Enhancement: add view_global_statistics and view_system_status permissions (#12530)

src-ui/src/app/components/admin/settings/settings.component.html

@@ -7,7 +7,7 @@
   <button class="btn btn-sm btn-outline-primary" (click)="tourService.start()">
     <i-bs class="me-2" name="airplane"></i-bs><ng-container i18n>Start tour</ng-container>
   </button>
-  @if (permissionsService.isAdmin()) {
+  @if (canViewSystemStatus) {
     <button class="btn btn-sm btn-outline-primary position-relative ms-md-5 me-1" (click)="showSystemStatus()"
       [disabled]="!systemStatus">
       @if (!systemStatus) {
@@ -26,6 +26,8 @@
       }
       <ng-container i18n>System Status</ng-container>
     </button>
+  }
+  @if (permissionsService.isAdmin()) {
     <a class="btn btn-sm btn-primary" href="admin/" target="_blank">
       <ng-container i18n>Open Django Admin</ng-container>
       <i-bs class="ms-2" name="arrow-up-right"></i-bs>

src-ui/src/app/components/admin/settings/settings.component.spec.ts

@@ -29,7 +29,11 @@ import { IfOwnerDirective } from 'src/app/directives/if-owner.directive'
 import { IfPermissionsDirective } from 'src/app/directives/if-permissions.directive'
 import { PermissionsGuard } from 'src/app/guards/permissions.guard'
 import { CustomDatePipe } from 'src/app/pipes/custom-date.pipe'
-import { PermissionsService } from 'src/app/services/permissions.service'
+import {
+  PermissionAction,
+  PermissionType,
+  PermissionsService,
+} from 'src/app/services/permissions.service'
 import { GroupService } from 'src/app/services/rest/group.service'
 import { SavedViewService } from 'src/app/services/rest/saved-view.service'
 import { UserService } from 'src/app/services/rest/user.service'
@@ -328,7 +332,13 @@ describe('SettingsComponent', () => {
 
   it('should load system status on initialize, show errors if needed', () => {
     jest.spyOn(systemStatusService, 'get').mockReturnValue(of(status))
-    jest.spyOn(permissionsService, 'isAdmin').mockReturnValue(true)
+    jest
+      .spyOn(permissionsService, 'currentUserCan')
+      .mockImplementation(
+        (action, type) =>
+          action === PermissionAction.View &&
+          type === PermissionType.SystemStatus
+      )
     completeSetup()
     expect(component['systemStatus']).toEqual(status) // private
     expect(component.systemStatusHasErrors).toBeTruthy()
@@ -344,7 +354,13 @@ describe('SettingsComponent', () => {
   it('should open system status dialog', () => {
     const modalOpenSpy = jest.spyOn(modalService, 'open')
     jest.spyOn(systemStatusService, 'get').mockReturnValue(of(status))
-    jest.spyOn(permissionsService, 'isAdmin').mockReturnValue(true)
+    jest
+      .spyOn(permissionsService, 'currentUserCan')
+      .mockImplementation(
+        (action, type) =>
+          action === PermissionAction.View &&
+          type === PermissionType.SystemStatus
+      )
     completeSetup()
     component.showSystemStatus()
     expect(modalOpenSpy).toHaveBeenCalledWith(SystemStatusDialogComponent, {

src-ui/src/app/components/admin/settings/settings.component.ts

@@ -429,7 +429,7 @@ export class SettingsComponent
       this.settingsForm.patchValue(currentFormValue)
     }
 
-    if (this.permissionsService.isAdmin()) {
+    if (this.canViewSystemStatus) {
       this.systemStatusService.get().subscribe((status) => {
         this.systemStatus = status
       })
@@ -647,6 +647,16 @@ export class SettingsComponent
       .setValue(Array.from(hiddenFields))
   }
 
