Skip to content

Commit 93df63f

Browse files
authored
Merge pull request #20 from topcoder-platform/PM-4847
Updates for M2M
2 parents 196911e + 8e1bd2a commit 93df63f

4 files changed

Lines changed: 45 additions & 1 deletion

File tree

src/shared/services/permission.service.spec.ts

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -346,6 +346,28 @@ describe('PermissionService', () => {
346346
expect(allowed).toBe(true);
347347
});
348348

349+
it('allows reading any project for machine token with project read scope', () => {
350+
const allowed = service.hasNamedPermission(Permission.READ_PROJECT_ANY, {
351+
scopes: [Scope.PROJECTS_READ],
352+
isMachine: true,
353+
});
354+
355+
expect(allowed).toBe(true);
356+
});
357+
358+
it('allows reading any project when machine scope is inferred from token claims', () => {
359+
const allowed = service.hasNamedPermission(Permission.READ_PROJECT_ANY, {
360+
scopes: [],
361+
isMachine: false,
362+
tokenPayload: {
363+
gty: 'client-credentials',
364+
scope: Scope.PROJECTS_READ,
365+
},
366+
});
367+
368+
expect(allowed).toBe(true);
369+
});
370+
349371
it.each([
350372
UserRole.TOPCODER_MANAGER,
351373
UserRole.PROJECT_MANAGER,

src/shared/services/permission.service.ts

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -254,7 +254,7 @@ export class PermissionService {
254254
switch (permission) {
255255
// Project read/write lifecycle permissions.
256256
case NamedPermission.READ_PROJECT_ANY:
257-
return hasProjectReadTopcoderRole;
257+
return hasProjectReadTopcoderRole || hasProjectReadScope;
258258

259259
case NamedPermission.VIEW_PROJECT:
260260
return (

src/shared/utils/permission-docs.utils.ts

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -236,6 +236,7 @@ function getNamedPermissionDocumentation(
236236
case NamedPermission.READ_PROJECT_ANY:
237237
return createSummary({
238238
userRoles: ADMIN_AND_MANAGER_ROLES,
239+
scopes: PROJECT_READ_SCOPES,
239240
});
240241

241242
case NamedPermission.VIEW_PROJECT:

src/shared/utils/swagger.utils.spec.ts

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -76,6 +76,27 @@ describe('enrichSwaggerAuthDocumentation', () => {
7676
);
7777
});
7878

79+
it('documents project-read machine scopes for global project access routes', () => {
80+
const document = createDocument({
81+
description: 'List projects.',
82+
[SWAGGER_REQUIRED_ROLES_KEY]: Object.values(UserRole),
83+
[SWAGGER_REQUIRED_SCOPES_KEY]: [
84+
Scope.PROJECTS_READ,
85+
Scope.PROJECTS_WRITE,
86+
Scope.PROJECTS_ALL,
87+
],
88+
[SWAGGER_REQUIRED_PERMISSIONS_KEY]: [Permission.READ_PROJECT_ANY],
89+
});
90+
91+
enrichSwaggerAuthDocumentation(document);
92+
93+
const description = document.paths['/test'].get?.description;
94+
95+
expect(description).toContain(
96+
'Policy allows token scopes (any): all:connect_project, all:projects, read:projects, write:projects',
97+
);
98+
});
99+
79100
it('documents permission-specific machine scopes when policy narrows route access', () => {
80101
const document = createDocument({
81102
description: 'Get project billing account details.',

0 commit comments

Comments
 (0)