WIP for #649

oharsta · oharsta · commit 1d1b93ebddb6 · 2026-02-25T17:20:46.000+01:00
diff --git a/client/src/api/index.js b/client/src/api/index.js
@@ -95,6 +95,10 @@ export function other(id) {
     return fetchJson(`/api/v1/users/other/${id}`, {}, {}, false);
 }
 
+export function institutionAdminsbyRole(roleId) {
+    return fetchJson(`/api/v1/users/institution-admins/${roleId}`, {}, {}, false);
+}
+
 export function searchUsers(pagination = {}) {
     const queryPart = paginationQueryParams(pagination, {})
     return fetchJson(`/api/v1/users/search?${queryPart}`);
diff --git a/client/src/locale/en.js b/client/src/locale/en.js
@@ -134,7 +134,9 @@ const en = {
         userInfo: "{{nbr}} member(s) & invalid {{period}}",
         roleInfo: "Role valid for <strong>{{days}} days</strong>",
         roleInfoNoEndDate: "Role has <strong>no end date</strong>",
-        contactAdmin: "Contact role manager(s)"
+        contactAdmin: "Contact role manager(s)",
+        institutionAdmin: "Institution admins: {{names}}",
+        noInstitutionAdmin: "There is not institution admins"
     },
     roles: {
         title: "Access Roles",
diff --git a/client/src/locale/nl.js b/client/src/locale/nl.js
@@ -134,7 +134,10 @@ const nl = {
         userInfo: "{{nbr}} leden & verloopt {{period}}",
         roleInfo: "Rol geldig voor <strong>{{days}} dagen</strong>",
         roleInfoNoEndDate: "Rol heeft <strong>geen einddatum</strong>",
-        contactAdmin: "Contact rolmanager(s)"
+        contactAdmin: "Contact rolmanager(s)",
+        institutionAdmin: "Institution admins: {{names}}",
+        noInstitutionAdmin: "There is not institution admins"
+
     },
     roles: {
         title: "Toegangsrollen",
diff --git a/client/src/locale/pt.js b/client/src/locale/pt.js
@@ -134,7 +134,9 @@ const pt = {
         userInfo: "{{nbr}} member(s) & invalid {{period}}",
         roleInfo: "Role valid for <strong>{{days}} days</strong>",
         roleInfoNoEndDate: "Role has <strong>no end date</strong>",
-        contactAdmin: "Contact role manager(s)"
+        contactAdmin: "Contact role manager(s)",
+        institutionAdmin: "Institution admins: {{names}}",
+        noInstitutionAdmin: "There is not institution admins"
     },
     roles: {
         title: "Access Roles",
diff --git a/client/src/pages/Role.jsx b/client/src/pages/Role.jsx
@@ -1,5 +1,5 @@
 import React, {useEffect, useState} from "react";
-import {managersByRoleId, roleByID} from "../api";
+import {institutionAdminsbyRole, managersByRoleId, roleByID} from "../api";
 import I18n from "../locale/I18n";
 import "./Role.scss";
 import {ButtonType, Loader, Tooltip} from "@surfnet/sds";
@@ -8,6 +8,7 @@ import {useAppStore} from "../stores/AppStore";
 import {UnitHeader} from "../components/UnitHeader";
 import WebsiteIcon from "../icons/network-information.svg";
 import PersonIcon from "../icons/persons.svg";
+import InstitutionAdminIcon from "@surfnet/sds/icons/illustrative-icons/presentation-amphitheater.svg";
 import {allowedToEditRole, AUTHORITIES, highestAuthority, isUserAllowed, urnFromRole} from "../utils/UserRole";
 import Tabs from "../components/Tabs";
 import {Page} from "../components/Page";
@@ -17,7 +18,7 @@ import ClipBoardCopy from "../components/ClipBoardCopy";
 import {deriveApplicationAttributes} from "../utils/Manage";
 import DOMPurify from "dompurify";
 import {UnitHeaderInviter} from "../components/UnitHeaderInviter";
-import {isEmpty} from "../utils/Utils";
+import {isEmpty, splitListSemantically} from "../utils/Utils";
 import {displayExpiryDate, futureDate} from "../utils/Date";
 
 export const Role = () => {
@@ -30,6 +31,7 @@ export const Role = () => {
     const [currentTab, setCurrentTab] = useState(tab);
     const [tabs, setTabs] = useState([]);
     const [managerEmails, setManagerEmails] = useState([]);
+    const [institutionAdmins, setInstitutionAdmins] = useState([]);
 