+  public get canViewSystemStatus(): boolean {
+    return (
+      this.permissionsService.isAdmin() ||
+      this.permissionsService.currentUserCan(
+        PermissionAction.View,
+        PermissionType.SystemStatus
+      )
+    )
+  }
+
   showSystemStatus() {
     const modal: NgbModalRef = this.modalService.open(
       SystemStatusDialogComponent,

src-ui/src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.html

@@ -23,11 +23,11 @@
             </div>
             <div class="form-check form-switch form-check-inline">
               <input type="checkbox" class="form-check-input" id="is_staff" formControlName="is_staff">
-              <label class="form-check-label" for="is_staff"><ng-container i18n>Admin</ng-container> <small class="form-text text-muted ms-1" i18n>Access logs, Django backend</small></label>
+              <label class="form-check-label" for="is_staff"><ng-container i18n>Admin</ng-container> <small class="form-text text-muted ms-1" i18n>Access system status, logs, Django backend</small></label>
             </div>
             <div class="form-check form-switch form-check-inline">
               <input type="checkbox" class="form-check-input" id="is_superuser" formControlName="is_superuser" (change)="onToggleSuperUser()">
-              <label class="form-check-label" for="is_superuser"><ng-container i18n>Superuser</ng-container> <small class="form-text text-muted ms-1" i18n>(Grants all permissions and can view objects)</small></label>
+              <label class="form-check-label" for="is_superuser"><ng-container i18n>Superuser</ng-container> <small class="form-text text-muted ms-1" i18n>Grants all permissions and can view all objects</small></label>
             </div>
           </div>
 

src-ui/src/app/components/common/permissions-select/permissions-select.component.html

@@ -26,8 +26,8 @@
           <input type="checkbox" class="form-check-input" id="{{type}}_all" (change)="toggleAll($event, type)" [checked]="typesWithAllActions.has(type) || isInherited(type)" [attr.disabled]="disabled || isInherited(type) ? true : null">
           <label class="form-check-label visually-hidden" for="{{type}}_all" i18n>All</label>
         </div>
-        @for (action of PermissionAction | keyvalue; track action) {
-          <div class="col form-check form-check-inline" [ngbPopover]="inheritedWarning" [disablePopover]="!isInherited(type, action.key)" placement="left" triggers="mouseenter:mouseleave">
+        @for (action of PermissionAction | keyvalue: sortActions; track action.key) {
+          <div class="col form-check form-check-inline" [class.invisible]="!isActionSupported(PermissionType[type], action.value)" [ngbPopover]="inheritedWarning" [disablePopover]="!isInherited(type, action.key)" placement="left" triggers="mouseenter:mouseleave">
             <input type="checkbox" class="form-check-input" id="{{type}}_{{action.key}}" formControlName="{{action.key}}">
             <label class="form-check-label visually-hidden" for="{{type}}_{{action.key}}">{{action.key}}</label>
           </div>

src-ui/src/app/components/common/permissions-select/permissions-select.component.spec.ts

@@ -26,7 +26,6 @@ const inheritedPermissions = ['change_tag', 'view_documenttype']
 describe('PermissionsSelectComponent', () => {
   let component: PermissionsSelectComponent
   let fixture: ComponentFixture<PermissionsSelectComponent>
-  let permissionsChangeResult: Permissions
   let settingsService: SettingsService
 
   beforeEach(async () => {
@@ -45,7 +44,7 @@ describe('PermissionsSelectComponent', () => {
     fixture = TestBed.createComponent(PermissionsSelectComponent)
     fixture.debugElement.injector.get(NG_VALUE_ACCESSOR)
     component = fixture.componentInstance
-    component.registerOnChange((r) => (permissionsChangeResult = r))
+    component.registerOnChange((r) => r)
     fixture.detectChanges()
   })
 
@@ -75,7 +74,6 @@ describe('PermissionsSelectComponent', () => {
   it('should update on permissions set', () => {
     component.ngOnInit()
     component.writeValue(permissions)
-    expect(permissionsChangeResult).toEqual(permissions)
     expect(component.typesWithAllActions).toContain('Document')
   })
 
