Add update permission on GroupPermission to allow updates to userGrou…

…p assigned permissions

src/inttest/java/com/faforever/api/data/GroupPermissionTest.java

@@ -0,0 +1,83 @@
+package com.faforever.api.data;
+
+import com.faforever.api.AbstractIntegrationTest;
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
+import org.junit.jupiter.api.Test;
+import org.springframework.http.HttpHeaders;
+import org.springframework.test.context.jdbc.Sql;
+import org.springframework.test.context.jdbc.Sql.ExecutionPhase;
+
+import static com.faforever.api.data.JsonApiMediaType.JSON_API_MEDIA_TYPE;
+import static org.hamcrest.Matchers.hasSize;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@Sql(executionPhase = ExecutionPhase.BEFORE_TEST_METHOD, scripts = "classpath:sql/truncateTables.sql")
+@Sql(executionPhase = ExecutionPhase.BEFORE_TEST_METHOD, scripts = "classpath:sql/prepDefaultData.sql")
+public class GroupPermissionTest extends AbstractIntegrationTest {
+  private static final String testPost = """
+  {
+      "data": {
+          "type": "groupPermission",
+          "attributes": {
+              "technicalName": "test",
+              "nameKey": "test"
+          }
+      }
+  }
+  """;
+
+  @Test
+  public void emptyResultWithoutScope() throws Exception {
+    mockMvc.perform(get("/data/groupPermission")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_READ_USER_GROUP)))
+      .andExpect(status().isOk())
+      .andExpect(jsonPath("$.data", hasSize(0)));
+  }
+
+  @Test
+  public void emptyResultWithoutRole() throws Exception {
+    mockMvc.perform(get("/data/groupPermission")
+      .with(getOAuthTokenWithTestUser(OAuthScope._READ_SENSIBLE_USERDATA, NO_AUTHORITIES)))
+      .andExpect(status().isOk())
+      .andExpect(jsonPath("$.data", hasSize(0)));
+  }
+
+  @Test
+  public void canReadPermissionsWithScopeAndRole() throws Exception {
+    mockMvc.perform(get("/data/groupPermission")
+      .with(getOAuthTokenWithTestUser(OAuthScope._READ_SENSIBLE_USERDATA, GroupPermission.ROLE_READ_USER_GROUP)))
+      .andExpect(status().isOk())
+      .andExpect(jsonPath("$.data", hasSize(23)));
+  }
+
+  @Test
+  public void cannotCreatePermissionWithoutScope() throws Exception {
+    mockMvc.perform(post("/data/groupPermission")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_WRITE_USER_GROUP))
+      .header(HttpHeaders.CONTENT_TYPE, JSON_API_MEDIA_TYPE)
+      .content(testPost))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void cannotCreatePermissionWithoutRole() throws Exception {
+    mockMvc.perform(post("/data/groupPermission")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES))
+      .header(HttpHeaders.CONTENT_TYPE, JSON_API_MEDIA_TYPE)
+      .content(testPost))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void cannotCreatePermissionWithScopeAndRole() throws Exception {
+    mockMvc.perform(post("/data/groupPermission")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_WRITE_USER_GROUP))
+      .header(HttpHeaders.CONTENT_TYPE, JSON_API_MEDIA_TYPE)
+      .content(testPost))
+      .andExpect(status().isForbidden());
+  }
+}

