For #2753: new ignore-admin-permissions parameter

orbeon · Nov 30, 2022 · 30f06fa · 30f06fa
1 parent 7a33f0d
commit 30f06fa
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 8 deletions.
diff --git a/form-runner/jvm/src/main/resources/apps/fr/home/home.xhtml b/form-runner/jvm/src/main/resources/apps/fr/home/home.xhtml
@@ -302,7 +302,7 @@
                 id="read-local-metadata"
                 method="get"
                 serialization="none"
-                resource="/fr/service/persistence/form?all-versions={$is-admin}"
+                resource="/fr/service/persistence/form?all-versions={$is-admin}&amp;ignore-admin-permissions={not($is-admin)}"
                 replace="instance"
                 targetref="instance('fr-metadata-local')">
 

diff --git a/form-runner/jvm/src/main/scala/org/orbeon/oxf/fr/FormBuilderPermissionsOps.scala b/form-runner/jvm/src/main/scala/org/orbeon/oxf/fr/FormBuilderPermissionsOps.scala
@@ -96,7 +96,11 @@ trait FormBuilderPermissionsOps {
    *  - annotates the `<form>` with an `operations="…"` attribute,
    *  - filters out forms the current user can perform no operation on.
    */
-  def filterFormsAndAnnotateWithOperations(formsEls: List[NodeInfo], allForms: Boolean): List[NodeInfo] = {
+  def filterFormsAndAnnotateWithOperations(
+    formsEls              : List[NodeInfo],
+    allForms              : Boolean,
+    ignoreAdminPermissions: Boolean
+  ): List[NodeInfo] = {
 
     // We only need one wrapper; create it when we encounter the first <form>
     var wrapperOpt: Option[DocumentWrapper] = None
@@ -118,7 +122,7 @@ trait FormBuilderPermissionsOps {
 
       val appName  = formEl.elemValue(Names.AppName)
       val formName = formEl.elemValue(Names.FormName)
-      val isAdmin  = {
+      val hasAdminPermissionForAppForm  = {
         def canAccessEverything = fbPermissions.contains("*")
         def canAccessAppForm = {
           val formsUserCanAccess = fbPermissions.getOrElse(appName, Set.empty)
@@ -129,16 +133,16 @@ trait FormBuilderPermissionsOps {
 
       // For each form, compute the operations the user can potentially perform
       val operations = {
-        val adminOperation = isAdmin.list("admin")
+        val adminOperation = hasAdminPermissionForAppForm.list("admin")
         val permissionsElement = formEl.child(Names.Permissions).headOption.orNull
         val otherOperations = FormRunner.allAuthorizedOperationsAssumingOwnerGroupMember(permissionsElement, appName, formName)
         adminOperation ++ otherOperations
       }
 
       // Is this form metadata returned by the API?
       val keepForm =
-        allForms ||                                // all forms are explicitly requested
-        isAdmin  ||                                // admins can see everything
+        allForms                                                   || // all forms are explicitly requested
+        (hasAdminPermissionForAppForm && ! ignoreAdminPermissions) || // admins can see everything
         ! (
           formName == Names.LibraryFormName ||     // filter libraries
           operations.isEmpty                ||     // filter forms on which user can't possibly do anything

diff --git a/...er/jvm/src/main/scala/org/orbeon/oxf/fr/persistence/proxy/PersistenceProxyProcessor.scala b/...er/jvm/src/main/scala/org/orbeon/oxf/fr/persistence/proxy/PersistenceProxyProcessor.scala
@@ -382,8 +382,9 @@ private object PersistenceProxyProcessor {
       root     = "forms",
       content  =
         FormRunner.filterFormsAndAnnotateWithOperations(
-          formsEls = allFormElements.flatten,
-          allForms = request.getFirstParamAsString("all-forms") contains "true"
+          formsEls               = allFormElements.flatten,
+          allForms               = request.getFirstParamAsString("all-forms")                contains "true",
+          ignoreAdminPermissions = request.getFirstParamAsString("ignore-admin-permissions") contains "true"
         ),
       response = response
     )