As a portal operator,
I want to control access to pages, overlays and actions based on the user's company roles,
so that users only see and can access resources that are granted to their company.
Company roles are not included in the user token and they must be fetched separately by calling the endpoint: /api/administration/companydata/ownCompanyDetails
This call should be made at the very beginning, before the user menu is rendered, because some menu entries may already have to be removed based on company roles. We recommend creating a new service CompanyService and issuing a synchronous call in the callback function of UserService.init()
https://github.com/eclipse-tractusx/portal-frontend/blob/main/src/index.tsx#L38-L47
storing the result together with the company roles.
In the AccessService we can then add check functions in the same way user permissions are handled.
userHasAccess -> check for roles in the user token
companyHasAccess -> check for roles in the company details data
Note that this is only a convenience feature so that users do not see, and accidentally click on, restricted resources. Only the backend can enforce real security by blocking access to API endpoints; the frontend can never enforce security, because any user who can open the browser developer tools can bypass the UI and call the API directly.
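The two checks described above, as an added example in TypeScript (not portal-frontend code): a minimal CompanyService that caches the company roles from the ownCompanyDetails response, a companyHasAccess check beside a userHasAccess counterpart, and a menu filter that applies both. The response shape ({ companyRole: string[] }), the role names and all function names are assumptions for this illustration.

```typescript
// Added example (not portal-frontend code): company-role checks that mirror the
// existing user-token checks. The response shape { companyRole: string[] } and
// every name below are assumptions made for this illustration.
type OwnCompanyDetails = { companyId: string; name: string; companyRole: string[] }

// Stand-in for the proposed CompanyService: caches the company roles obtained once
// from /api/administration/companydata/ownCompanyDetails. In the app, init() would
// be called with the response inside the UserService.init() callback.
class CompanyService {
  private static roles: string[] = []
  private static loaded = false

  static init(details: OwnCompanyDetails): void {
    CompanyService.roles = details.companyRole ?? []
    CompanyService.loaded = true
  }
  static isLoaded(): boolean { return CompanyService.loaded }
  static hasRole(role: string): boolean { return CompanyService.roles.includes(role) }
}

// Counterpart of the existing userHasAccess: roles carried in the decoded user token.
const userHasAccess = (tokenRoles: string[], required: string): boolean =>
  tokenRoles.includes(required)

// New check for company roles. It fails closed until the details are loaded, so no
// restricted item is rendered in the gap before the data arrives.
const companyHasAccess = (required: string): boolean =>
  CompanyService.isLoaded() && CompanyService.hasRole(required)

// A resource may require a user role, a company role, or both. Both checks are UI
// convenience only; the backend still authorises every API call.
type MenuItem = { name: string; userRole?: string; companyRole?: string }

const visibleMenu = (items: MenuItem[], tokenRoles: string[]): string[] =>
  items
    .filter((i) => !i.userRole || userHasAccess(tokenRoles, i.userRole))
    .filter((i) => !i.companyRole || companyHasAccess(i.companyRole))
    .map((i) => i.name)

// Constructed sample payload and menu (role names chosen for illustration).
const sampleDetails: OwnCompanyDetails = {
  companyId: '00000000-0000-0000-0000-000000000000',
  name: 'Example Operator Co.',
  companyRole: ['ACTIVE_PARTICIPANT', 'APP_PROVIDER'],
}
const sampleMenu: MenuItem[] = [
  { name: 'Home' },
  { name: 'App Release', userRole: 'add_apps', companyRole: 'APP_PROVIDER' },
  { name: 'Service Release', userRole: 'add_service_offering', companyRole: 'SERVICE_PROVIDER' },
]
```

Before CompanyService.init() has run, every company-gated item stays hidden; after it, an item is shown only when both the user role and the company role are present.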
Acceptance Criteria
[ ] AccessService exports function companyHasAccess
[ ] At least one resource (page, overlay, button, etc.) is protected using said function and is enabled or disabled according to the user's company roles
Additional Info
There is an existing ticket https://github.com/eclipse-tractusx/portal-frontend/issues/1108 which describes a specific restriction; instead of implementing a solution for only one resource, this ticket proposes a generic solution that works for any resource and any company role.
Currently all frontend-side permission validations are based on the roles in the user's JWT token from Keycloak: https://github.com/eclipse-tractusx/portal-frontend/blob/main/src/services/AccessService.tsx#L89-L90
Example access checks:
https://github.com/eclipse-tractusx/portal-frontend/blob/main/src/types/Config.tsx#L113
https://github.com/eclipse-tractusx/portal-frontend/blob/main/src/components/pages/CompanyCertificates/index.tsx#L186-L188