src/inttest/java/com/faforever/api/data/UserGroupTest.java

@@ -0,0 +1,163 @@
+package com.faforever.api.data;
+
+import com.faforever.api.AbstractIntegrationTest;
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.security.OAuthScope;
+import org.junit.jupiter.api.Test;
+import org.springframework.http.HttpHeaders;
+import org.springframework.test.context.jdbc.Sql;
+import org.springframework.test.context.jdbc.Sql.ExecutionPhase;
+
+import static com.faforever.api.data.JsonApiMediaType.JSON_API_MEDIA_TYPE;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.patch;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@Sql(executionPhase = ExecutionPhase.BEFORE_TEST_METHOD, scripts = "classpath:sql/truncateTables.sql")
+@Sql(executionPhase = ExecutionPhase.BEFORE_TEST_METHOD, scripts = "classpath:sql/prepDefaultData.sql")
+public class UserGroupTest extends AbstractIntegrationTest {
+  private static final String testPatch = """
+    {
+      "data": {
+          "type": "userGroup",
+          "id": "3",
+          "attributes": {
+              "public": false
+          },
+          "relationships": {
+              "members": {
+                  "data": [{
+                          "type": "player",
+                          "id": "1"
+                      }, {
+                          "type": "player",
+                          "id": "2"
+                      }
+                  ]
+              },
+              "permissions": {
+                  "data": [{
+                          "type": "groupPermission",
+                          "id": "17"
+                      }, {
+                          "type": "groupPermission",
+                          "id": "19"
+                      }
+                  ]
+              }
+          }
+      }
+    }
+    """;
+
+  private static final String testPost = """
+    {
+      "data": {
+          "type": "userGroup",
+          "attributes": {
+              "technicalName": "faf_test",
+              "nameKey": "faf.test",
+              "public": false
+          },
+          "relationships": {
+              "members": {
+                  "data": []
+              },
+              "permissions": {
+                  "data": [{
+                          "type": "groupPermission",
+                          "id": "17"
+                      }, {
+                          "type": "groupPermission",
+                          "id": "19"
+                      }
+                  ]
+              }
+          }
+      }
+    }
+    """;
+
+  @Test
+  public void canSeePublicGroupWithoutScope() throws Exception {
+    mockMvc.perform(get("/data/userGroup/4")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES)))
+      .andExpect(status().isOk());
+  }
+
+  @Test
+  public void cannotSeePrivateGroupWithoutScope() throws Exception {
+    mockMvc.perform(get("/data/userGroup/5")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, NO_AUTHORITIES)))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void cannotSeePrivateGroupWithoutRole() throws Exception {
+    mockMvc.perform(get("/data/userGroup/5")
+      .with(getOAuthTokenWithTestUser(OAuthScope._READ_SENSIBLE_USERDATA, NO_AUTHORITIES)))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void canSeePrivateGroupWithScopeAndRole() throws Exception {
+    mockMvc.perform(get("/data/userGroup/5")
+      .with(getOAuthTokenWithTestUser(OAuthScope._READ_SENSIBLE_USERDATA, GroupPermission.ROLE_READ_USER_GROUP)))
+      .andExpect(status().isOk());
+  }
+
+  @Test
+  public void cannotCreateUserGroupWithoutScope() throws Exception {
+    mockMvc.perform(post("/data/userGroup")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_READ_USER_GROUP))
+      .header(HttpHeaders.CONTENT_TYPE, JSON_API_MEDIA_TYPE)
+      .content(testPost))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void cannotCreateUserGroupWithoutRole() throws Exception {
+    mockMvc.perform(post("/data/userGroup")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES))
+      .header(HttpHeaders.CONTENT_TYPE, JSON_API_MEDIA_TYPE)
+      .content(testPost))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void canCreateUserGroupWithScopeAndRole() throws Exception {
+    mockMvc.perform(post("/data/userGroup")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_WRITE_USER_GROUP))
+      .header(HttpHeaders.CONTENT_TYPE, JSON_API_MEDIA_TYPE)
+      .content(testPost))
+      .andExpect(status().isCreated());
+  }
+
+  @Test
+  public void cannotUpdateUserGroupWithoutScope() throws Exception {
+    mockMvc.perform(patch("/data/userGroup/3")
+      .with(getOAuthTokenWithTestUser(NO_SCOPE, GroupPermission.ROLE_WRITE_USER_GROUP))
+      .header(HttpHeaders.CONTENT_TYPE, JSON_API_MEDIA_TYPE)
+      .content(testPatch))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void cannotUpdateUserGroupWithoutRole() throws Exception {
+    mockMvc.perform(patch("/data/userGroup/3")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, NO_AUTHORITIES))
+      .header(HttpHeaders.CONTENT_TYPE, JSON_API_MEDIA_TYPE)
+      .content(testPatch))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  public void canUpdateUserGroupWithScopeAndRole() throws Exception {
+    mockMvc.perform(patch("/data/userGroup/3")
+      .with(getOAuthTokenWithTestUser(OAuthScope._ADMINISTRATIVE_ACTION, GroupPermission.ROLE_WRITE_USER_GROUP))
+      .header(HttpHeaders.CONTENT_TYPE, JSON_API_MEDIA_TYPE)
+      .content(testPatch))
+      .andExpect(status().isNoContent());
+  }
+}

src/inttest/resources/sql/prepDefaultData.sql

@@ -17,7 +17,8 @@ INSERT INTO user_group (id, technical_name, name_key, parent_group_id, public)
 VALUES (1, 'ADMINISTRATOR', 'administrator', null, true),
        (2, 'MODERATOR', 'moderator', null, true),
        (3, 'faf_server_administrators', 'user_group.faf.server_administrators', null, true),
-       (4, 'faf_moderators_global', 'user_group.faf.moderators.global', null, true);
+       (4, 'faf_moderators_global', 'user_group.faf.moderators.global', null, true),
+       (5, 'faf_illuminati', 'user_group.faf.illuminati', null, false);
 
 INSERT INTO user_group (technical_name, name_key, public, parent_group_id)
 VALUES ('', 'user_group.faf.server_administrators', 1, @devops_id);

src/main/java/com/faforever/api/data/domain/GroupPermission.java

@@ -1,8 +1,10 @@
 package com.faforever.api.data.domain;
 
 import com.faforever.api.security.elide.permission.ReadUserGroupCheck;
+import com.faforever.api.security.elide.permission.WriteUserGroupCheck;
 import com.yahoo.elide.annotation.Include;
 import com.yahoo.elide.annotation.ReadPermission;
+import com.yahoo.elide.annotation.UpdatePermission;
 import lombok.Setter;
 import org.springframework.security.core.GrantedAuthority;
 
@@ -72,6 +74,7 @@ public String getNameKey() {
   }
 
   @ManyToMany(mappedBy = "permissions")
+  @UpdatePermission(expression = WriteUserGroupCheck.EXPRESSION)
   public Set<UserGroup> getUserGroups() {
     return userGroups;
   }

src/main/java/com/faforever/api/data/domain/UserGroup.java

@@ -2,6 +2,7 @@
 
 
 import com.faforever.api.data.checks.UserGroupPublicCheck;
+import com.faforever.api.security.elide.permission.ReadUserGroupCheck;
 import com.faforever.api.security.elide.permission.WriteUserGroupCheck;
 import com.yahoo.elide.annotation.CreatePermission;
 import com.yahoo.elide.annotation.Include;
@@ -27,7 +28,7 @@
 @Include(name = "userGroup")
 @UpdatePermission(expression = WriteUserGroupCheck.EXPRESSION)
 @CreatePermission(expression = WriteUserGroupCheck.EXPRESSION)
-@ReadPermission(expression = UserGroupPublicCheck.EXPRESSION + " or " + WriteUserGroupCheck.EXPRESSION)
+@ReadPermission(expression = UserGroupPublicCheck.EXPRESSION + " or " + ReadUserGroupCheck.EXPRESSION)
 @Setter
 public class
 UserGroup extends AbstractEntity<UserGroup> {