@@ -92,13 +90,12 @@ describe('PermissionsSelectComponent', () => {
   it('disable checkboxes when permissions are inherited', () => {
     component.ngOnInit()
     component.inheritedPermissions = inheritedPermissions
+    fixture.detectChanges()
     expect(component.isInherited('Document', 'Add')).toBeFalsy()
     expect(component.isInherited('Document')).toBeFalsy()
     expect(component.isInherited('Tag', 'Change')).toBeTruthy()
-    const input1 = fixture.debugElement.query(By.css('input#Document_Add'))
-    expect(input1.nativeElement.disabled).toBeFalsy()
-    const input2 = fixture.debugElement.query(By.css('input#Tag_Change'))
-    expect(input2.nativeElement.disabled).toBeTruthy()
+    expect(component.form.get('Document').get('Add').disabled).toBeFalsy()
+    expect(component.form.get('Tag').get('Change').disabled).toBeTruthy()
   })
 
   it('should exclude history permissions if disabled', () => {
@@ -107,4 +104,60 @@ describe('PermissionsSelectComponent', () => {
     component = fixture.componentInstance
     expect(component.allowedTypes).not.toContain('History')
   })
+
+  it('should treat global statistics as view-only', () => {
+    component.ngOnInit()
+    fixture.detectChanges()
+
+    expect(
+      component.isActionSupported(
+        PermissionType.GlobalStatistics,
+        PermissionAction.View
+      )
+    ).toBeTruthy()
+    expect(
+      component.isActionSupported(
+        PermissionType.GlobalStatistics,
+        PermissionAction.Add
+      )
+    ).toBeFalsy()
+
+    const addInput = fixture.debugElement.query(
+      By.css('input#GlobalStatistics_Add')
+    )
+    const viewInput = fixture.debugElement.query(
+      By.css('input#GlobalStatistics_View')
+    )
+
+    expect(addInput.nativeElement.disabled).toBeTruthy()
+    expect(viewInput.nativeElement.disabled).toBeFalsy()
+  })
+
+  it('should treat system status as view-only', () => {
+    component.ngOnInit()
+    fixture.detectChanges()
+
+    expect(
+      component.isActionSupported(
+        PermissionType.SystemStatus,
+        PermissionAction.View
+      )
+    ).toBeTruthy()
+    expect(
+      component.isActionSupported(
+        PermissionType.SystemStatus,
+        PermissionAction.Change
+      )
+    ).toBeFalsy()
+
+    const changeInput = fixture.debugElement.query(
+      By.css('input#SystemStatus_Change')
+    )
+    const viewInput = fixture.debugElement.query(
+      By.css('input#SystemStatus_View')
+    )
+
+    expect(changeInput.nativeElement.disabled).toBeTruthy()
+    expect(viewInput.nativeElement.disabled).toBeFalsy()
+  })
 })

src-ui/src/app/components/common/permissions-select/permissions-select.component.ts

@@ -1,4 +1,4 @@
-import { KeyValuePipe } from '@angular/common'
+import { KeyValue, KeyValuePipe } from '@angular/common'
 import { Component, forwardRef, inject, Input, OnInit } from '@angular/core'
 import {
   AbstractControl,
@@ -58,6 +58,13 @@ export class PermissionsSelectComponent
 
   typesWithAllActions: Set<string> = new Set()
 
+  private readonly actionOrder = [
+    PermissionAction.Add,
+    PermissionAction.Change,
+    PermissionAction.Delete,
+    PermissionAction.View,
+  ]
+
   _inheritedPermissions: string[] = []
 
   @Input()
@@ -86,7 +93,7 @@ export class PermissionsSelectComponent
     }
     this.allowedTypes.forEach((type) => {
       const control = new FormGroup({})
-      for (const action in PermissionAction) {
+      for (const action of Object.keys(PermissionAction)) {
         control.addControl(action, new FormControl(null))
       }
       this.form.addControl(type, control)
@@ -106,18 +113,14 @@ export class PermissionsSelectComponent
         this.permissionsService.getPermissionKeys(permissionStr)
 
