US-EPA-CAMD / easey-ui

Project Management repo for EPA Clean Air Markets Division (CAMD) Business Suite of applications
MIT License

Initial Authorizer role missing facilities #6190

Open maheese opened 3 months ago

maheese commented 3 months ago

I have an account in CDX Test with the initial authorizer role (mheese-ia). I made this account the DR for Barry in CBSSTAGEI. When I log into ECMPS test I do not see any facilities. Here is what is returned when I validate the token in the auth-api:

{
  "userId": "mheese-ia",
  "sessionId": "f4dd98a3-e6e6-409a-b77e-e1fedad50ca9",
  "expiration": "3/28/2024, 10:34:50 AM",
  "clientIp": "2620:117:5010:19b::d055",
  "facilities": [],
  "roles": [ "Initial Authorizer" ],
  "uid": "mheese-ia",
  "issuer": "easey.camd.oar.test@epa.gov",
  "sa": "easey.camd.oar.test@epa.gov",
  "domain": "default"
}

Here's a screenshot from CBS that illustrates this account is the DR for Barry:

Image

mark-hayward-erg commented 3 months ago

This issue is caused by logic in easey-auth-api/src/permissions/Permissions.service.ts (line 120) that is currently not calling the responsibility API for users that only have the IA role.

This code needs to be updated to include the IA role in the list of roles for which the responsibility API is called:

if (
  bypassEnabled ||
  this.configService.get<boolean>('app.mockPermissionsEnabled') ||
  roles.includes(this.configService.get<string>('app.sponsorRole')) ||
  roles.includes(this.configService.get<string>('app.preparerRole')) ||
  roles.includes(this.configService.get<string>('app.submitterRole'))
)
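The role gate described in this thread, as an added example that is not part of the original comments or the project's code: it models only the role checks in the quoted condition and shows why an Initial Authorizer-only token comes back with an empty facility list. The config key `app.initialAuthorizerRole`, the helper names, the role values other than "Initial Authorizer", and the lookup table standing in for the responsibility API are assumptions.

```typescript
// Added example: models only the role checks in the condition quoted above.
type RoleConfig = Record<string, string | undefined>;

// Role values are assumed except "Initial Authorizer", which appears in the token.
// 'app.initialAuthorizerRole' is a hypothetical key, not taken from the project.
const config: RoleConfig = {
  'app.sponsorRole': 'Sponsor',
  'app.preparerRole': 'Preparer',
  'app.submitterRole': 'Submitter',
  'app.initialAuthorizerRole': 'Initial Authorizer',
};

const GATE_BEFORE = ['app.sponsorRole', 'app.preparerRole', 'app.submitterRole'];
const GATE_AFTER = [...GATE_BEFORE, 'app.initialAuthorizerRole'];

// True when any of the user's roles matches a configured gate role.
// An unset config key never matches, so a missing setting fails closed
// (no lookup, empty facility list) instead of throwing.
function roleGatePasses(roles: string[], gateKeys: string[], cfg: RoleConfig): boolean {
  return gateKeys.some((key) => {
    const role = cfg[key];
    return role !== undefined && roles.includes(role);
  });
}

// Constructed stand-in for the responsibility API response.
const responsibilities: Record<string, string[]> = { 'mheese-ia': ['Barry'] };

function facilitiesFor(
  userId: string,
  roles: string[],
  gateKeys: string[],
  cfg: RoleConfig = config,
): string[] {
  if (!roleGatePasses(roles, gateKeys, cfg)) return []; // lookup skipped
  return responsibilities[userId] ?? [];
}

// Regression check: role keys that should reach the lookup but are not in the gate.
function missingFromGate(expectedKeys: string[], gateKeys: string[]): string[] {
  return expectedKeys.filter((key) => !gateKeys.includes(key));
}

console.log(facilitiesFor('mheese-ia', ['Initial Authorizer'], GATE_BEFORE)); // []
console.log(facilitiesFor('mheese-ia', ['Initial Authorizer'], GATE_AFTER)); // [ 'Barry' ]
```

A check like `missingFromGate` in a unit test catches a newly added role that was never wired into the gate, which otherwise shows up only as a silently empty `facilities` array.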

esaber76 commented 1 week ago

Confirmed in tst environment (dev is bypassing CBS Responsibilities API) that an initial authorizer only account can view facilities that they are a primary or alternate representative for.

Note: Opened #6312 to handle import/revert issues for this type of account.