main/scala/code/model/BankingData.scala | 20 +++++++++
 .../code/model/dataAccess/Connectors.scala | 23 ++++++++++
 .../src/test/scala/code/api/API12Test.scala | 45 ++++++++++++++++++-
 4 files changed, 101 insertions(+), 2 deletions(-)

diff --git a/MavLift/src/main/scala/code/api/v1_2/OBPAPI1.2.scala b/MavLift/src/main/scala/code/api/v1_2/OBPAPI1.2.scala
index 6bd3aa93..654a7521 100644
--- a/MavLift/src/main/scala/code/api/v1_2/OBPAPI1.2.scala
+++ b/MavLift/src/main/scala/code/api/v1_2/OBPAPI1.2.scala
@@ -241,7 +241,7 @@ object OBPAPI1_2 extends OBPRestHelper with Loggable {
 })
 
 oauthServe(apiPrefix{
- //delete access for specific user
+ //delete access for specific user to one view
 case "banks" :: bankId :: "accounts" :: accountId :: "users" :: userId :: "views" :: viewId :: Nil JsonDelete json => {
 user =>
 for {
@@ -253,6 +253,19 @@ object OBPAPI1_2 extends OBPRestHelper with Loggable {
 }
 })
 
+ oauthServe(apiPrefix{
+ //delete access for specific user to all the views
+ case "banks" :: bankId :: "accounts" :: accountId :: "users" :: userId :: Nil JsonDelete json => {
+ user =>
+ for {
+ account <- BankAccount(bankId, accountId)
+ u <- user ?~ "user not found"
+ isRevoked <- account revokeAllPermission(u, userId)
+ if(isRevoked)
+ } yield noContentJsonResponse
+ }
+ })
+
 oauthServe(apiPrefix{
 //get other accounts for one account
 case "banks" :: bankId :: "accounts" :: accountId :: viewId :: "other_accounts" :: Nil JsonGet json => {
diff --git a/MavLift/src/main/scala/code/model/BankingData.scala b/MavLift/src/main/scala/code/model/BankingData.scala
index 06f820b6..be2aa046 100644
--- a/MavLift/src/main/scala/code/model/BankingData.scala
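Review bot: In the new all-views route the account is resolved before the caller is checked (`account <- BankAccount(bankId, accountId)` runs before `u <- user ?~ "user not found"`), so a request with no valid user receives the account-lookup failure when the account does not exist and "user not found" when it does; if those Failure messages reach the response body, an unauthenticated caller can tell existing bank/account ids from non-existing ones. Making `u <- user ?~ "user not found"` the first generator removes that difference at no cost. Separately, the bare `if(isRevoked)` guard turns a `Full(false)` from the storage layer (a failed save) into a message-less `Empty`, so that failure reaches the client with no explanation; replacing the guard with `_ <- (if (isRevoked) Full(true) else Failure("could not revoke the privilege"))` keeps the behaviour but names the cause. The single-view route just above appears to order its generators the same way, but its body is cut off by the first hunk.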
+++ b/MavLift/src/main/scala/code/model/BankingData.scala @@ -213,6 +213,26 @@ class BankAccount( Failure("user : " + user.emailAddress + " don't have access to owner view on account " + id, Empty, Empty) } + /** + * + * @param a user that want to revoke an other user access to a view + * @param the id of the other user that we want revoke access + * @return a Full(true) if everything is okay, a Failure otherwise + */ + def revokeAllPermission(user : User, otherUserId : String) : Box[Boolean] = { + //check if the user have access to the owner view in this the account + if(authorizedAccess(Owner,Full(user))) + for{ + otherUser <- User.findById(otherUserId) //check if the userId corresponds to a user + isRevoked <- LocalStorage.revokeAllPermission(id, otherUser) ?~ "could not revoke the privilege" + } yield isRevoked + else + Failure("user : " + user.emailAddress + " don't have access to owner view on account " + id, Empty, Empty) + } + + + + /** * @param the view that we want test the access to * @param the user that we want to see if he has access to the view or not diff --git a/MavLift/src/main/scala/code/model/dataAccess/Connectors.scala b/MavLift/src/main/scala/code/model/dataAccess/Connectors.scala index 9fdfdc23..c76dc254 100644 --- a/MavLift/src/main/scala/code/model/dataAccess/Connectors.scala +++ b/MavLift/src/main/scala/code/model/dataAccess/Connectors.scala 
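Review bot: The Scaladoc on `revokeAllPermission` writes its `@param` tags without the parameter name (`@param a user that want...`, `@param the id of the other user...`), so neither tag attaches to a parameter; they should read `@param user the caller, who must have access to the owner view of this account` and `@param otherUserId the id of the user whose access to every view is revoked`. Nothing in the method stops `user` from naming themselves as `otherUserId`, which on an account where they are the only holder of the owner view leaves nobody able to manage it; whether that is allowed is a product decision, but it deserves either a guard or a comment stating it is intentional. The `User.findById(otherUserId)` generator carries no `?~` message, so an unknown id surfaces whatever that lookup returns rather than a description of the problem; `?~ "user not found"`, as the API layer already uses, would make the resulting 400 self-explanatory. The four blank added lines after the closing brace can be dropped.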
@@ -647,6 +647,29 @@ class MongoDBLocalStorage extends LocalStorage {
 }
 }
 }
+ def revokeAllPermission(bankAccountId : String, user : User) : Box[Boolean] = {
+ user match {
+ case user:OBPUser =>
+ for{
+ bankAccount <- HostedAccount.find(By(HostedAccount.accountID, bankAccountId))
+ } yield {
+ Privilege.find(By(Privilege.user, user.id), By(Privilege.account, bankAccount)) match {
+ case Full(privilege) => {
+ List(OurNetwork, Team, Board, Authorities, Owner, Management).foreach({view =>
+ setPrivilegeFromView(privilege, view, false)
+ })
+ privilege.save
+ }
+ //there is no privilege to this user, so there is nothing to revoke
+ case _ => true
+ }
+ }
+ case u: User => {
+ logger.error("OBPUser instance not found, could not revoke access ")
+ Empty
+ }
+ }
+ }
 private def setPrivilegeFromView(privilege : Privilege, view : View, value : Boolean ) = {
 view match {
 case OurNetwork => privilege.ourNetworkPermission(value)
diff --git a/MavLift/src/test/scala/code/api/API12Test.scala b/MavLift/src/test/scala/code/api/API12Test.scala
index 923e5a98..1810b681 100644
--- a/MavLift/src/test/scala/code/api/API12Test.scala
+++ b/MavLift/src/test/scala/code/api/API12Test.scala
@@ -153,6 +153,7 @@ class API1_2Test extends ServerSetup{
 object GetPermission extends Tag("getPermission")
 object PostPermission extends Tag("postPermission")
 object DeletePermission extends Tag("deletePermission")
+ object DeletePermissions extends Tag("deletePermissions")
 object GetOtherBankAccounts extends Tag("getOtherBankAccounts")
 object GetOtherBankAccount extends Tag("getOtherBankAccount")
 object GetOtherBankAccountMetadata extends Tag("getOtherBankAccountMetadata")
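Review bot: The hard-coded `List(OurNetwork, Team, Board, Authorities, Owner, Management)` in `revokeAllPermission` restates the cases of `setPrivilegeFromView` directly below it; a view added to one and not the other leaves a permission this call does not clear while `privilege.save` still reports success, which is the wrong failure mode for a revocation. Hoisting the list into a single `private val AllViews` shared by both (or deriving it from the view definition, if `View` is a sealed hierarchy — I cannot see it here) keeps the two from drifting. The inner `case user:OBPUser =>` shadows the `user` parameter, which is legal but makes the `user.id` in the `Privilege.find` easy to misread; a distinct name such as `obpUser` would help. The `case u: User =>` branch only logs and returns `Empty`, which the caller in `BankAccount` wraps as "could not revoke the privilege", so the client does get an error, but the log line is the only record of the real cause.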
@@ -360,6 +361,16 @@ class API1_2Test extends ServerSetup{
 makeDeleteRequest(request)
 }
 
+ def revokeUserAccessToAllViews(bankId : String, accountId : String, userId : String) : h.HttpPackage[APIResponse]= {
+ val request = (v1_2Request / "banks" / bankId / "accounts" / accountId / "users"/ userId ).DELETE.<@(consumer,token)
+ makeDeleteRequest(request)
+ }
+
+ def revokeUserAccessToAllViewsWithoutOwnerAccess(bankId : String, accountId : String, userId : String) : h.HttpPackage[APIResponse]= {
+ val request = (v1_2Request / "banks" / bankId / "accounts" / accountId / "users"/ userId ).DELETE.<@(consumer,token3)
+ makeDeleteRequest(request)
+ }
+
 def getTheOtherBankAccounts(bankId : String, accountId : String, viewId : String) : h.HttpPackage[APIResponse] = {
 val request = v1_2Request / "banks" / bankId / "accounts" / accountId / viewId / "other_accounts" <@(consumer,token)
 makeGetRequest(request)
@@ -1416,7 +1427,7 @@ class API1_2Test extends ServerSetup{
 }
 
 feature("Grant a user access to a view on a bank account"){
- scenario("we will grant a user access to a view on an bank account", API1_2, PostPermission, CurrentTest) {
+ scenario("we will grant a user access to a view on an bank account", API1_2, PostPermission) {
 Given("We will use an access token")
 val bankId = randomBank
 val bankAccount : AccountJSON = randomPrivateAccount(bankId)
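Review bot: `revokeUserAccessToAllViewsWithoutOwnerAccess` repeats `revokeUserAccessToAllViews` line for line, differing only in `token3` versus `token`; one helper that takes the token as a parameter (defaulting to `token`) would remove the copy, though I cannot see how `token` and `token3` are declared, so the parameter type is for you to fill in. Both new signatures end in `: h.HttpPackage[APIResponse]= {`, missing the space before `=` that the neighbouring `getTheOtherBankAccounts` has. A one-line comment on the second helper saying what `token3` represents (a user without owner-view access, judging by the name) would spare the next reader a search.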
@@ -1513,7 +1524,39 @@ class API1_2Test extends ServerSetup{
 reply.code should equal (400)
 }
 }
+ feature("Revoke a user access to all the views on a bank account"){
+ scenario("we will revoke the access of a user to all the views on an bank account", API1_2, DeletePermissions) {
+ Given("We will use an access token")
+ val bankId = randomBank
+ val bankAccount : AccountJSON = randomPrivateAccount(bankId)
+ val userId = urlEncode(user2.email)
+ When("the request is sent")
+ val reply = revokeUserAccessToAllViews(bankId, bankAccount.id, userId)
+ Then("we should get a 204 no content code")
+ reply.code should equal (204)
+ }
 
+ scenario("we cannot revoke the access to a user that does not exist", API1_2, DeletePermissions) {
+ Given("We will use an access token with a random user Id")
+ val bankId = randomBank
+ val bankAccount : AccountJSON = randomPrivateAccount(bankId)
+ When("the request is sent")
+ val reply = revokeUserAccessToAllViews(bankId, bankAccount.id, randomString(5))
+ Then("we should get a 400 ok code")
+ reply.code should equal (400)
+ }
+
+ scenario("we cannot revoke a user access to a view on an bank account because the user does not have owner view access", API1_2, DeletePermissions) {
+ Given("We will use an access token")
+ val bankId = randomBank
+ val bankAccount : AccountJSON = randomPrivateAccount(bankId)
+ val userId = urlEncode(user2.email)
+ When("the request is sent")
+ val reply = revokeUserAccessToAllViewsWithoutOwnerAccess(bankId, bankAccount.id, userId)
+ Then("we should get a 400 ok code")
+ reply.code should equal (400)
+ }
+ }
 feature("We get the list of the other bank accounts linked with a bank account"){
 scenario("we will get the other bank accounts of a bank account", API1_2, GetOtherBankAccounts) {
 Given("We will use an access token")
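Review bot: The 204 scenario never checks that user2's access was actually removed, and since the storage layer answers `true` when it finds no `Privilege` row for the user, the request returns 204 even when user2 had no view on that account to begin with; an implementation that revokes nothing would pass this test. Grant user2 a view first (the helper the "Grant a user access" feature uses) and, after the 204, assert that the user's permissions on the account are empty. The `Then` text in both failure scenarios reads `400 ok code`; `400 bad request code` matches what is asserted. The third scenario relies on `token3` belonging to a caller without owner-view access, which is visible only from the helper's name, so a `Given("We will use an access token of a user without owner view access")` step text would make the intent explicit.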