Skip to content

fix-publisher routes are not blocked for read only user #1212

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

fix-publisher routes are not blocked for read only user #1212

Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
e164bf7
fix-publisher routes are not blocked for read only user
GavinHemsada Oct 31, 2025
edfd06d
fix-scopes create not found error
GavinHemsada Nov 3, 2025
cff0e9d
fix/scopes-create not found error.
GavinHemsada Nov 3, 2025
68b6de6
fix-user object not initialised
GavinHemsada Nov 4, 2025
a5c6647
fix: handle null user object and allow publishers to delete their API…
GavinHemsada Nov 6, 2025
c8b51d9
fix-pair this if statement and adding JSDoc comments to the isRestric…
GavinHemsada Nov 6, 2025
62d9caf
fix error.
GavinHemsada Nov 9, 2025
7dae15f
Merge branch 'main' into bug/routes-are-not-blocked
GavinHemsada Nov 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 11 additions & 3 deletions portals/publisher/src/main/webapp/source/src/app/data/AuthManager.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -199,11 +199,19 @@ class AuthManager {
}

/**
*
* @param {*} scopesAllowedToEdit
* @param {*} api
* Determines if a user is restricted from editing an API based on their scopes and the API's state.
*
* @param {string[]} scopesAllowedToEdit - Array of scope strings that are allowed to edit
* @param {Object} api - The API object containing apiType, lifeCycleStatus, etc.
* @param {string} [api.apiType] - Type of API (e.g., 'APIPRODUCT', 'MCP')
* @param {string} [api.lifeCycleStatus] - Lifecycle status (e.g., 'CREATED', 'PROTOTYPED')
* @returns {boolean} true if user is restricted, false if unrestricted
*/
static isRestricted(scopesAllowedToEdit, api = {}) {
// Block read-only users from any API modification operations
if(AuthManager.getUser() && AuthManager.isReadOnlyUser()){
return true;
}
// determines whether the apiType is API PRODUCT and user has publisher role, then allow access.
if (api.apiType === 'APIPRODUCT') {
if (AuthManager.getUser().scopes.includes('apim:api_publish')) {
Expand Down