     useEffect(() => {
             const isInviter = highestAuthority(user) === AUTHORITIES.INVITER;
@@ -54,10 +56,12 @@ export const Role = () => {
             navigate("/404");
             return;
         }
-        roleByID(id, false)
-            .then(res => {
+        Promise.all([roleByID(id, false), institutionAdminsbyRole(id)])
+            .then(results => {
+                const res = results[0];
                 deriveApplicationAttributes(res, I18n.locale, I18n.t("roles.multiple"), I18n.t("forms.and"))
                 setRole(res);
+                setInstitutionAdmins(results[1]);
                 const isInviter = highestAuthority(user) === AUTHORITIES.INVITER;
                 if (isInviter) {
                     managersByRoleId(id).then(emails => setManagerEmails(emails));
@@ -173,6 +177,17 @@ export const Role = () => {
                         <ClipBoardCopy txt={urn} transparentBackground={true}/>
                     </div>
                     <div className={"meta-data"}>
+                        <div className={"meta-data-row"}>
+                            <InstitutionAdminIcon/>
+                            {isEmpty(institutionAdmins) && <span>
+                                {I18n.t("role.noInstitutionAdmin")}
+                            </span>}
+                            {!isEmpty(institutionAdmins) && <span dangerouslySetInnerHTML={{
+                                __html: DOMPurify.sanitize(I18n.t("role.institutionAdmin", {
+                                    names: splitListSemantically(institutionAdmins.map(u => u.name), I18n.t("forms.and"))
+                                }))
+                            }}/>}
+                        </div>
                         <div className={"meta-data-row"}>
                             <PersonIcon/>
                             <span dangerouslySetInnerHTML={{
diff --git a/server/src/main/java/invite/api/UserController.java b/server/src/main/java/invite/api/UserController.java
@@ -32,7 +32,6 @@
 import org.springframework.data.domain.Sort;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
-import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.util.StringUtils;
@@ -66,6 +65,7 @@ public class UserController {
     private final Config config;
     private final UserRepository userRepository;
     private final InvitationRepository invitationRepository;
+    private final RoleRepository roleRepository;
     private final Manage manage;
     private final ObjectMapper objectMapper;
     private final RemoteProvisionedUserRepository remoteProvisionedUserRepository;
@@ -75,7 +75,7 @@ public class UserController {
     @Autowired
     public UserController(Config config,
                           UserRepository userRepository,
-                          InvitationRepository invitationRepository,
+                          InvitationRepository invitationRepository, RoleRepository roleRepository,
                           Manage manage,
                           ObjectMapper objectMapper,
                           RemoteProvisionedUserRepository remoteProvisionedUserRepository,
@@ -85,6 +85,7 @@ public UserController(Config config,
                           @Value("${voot.group_urn_domain}") String groupUrnPrefix,
                           ProvisioningService provisioningService) {
         this.invitationRepository = invitationRepository;
+        this.roleRepository = roleRepository;
         this.provisioningService = provisioningService;
         this.config = config.withGroupUrnPrefix(groupUrnPrefix);
         this.userRepository = userRepository;
@@ -251,8 +252,22 @@ public ResponseEntity<Void> delete(@PathVariable("userId") Long userId, @Paramet
         return Results.deleteResult();
     }
 
+    @GetMapping("/institution-admins/{roleId}")
+    @Transactional(readOnly = true)
+    public ResponseEntity<List<User>> institutionAdminsbyRole(@PathVariable Long roleId,
+                                                   @Parameter(hidden = true) User user) {
+        LOG.debug(String.format("GET institution-admins/%s for user %s", roleId, user.getEduPersonPrincipalName()));
+
+        Role role = roleRepository.findById(roleId).orElseThrow(() -> new NotFoundException("Role not found"));
+
+        UserPermissions.assertRoleAccess(user, role, Authority.INVITER);
+
+        List<User> users = userRepository.findInstitutionAdminsPerRole(role.getId());
+
+        return ResponseEntity.ok(users);
+    }
 
-    @PostMapping("error")
+        @PostMapping("error")
     public ResponseEntity<Map<String, Integer>> error(@RequestBody Map<String, Object> payload,
                                                       @Parameter(hidden = true) User user) throws
             JsonProcessingException, UnknownHostException {
diff --git a/server/src/main/java/invite/repository/UserRepository.java b/server/src/main/java/invite/repository/UserRepository.java
@@ -117,6 +117,14 @@ SELECT distinct(u.id), u.email, u.name, u.schac_home_organization, u.created_at,
             nativeQuery = true)
     List<User> findNonSuperUserWithoutUserRoles();
 
+    @Query(value = """
+            SELECT u.* FROM users u
+                    INNER JOIN roles r on r.organization_guid = u.organization_guid
+                    WHERE r.id = ?1 AND u.institution_admin = 1
+            """,
+            nativeQuery = true)
+    List<User> findInstitutionAdminsPerRole(Long roleId);
+
     @Override
     default String rewrite(String query, Sort sort) {
         Sort.Order authoritySort = sort.getOrderFor("authority");
diff --git a/server/src/test/java/invite/api/UserControllerTest.java b/server/src/test/java/invite/api/UserControllerTest.java
@@ -8,6 +8,7 @@
 import invite.manage.EntityType;
 import invite.model.Authority;
 import invite.model.RemoteProvisionedUser;
+import invite.model.Role;
 import invite.model.User;
 import invite.model.UserRole;
 import io.restassured.common.mapper.TypeRef;
@@ -19,6 +20,7 @@
 import org.springframework.web.util.UriComponentsBuilder;
 
 import java.io.IOException;
+import java.lang.reflect.Type;
 import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
 import java.util.*;
@@ -551,6 +553,26 @@ void other() throws Exception {
         assertEquals(List.of("5", "5"), userRoles.stream().map(userRole -> userRole.getRole().getApplicationMaps().get(0).get("id")).toList());
     }
 
+    @Test
+    void institutionAdminsbyRole() throws Exception {
+        AccessCookieFilter accessCookieFilter = openIDConnectFlow("/api/v1/users/login", INVITER_WIKI_SUB);
+        Role role = roleRepository.findByName("Wiki").get();
+
+        List<User> users = given()
+                .when()
+                .filter(accessCookieFilter.cookieFilter())
+                .accept(ContentType.JSON)
+                .contentType(ContentType.JSON)
+                .pathParams("roleId", role.getId())
+                .get("/api/v1/users/institution-admins/{roleId}")
+                .as(new TypeRef<>() {
+                });
+        assertEquals(1, users.size());
+        User user = users.getFirst();
+        assertTrue(user.isInstitutionAdmin());
+        assertEquals(user.getOrganizationGUID(), role.getOrganizationGUID());
+    }
+
     @Test
     void msAcceptReturn() throws Exception {
         super.stubForUpdateGraphUser(GUEST_SUB);
