refactor/remove hasOwnerViewAccess replace with specific view permissions -- added canUpdateBankAccountLabel_ permission

2026-02-06 15:06:50 +00:00 · 2023-06-23 00:17:52 +08:00 · 2023-06-23 00:17:52 +08:00 · 5d6e395e1e
commit 5d6e395e1e
parent 4443139cf9
10 changed files with 59 additions and 18 deletions
--- a/obp-api/src/main/scala/code/api/util/ErrorMessages.scala
+++ b/obp-api/src/main/scala/code/api/util/ErrorMessages.scala
@ -467,6 +467,7 @@ object ErrorMessages {

  val DeleteCounterpartyError = "OBP-30317: Could not delete the Counterparty."
  val DeleteCounterpartyMetadataError = "OBP-30318: Could not delete CounterpartyMetadata"
+  val UpdateBankAccountLabelError = "OBP-30319: Could not update Bank Account Label."
  
  // Branch related messages
  val BranchesNotFoundLicense = "OBP-32001: No branches available. License may not be set."
--- a/obp-api/src/main/scala/code/api/util/migration/MigrationOfViewDefinitionPermissions.scala
+++ b/obp-api/src/main/scala/code/api/util/migration/MigrationOfViewDefinitionPermissions.scala
@ -23,6 +23,7 @@ object MigrationOfViewDefinitionPermissions {
            .canSeeTransactionRequestTypes_(true)
            .canSeeTransactionRequests_(true)
            .canSeeAvailableViewsForBankAccount_(true)
+            .canUpdateBankAccountLabel_(true)
            .save
        ).head

