eclipse-tractusx / portal-backend

Portal Backend
Apache License 2.0

Company Subscriptions | App & Service Subscriptions -> Details page responds 403 #987

Open tfjanjua opened 1 month ago

tfjanjua commented 1 month ago

Current Behavior

App & Service Subscriptions -> Details page responds with a 403 error code.

Expected Behavior

Portal should display detailed information about the selected subscription. OR the Details column should not be there for roles that do not have access to the details page, or we should disable the Details icon for restricted users.

Steps To Reproduce

  1. Login to Portal App using App Manager or Service Manager user.
  2. Go to Profile icon, right-top-corner
  3. Click on ‘Company Subscriptions’
  4. Click on Details Arrow.

Findings

So, I have the following findings related to the 'App & Service Subscriptions' and 'Details' pages:

  1. User: App Manager

     App Manager can see all the apps on the 'App & Service Subscriptions' page.
     API: /api/Apps/subscribed/subscription-status

     But App Manager is not able to see the 'Details' of Apps because of not having the subscribe_apps role.
     API: /api/apps/{appId}/subscription/{subscriptionId}/subscriber

  2. User: Service Manager

     In case of a 'Service Manager' user, the frontend has also been calling the same API as for App Manager and sees all Apps instead of Services.
     Currently calling the same API as App Manager:
     /api/Apps/subscribed/subscription-status
     Whereas an API exists for Service Manager to see the list of Services:
     /api/Services/subscribed/subscription-status

     And the same is happening with the 'Details' page: the frontend has been calling the same API as for App Manager.
     Currently calling the same API as App Manager:
     /api/apps/{appId}/subscription/{subscriptionId}/subscriber
     Whereas an API exists for Service Manager to see the Details of a Service:
     /api/services/{serviceId}/subscription/{subscriptionId}/subscriber

     Although Service Manager doesn't have the subscribe_service role to see the Details.

So, I feel like first we need to decide whether we should call the Service-related APIs for Service Manager or keep calling the App-related APIs for Service Manager, and then we can decide whether App or Service Manager can see the details from the 'App & Service Subscriptions' page or not.

If App or Service Manager is supposed to see the details of Apps or Services from the 'App & Service Subscriptions' page, then we can assign the subscribe_apps role to App Manager and the subscribe_service role to Service Manager on the Keycloak side; if not, then we can hide the Details button on the 'App & Service Subscriptions' frontend page when the user does not have the proper roles.

@evegufy | @MaximilianHauer | @ybidois please suggest the workaround as per the business logic/case. Thanks

ybidois commented 1 month ago

Hi @tfjanjua, thanks for the detailed investigation!

As per the role names, I would expect the App Manager to see only apps and Service Manager to see only services.

I'll let @MaximilianHauer and @evegufy confirm whether they agree with this logic.

MaximilianHauer commented 1 month ago

@ybidois got this story in my backlog but want to take my time to have a concentrated look

typecastcloud commented 3 weeks ago

> @ybidois got this story in my backlog but want to take my time to have a concentrated look

I think the role requirement for the GET endpoints in portal-backend is wrong (Retrieves the details of a subscription):

{appId}/subscription/{subscriptionId}/subscriber
{serviceId}/subscription/{subscriptionId}/subscriber

Currently requires "subscribe_app" / "subscribe_service".

It should be the same as for the GET endpoint subscribed/subscription-status for apps / services (Retrieves subscription statuses of apps), which has "view_subscription" / "view_service_subscriptions" as requirement, which is the same role required to see the list of subscribed apps / services.

Another option would be to hide the detail button for users without the role if App Manager does not need access.

@MaximilianHauer did you guys already talk about this topic internally?
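The mismatch described in the original report (a user can list subscriptions but gets a 403 on the details endpoint) and the two remedies discussed in the thread (align the detail endpoint's role with the list endpoint's, or hide the Details button when the user lacks the role) can be modelled as a small authorization-consistency check. The following Python is an added example, not portal-backend or portal-frontend code. The endpoint paths and role names are taken from the issue text (the thread spells the app role both "subscribe_apps" and "subscribe_app"; the example uses "subscribe_app" and lowercases the paths); the policy-table shape, the function names and the sample role sets for the two users are assumptions made for the illustration.

```python
"""Authorization-consistency check for list/detail endpoint pairs.

Added example for the issue discussion; it is not code from portal-backend.
Paths and role names come from the issue text; everything else is assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Endpoint:
    path: str
    required_role: str


# Role requirements as described in the thread: the list endpoints require
# view_subscription / view_service_subscriptions, the detail endpoints
# require subscribe_app / subscribe_service.
CURRENT_POLICY: Dict[str, Dict[str, Endpoint]] = {
    "apps": {
        "list": Endpoint("/api/apps/subscribed/subscription-status",
                         "view_subscription"),
        "detail": Endpoint("/api/apps/{appId}/subscription/{subscriptionId}/subscriber",
                           "subscribe_app"),
    },
    "services": {
        "list": Endpoint("/api/services/subscribed/subscription-status",
                         "view_service_subscriptions"),
        "detail": Endpoint("/api/services/{serviceId}/subscription/{subscriptionId}/subscriber",
                           "subscribe_service"),
    },
}

# Remedy 1 from the thread: the detail endpoint requires the same role as
# the list endpoint of the same resource kind.
PROPOSED_POLICY: Dict[str, Dict[str, Endpoint]] = {
    kind: {
        "list": eps["list"],
        "detail": Endpoint(eps["detail"].path, eps["list"].required_role),
    }
    for kind, eps in CURRENT_POLICY.items()
}

# Constructed sample role sets (assumption): the report says App Manager can
# load the list but not the details, so it holds only the list role.
APP_MANAGER_ROLES: Set[str] = {"view_subscription"}
SERVICE_MANAGER_ROLES: Set[str] = {"view_service_subscriptions"}


def find_list_detail_mismatches(policy: Dict[str, Dict[str, Endpoint]]
                                ) -> List[Tuple[str, str, str]]:
    """Return (kind, list_role, detail_role) for every resource kind whose
    detail endpoint requires a different role than its list endpoint.

    Such a pair lets a user see a row they cannot open, which is exactly the
    403 reported in the issue; a policy test in CI can assert the list is empty.
    """
    return [
        (kind, eps["list"].required_role, eps["detail"].required_role)
        for kind, eps in policy.items()
        if eps["list"].required_role != eps["detail"].required_role
    ]


def is_authorized(endpoint: Endpoint, user_roles: Set[str]) -> bool:
    """Backend-side check: the caller must hold the endpoint's required role."""
    return endpoint.required_role in user_roles


def status_code(policy: Dict[str, Dict[str, Endpoint]], kind: str,
                action: str, user_roles: Set[str]) -> int:
    """HTTP status the backend would answer for a list/detail request."""
    return 200 if is_authorized(policy[kind][action], user_roles) else 403


def visible_actions(policy: Dict[str, Dict[str, Endpoint]], kind: str,
                    user_roles: Set[str]) -> List[str]:
    """Remedy 2 from the thread, frontend side: render only the actions the
    user's roles permit, so a Details arrow is never shown to a user who
    would receive a 403 from the backend for it."""
    eps = policy[kind]
    actions: List[str] = []
    if is_authorized(eps["list"], user_roles):
        actions.append("list")
        if is_authorized(eps["detail"], user_roles):
            actions.append("detail")
    return actions


if __name__ == "__main__":
    print("mismatches (current):", find_list_detail_mismatches(CURRENT_POLICY))
    print("mismatches (proposed):", find_list_detail_mismatches(PROPOSED_POLICY))
    print("App Manager detail status (current):",
          status_code(CURRENT_POLICY, "apps", "detail", APP_MANAGER_ROLES))
    print("App Manager actions (current):",
          visible_actions(CURRENT_POLICY, "apps", APP_MANAGER_ROLES))
```

Running the module reproduces the report: under `CURRENT_POLICY` both resource kinds are flagged as mismatched and App Manager gets a 403 on the detail endpoint while the list succeeds; under `PROPOSED_POLICY` the mismatch list is empty and the same user sees both the list and the Details action. Whichever remedy the maintainers pick, `find_list_detail_mismatches` is the kind of check worth keeping as a test so the list and detail roles cannot drift apart again.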