Revert "feature/Just in Time Entitlements"

This reverts commit 41889520
2026-02-06 13:07:02 +00:00 · 2023-03-30 15:44:16 +02:00 · 2023-03-30 15:44:16 +02:00 · dc52d46c3f
commit dc52d46c3f
parent 4188952064
2 changed files with 5 additions and 39 deletions
--- a/obp-api/src/main/resources/props/sample.props.template
+++ b/obp-api/src/main/resources/props/sample.props.template
@ -838,13 +838,6 @@ featured_apis=elasticSearchWarehouseV300
 # i.e. instead of asking every user to have a Role, you can give the Role(s) to a Consumer in the form of a Scope
 # allow_entitlements_or_scopes=false
 # ---------------------------------------------------------------
- 
-# -- Just in Time Entitlements -------------------------------
-create_just_in_time_entitlements=false
-# if create_just_in_time_entitlements==true then do the following:
-# If a user is trying to use a Role and the user could grant them selves the required Role(s), 
-# then just automatically grant the Role(s)!
-# -------------------------------------------------------------

 # -- Database scheduler -----------------------------
 # Database scheduler interval in seconds.
--- a/obp-api/src/main/scala/code/api/util/APIUtil.scala
+++ b/obp-api/src/main/scala/code/api/util/APIUtil.scala
@ -2213,48 +2213,21 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
  // i.e. does user has assigned at least one role from the list
  // when roles is empty, that means no access control, treat as pass auth check
  def handleEntitlementsAndScopes(bankId: String, userId: String, consumerId: String, roles: List[ApiRole]): Boolean = {
-    
+    // Consumer AND User has the Role
    val requireScopesForListedRoles: List[String] = getPropsValue("require_scopes_for_listed_roles", "").split(",").toList
    val requireScopesForRoles: immutable.Seq[String] = roles.map(_.toString()) intersect requireScopesForListedRoles
-
-    def userHasTheRoles: Boolean = {
-      val userHasTheRole: Boolean = roles.isEmpty || roles.exists(hasEntitlement(bankId, userId, _))
-      userHasTheRole match {
-        case true => userHasTheRole // Just forward
-        case false =>
-          // If a user is trying to use a Role and the user could grant them selves the required Role(s),
-          // then just automatically grant the Role(s)!
-          getPropsAsBoolValue("create_just_in_time_entitlements", false) match {
-            case false => userHasTheRole // Just forward
-            case true => // Try to add missing roles
-              if (hasEntitlement(bankId, userId, ApiRole.canCreateEntitlementAtOneBank) ||
-                hasEntitlement("", userId, ApiRole.canCreateEntitlementAtAnyBank)) {
-                // Add missing roles
-                roles.map {
-                  role => 
-                    val addedEntitlement = Entitlement.entitlement.vend.addEntitlement(bankId, userId, role.toString())
-                    logger.info(s"Just in Time Entitlements: $addedEntitlement")
-                    addedEntitlement
-                }.forall(_.isDefined)
-              } else {
-                userHasTheRole // Just forward
-              }
-          }
-      }
-    }
-    // Consumer AND User has the Role
    if(ApiPropsWithAlias.requireScopesForAllRoles || !requireScopesForRoles.isEmpty) {
-      roles.isEmpty || (userHasTheRoles && roles.exists(hasScope(bankId, consumerId, _)))
+      roles.isEmpty || (roles.exists(hasEntitlement(bankId, userId, _)) && roles.exists(hasScope(bankId, consumerId, _)))
    } 
    // Consumer OR User has the Role
    else if(getPropsAsBoolValue("allow_entitlements_or_scopes", false)) {
-      roles.isEmpty ||
-        userHasTheRoles || 
+      roles.isEmpty || 
+        roles.exists(hasEntitlement(bankId, userId, _)) || 
        roles.exists(role => hasScope(if (role.requiresBankId) bankId else "", consumerId, role))
    }
    // User has the Role
    else {
-      userHasTheRoles
+      roles.isEmpty || roles.exists(hasEntitlement(bankId, userId, _))
    }
    
  }