@ -35,6 +36,7 @@ object MigrationOfViewDefinitionPermissions {
             |${ViewDefinition.canSeeTransactionRequestTypes_.dbColumnName}
             |${ViewDefinition.canSeeTransactionRequests_.dbColumnName}
             |${ViewDefinition.canSeeAvailableViewsForBankAccount_.dbColumnName}
+             |${ViewDefinition.canUpdateBankAccountLabel_.dbColumnName}
             |Duration: ${endDate - startDate} ms;
             """.stripMargin
        saveLog(name, commitId, isSuccessful, startDate, endDate, comment)
--- a/obp-api/src/main/scala/code/api/v1_2_1/APIMethods121.scala
+++ b/obp-api/src/main/scala/code/api/v1_2_1/APIMethods121.scala
@ -494,8 +494,21 @@ trait APIMethods121 {
            (Full(u), callContext) <- authenticatedAccess(cc)
            json <- NewStyle.function.tryons(InvalidJsonFormat, 400, callContext) { json.extract[UpdateAccountJSON] }
            (account, callContext) <- NewStyle.function.checkBankAccountExists(bankId, accountId, callContext)
+            anyViewContainsCanUpdateBankAccountLabelPermission = Views.views.vend.permission(BankIdAccountId(account.bankId, account.accountId), u)
+              .map(_.views.map(_.canUpdateBankAccountLabel).find(_.==(true)).getOrElse(false)).getOrElse(false)
+            _ <- Helper.booleanToFuture(
+              s"${ErrorMessages.ViewDoesNotPermitAccess} You need the `${ViewDefinition.canUpdateBankAccountLabel_.dbColumnName}` permission on any your views",
+              cc = callContext
+            ) {
+              anyViewContainsCanUpdateBankAccountLabelPermission
+            }
+            (success, callContext) <- Future{
+              Connector.connector.vend.updateAccountLabel(bankId, accountId, json.label)
+            } map { i =>
+              (unboxFullOrFail(i, callContext, 
+                s"$UpdateBankAccountLabelError Current BankId is $bankId and Current AccountId is $accountId", 404), callContext)
+            }
          } yield {
-            account.updateLabel(u, json.label,callContext)
            (successMessage, HttpCode.`200`(callContext))
          }
      }
--- a/obp-api/src/main/scala/code/api/v4_0_0/APIMethods400.scala
+++ b/obp-api/src/main/scala/code/api/v4_0_0/APIMethods400.scala
@ -2779,8 +2779,20 @@ trait APIMethods400 {
            json <- NewStyle.function.tryons(failMsg, 400, callContext) {
              json.extract[UpdateAccountJsonV400]
            }
+            anyViewContainsCanUpdateBankAccountLabelPermission = Views.views.vend.permission(BankIdAccountId(account.bankId, account.accountId), u)
+              .map(_.views.map(_.canUpdateBankAccountLabel).find(_.==(true)).getOrElse(false)).getOrElse(false)
+            _ <- Helper.booleanToFuture(
+              s"${ErrorMessages.ViewDoesNotPermitAccess} You need the `${ViewDefinition.canUpdateBankAccountLabel_.dbColumnName}` permission on any your views",
+              cc = callContext
+            ) {
+              anyViewContainsCanUpdateBankAccountLabelPermission
+            }
+            (success, callContext) <- Future {
+              Connector.connector.vend.updateAccountLabel(bankId, accountId, json.label)
+            } map { i =>
+              (unboxFullOrFail(i, callContext, s"$UpdateBankAccountLabelError Current BankId is $bankId and Current AccountId is $accountId", 404), callContext)
+            }
          } yield {
-            account.updateLabel(u, json.label, callContext)
            (Extraction.decompose(successMessage), HttpCode.`200`(callContext))
          }
      }
--- a/obp-api/src/main/scala/code/model/BankingData.scala
+++ b/obp-api/src/main/scala/code/model/BankingData.scala
@ -162,15 +162,7 @@ case class BankAccountExtended(val bankAccount: BankAccount) extends MdcLoggable
      Failure(UserNoOwnerView+"user's email : " + user.emailAddress + ". account : " + accountId, Empty, Empty)
    }
  }
-
-  final def updateLabel(user : User, label : String, callContext: Option[CallContext]): Box[Boolean] = {
-    if(user.hasOwnerViewAccess(BankIdAccountId(bankId, accountId), callContext)){
-      Connector.connector.vend.updateAccountLabel(bankId, accountId, label)
-    } else {
-      Failure(UserNoOwnerView+"user's email : " + user.emailAddress + ". account : " + accountId, Empty, Empty)
-    }
-  }
-
+  
  /**
    * Note: There are two types of account-owners in OBP: the OBP users and the customers(in a real bank, these should from Main Frame)
    *
--- a/obp-api/src/main/scala/code/model/dataAccess/MappedView.scala
+++ b/obp-api/src/main/scala/code/model/dataAccess/MappedView.scala
@ -271,6 +271,9 @@ class ViewImpl extends View with LongKeyedMapper[ViewImpl] with ManyToMany with
  object canSeeBankAccountLabel_ extends MappedBoolean(this){
    override def defaultValue = false
  }
+  object canUpdateBankAccountLabel_ extends MappedBoolean(this){
+    override def defaultValue = false
+  }
  object canSeeBankAccountNationalIdentifier_ extends MappedBoolean(this){
    override def defaultValue = false
  }
@ -485,6 +488,7 @@ class ViewImpl extends View with LongKeyedMapper[ViewImpl] with ManyToMany with
  def canSeeBankAccountCurrency : Boolean = canSeeBankAccountCurrency_.get
  def canQueryAvailableFunds : Boolean = canQueryAvailableFunds_.get
  def canSeeBankAccountLabel : Boolean = canSeeBankAccountLabel_.get
+  def canUpdateBankAccountLabel : Boolean = canUpdateBankAccountLabel_.get
  def canSeeBankAccountNationalIdentifier : Boolean = canSeeBankAccountNationalIdentifier_.get
  def canSeeBankAccountSwift_bic : Boolean = canSeeBankAccountSwift_bic_.get
  def canSeeBankAccountIban : Boolean = canSeeBankAccountIban_.get
--- a/obp-api/src/main/scala/code/views/MapperViews.scala
+++ b/obp-api/src/main/scala/code/views/MapperViews.scala
@ -793,6 +793,7 @@ object MapperViews extends Views with MdcLoggable {
      .canSeeAvailableViewsForBankAccount_(false)
      .canSeeTransactionRequests_(true)
      .canSeeTransactionRequestTypes_(true)
+      .canUpdateBankAccountLabel_(true)

