
Commit 9a540f3

committed
refactor(access-control): Update permissions for 'water.locations' to restrict access for AMP.Editor and allow for Geothermal.Admin
1 parent 9a07b2b commit 9a540f3

2 files changed

Lines changed: 24 additions & 10 deletions


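--- a/src/test/utils/accessControl.test.ts
+++ b/src/test/utils/accessControl.test.ts
@@ -101,7 +101,7 @@ const expectedAccessByScenario: Scenario[] = [
 {
 name: 'Geothermal.Admin',
 groups: ['Geothermal.Admin'],
-allowedResources: [],
+allowedResources: ['water.locations'],
 },
 {
 name: 'AMP.Viewer + Geothermal.Editor',
@@ -178,18 +178,32 @@ const specialResourceExpectations: Array<{
 expected: true,
 },
 {
-name: 'AMP editor can list water.locations',
+name: 'AMP editor cannot list water.locations',
 groups: ['AMP.Editor'],
 resource: 'water.locations',
 action: 'list',
+expected: false,
+},
+{
+name: 'AMP admin can list water.locations',
+groups: ['AMP.Admin'],
+resource: 'water.locations',
+action: 'list',
 expected: true,
 },
 {
-name: 'AMP editor can create water.locations',
+name: 'Geothermal admin can show water.locations',
+groups: ['Geothermal.Admin'],
+resource: 'water.locations',
+action: 'show',
+expected: true,
+},
+{
+name: 'AMP editor cannot create water.locations',
 groups: ['AMP.Editor'],
 resource: 'water.locations',
 action: 'create',
-expected: true,
+expected: false,
 },
 {
 name: 'AMP editor can manage water.wellinventoryform',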
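Review bot: The revocation for AMP.Editor on `water.locations` is pinned only for `list` and `create`, while the policy change in src/utils/accessControl.ts replaces the role set for all six actions. Adding denial cases for `show`, `edit`, `delete` and `manage`, for example `{ name: 'AMP editor cannot delete water.locations', groups: ['AMP.Editor'], resource: 'water.locations', action: 'delete', expected: false }`, would stop a later change that re-grants a write action from passing unnoticed. Geothermal.Admin is likewise asserted only for `show`, so its new write grants are not covered either way. The `specialResourceExpectations` array continues outside the hunk, so some of these cases may already exist there.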

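--- a/src/utils/accessControl.ts
+++ b/src/utils/accessControl.ts
@@ -102,12 +102,12 @@ const resourcePolicies: Record<string, ResourcePolicy> = {
 Sandbox: { list: adminRoles, show: adminRoles },
 geothermal: { list: geothermalViewerRoles, show: geothermalViewerRoles },
 'water.locations': {
-list: editorRoles,
-show: editorRoles,
-edit: editorRoles,
-create: editorRoles,
-delete: editorRoles,
-manage: editorRoles,
+list: ['AMP.Admin', 'Geothermal.Admin'],
+show: ['AMP.Admin', 'Geothermal.Admin'],
+edit: ['AMP.Admin', 'Geothermal.Admin'],
+create: ['AMP.Admin', 'Geothermal.Admin'],
+delete: ['AMP.Admin', 'Geothermal.Admin'],
+manage: ['AMP.Admin', 'Geothermal.Admin'],
 },
 'water.wellinventoryform': {
 list: editorRoles,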
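Review bot: The six actions on `'water.locations'` each repeat the literal `['AMP.Admin', 'Geothermal.Admin']`, while the neighbouring policies use named role sets (`adminRoles`, `editorRoles`, `geothermalViewerRoles`). A single constant such as `const waterLocationRoles = ['AMP.Admin', 'Geothermal.Admin'];` referenced by all six would keep one action from drifting to a wider set in a later edit. The change also gives Geothermal.Admin `edit`, `create`, `delete` and `manage`, not only read access; if the intent is visibility only, restrict that role to `list` and `show`. If this map gates only the client UI (the action names suggest so, but the hunk does not show it), the backend has to enforce the same revocation for AMP.Editor. The `resourcePolicies` object starts and ends outside the hunk.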