    viewId match {
      case SYSTEM_OWNER_VIEW_ID =>
@ -879,16 +880,16 @@ object MapperViews extends Views with MdcLoggable {
      canAddPrivateAlias_(true).
      canAddCounterparty_(true).
      canGetCounterparty_(true).
-      canDeleteCounterparty_(true).
-      canDeleteCorporateLocation_(true).
-      canDeletePhysicalLocation_(true).
+      canDeleteCounterparty_(false).
+      canDeleteCorporateLocation_(false).
+      canDeletePhysicalLocation_(false).
      canEditOwnerComment_(true).
      canAddComment_(true).
-      canDeleteComment_(true).
+      canDeleteComment_(false).
      canAddTag_(true).
-      canDeleteTag_(true).
+      canDeleteTag_(false).
      canAddImage_(true).
-      canDeleteImage_(true).
+      canDeleteImage_(false).
      canAddWhereTag_(true).
      canSeeWhereTag_(true).
      canSeeBankRoutingScheme_(true). //added following in V300
@ -900,7 +901,10 @@ object MapperViews extends Views with MdcLoggable {
      canSeeOtherAccountRoutingScheme_(true).
      canSeeOtherAccountRoutingAddress_(true).
      canAddTransactionRequestToOwnAccount_(false). //added following two for payments
-      canAddTransactionRequestToAnyAccount_(false)
+      canAddTransactionRequestToAnyAccount_(false).
+      canSeeTransactionRequests_(false).
+      canSeeTransactionRequestTypes_(false).
+      canUpdateBankAccountLabel_(false)
  }

  def createAndSaveDefaultPublicCustomView(bankId : BankId, accountId: AccountId, description: String) : Box[View] = {
--- a/obp-api/src/main/scala/code/views/system/ViewDefinition.scala
+++ b/obp-api/src/main/scala/code/views/system/ViewDefinition.scala
@ -126,6 +126,9 @@ class ViewDefinition extends View with LongKeyedMapper[ViewDefinition] with Many
  object canSeeBankAccountLabel_ extends MappedBoolean(this){
    override def defaultValue = false
  }
+  object canUpdateBankAccountLabel_ extends MappedBoolean(this){
+    override def defaultValue = false
+  }
  object canSeeBankAccountNationalIdentifier_ extends MappedBoolean(this){
    override def defaultValue = false
  }
@ -403,6 +406,10 @@ class ViewDefinition extends View with LongKeyedMapper[ViewDefinition] with Many
    canSeeBankAccountCreditLimit_(actions.exists(_ == "can_see_bank_account_credit_limit"))
    canCreateDirectDebit_(actions.exists(_ == "can_create_direct_debit"))
    canCreateStandingOrder_(actions.exists(_ == "can_create_standing_order"))
+    canSeeTransactionRequests_(actions.exists(_ == "can_see_transaction_requests"))
+    canSeeTransactionRequestTypes_(actions.exists(_ == "can_see_transaction_request_types"))
+    canUpdateBankAccountLabel_(actions.exists(_ == "can_update_bank_account_label"))
+    canSeeAvailableViewsForBankAccount_(actions.exists(_ == "can_see_available_views_for_bank_account"))
  }

  
@ -471,6 +478,7 @@ class ViewDefinition extends View with LongKeyedMapper[ViewDefinition] with Many
  def canSeeBankAccountCurrency : Boolean = canSeeBankAccountCurrency_.get
  def canQueryAvailableFunds : Boolean = canQueryAvailableFunds_.get
  def canSeeBankAccountLabel : Boolean = canSeeBankAccountLabel_.get
+  def canUpdateBankAccountLabel : Boolean = canUpdateBankAccountLabel_.get
  def canSeeBankAccountNationalIdentifier : Boolean = canSeeBankAccountNationalIdentifier_.get
  def canSeeBankAccountSwift_bic : Boolean = canSeeBankAccountSwift_bic_.get
  def canSeeBankAccountIban : Boolean = canSeeBankAccountIban_.get
--- a/obp-api/src/test/scala/code/setup/TestConnectorSetupWithStandardPermissions.scala
+++ b/obp-api/src/test/scala/code/setup/TestConnectorSetupWithStandardPermissions.scala
@ -131,6 +131,10 @@ trait TestConnectorSetupWithStandardPermissions extends TestConnectorSetup {
              canAddTransactionRequestToOwnAccount_(false). //added following two for payments
              canAddTransactionRequestToAnyAccount_(false).
              canSeeBankAccountCreditLimit_(true).
+              canSeeTransactionRequests_(false).
+              canSeeTransactionRequestTypes_(false).
+              canUpdateBankAccountLabel_(false).
+              canSeeAvailableViewsForBankAccount_(false).
              saveMe
          }
        }
--- a/obp-commons/src/main/scala/com/openbankproject/commons/model/ViewModel.scala
+++ b/obp-commons/src/main/scala/com/openbankproject/commons/model/ViewModel.scala
@ -297,6 +297,7 @@ trait View {
  def canSeeBankAccountOwners: Boolean

  def canSeeBankAccountType: Boolean
+  def canUpdateBankAccountLabel: Boolean

  def canSeeBankAccountBalance: Boolean