       if (actionKey && typeKey) {
-        if (this.form.get(typeKey)?.get(actionKey)) {
-          this.form
-            .get(typeKey)
-            .get(actionKey)
-            .patchValue(true, { emitEvent: false })
-        }
+        this.form
+          .get(typeKey)
+          ?.get(actionKey)
+          ?.patchValue(true, { emitEvent: false })
       }
     })
     this.allowedTypes.forEach((type) => {
-      if (
-        Object.values(this.form.get(type).value).every((val) => val == true)
-      ) {
+      if (this.typeHasAllActionsSelected(type)) {
         this.typesWithAllActions.add(type)
       } else {
         this.typesWithAllActions.delete(type)
@@ -149,12 +152,16 @@ export class PermissionsSelectComponent
     this.form.valueChanges.subscribe((newValue) => {
       let permissions = []
       Object.entries(newValue).forEach(([typeKey, typeValue]) => {
-        // e.g. [Document, { Add: true, View: true ... }]
         const selectedActions = Object.entries(typeValue).filter(
-          ([actionKey, actionValue]) => actionValue == true
+          ([actionKey, actionValue]) =>
+            actionValue &&
+            this.isActionSupported(
+              PermissionType[typeKey],
+              PermissionAction[actionKey]
+            )
         )
 
-        selectedActions.forEach(([actionKey, actionValue]) => {
+        selectedActions.forEach(([actionKey]) => {
           permissions.push(
             (PermissionType[typeKey] as string).replace(
               '%s',
@@ -163,7 +170,7 @@ export class PermissionsSelectComponent
           )
         })
 
-        if (selectedActions.length == Object.entries(typeValue).length) {
+        if (this.typeHasAllActionsSelected(typeKey)) {
           this.typesWithAllActions.add(typeKey)
         } else {
           this.typesWithAllActions.delete(typeKey)
@@ -174,19 +181,23 @@ export class PermissionsSelectComponent
         permissions.filter((p) => !this._inheritedPermissions.includes(p))
       )
     })
+
+    this.updateDisabledStates()
   }
 
   toggleAll(event, type) {
     const typeGroup = this.form.get(type)
-    if (event.target.checked) {
-      Object.keys(PermissionAction).forEach((action) => {
-        typeGroup.get(action).patchValue(true)
+    Object.keys(PermissionAction)
+      .filter((action) =>
+        this.isActionSupported(PermissionType[type], PermissionAction[action])
+      )
+      .forEach((action) => {
+        typeGroup.get(action).patchValue(event.target.checked)
       })
+
+    if (this.typeHasAllActionsSelected(type)) {
       this.typesWithAllActions.add(type)
     } else {
-      Object.keys(PermissionAction).forEach((action) => {
-        typeGroup.get(action).patchValue(false)
-      })
       this.typesWithAllActions.delete(type)
     }
   }
@@ -201,14 +212,21 @@ export class PermissionsSelectComponent
         )
       )
     } else {
-      return Object.values(PermissionAction).every((action) => {
-        return this._inheritedPermissions.includes(
-          this.permissionsService.getPermissionCode(
-            action as PermissionAction,
-            PermissionType[typeKey]
+      return Object.keys(PermissionAction)
+        .filter((action) =>
+          this.isActionSupported(
+            PermissionType[typeKey],
+            PermissionAction[action]
           )
         )
-      })
+        .every((action) => {
+          return this._inheritedPermissions.includes(
+            this.permissionsService.getPermissionCode(
+              PermissionAction[action],
+              PermissionType[typeKey]
+            )
+          )
+        })
     }
   }
 
@@ -216,12 +234,55 @@ export class PermissionsSelectComponent
     this.allowedTypes.forEach((type) => {
       const control = this.form.get(type)
       let actionControl: AbstractControl
-      for (const action in PermissionAction) {
+      for (const action of Object.keys(PermissionAction)) {
         actionControl = control.get(action)
+        if (
+          !this.isActionSupported(
+            PermissionType[type],
+            PermissionAction[action]
+          )
+        ) {
+          actionControl.patchValue(false, { emitEvent: false })
+          actionControl.disable({ emitEvent: false })
+          continue
+        }
+
         this.isInherited(type, action) || this.disabled
-          ? actionControl.disable()
-          : actionControl.enable()
+          ? actionControl.disable({ emitEvent: false })
+          : actionControl.enable({ emitEvent: false })
       }
     })
   }
+
+  public isActionSupported(
+    type: PermissionType,
+    action: PermissionAction
+  ): boolean {
+    // Global statistics and system status only support view
+    if (
+      type === PermissionType.GlobalStatistics ||
+      type === PermissionType.SystemStatus
+    ) {
+      return action === PermissionAction.View
+    }
+
+    return true
+  }
+
+  private typeHasAllActionsSelected(typeKey: string): boolean {
+    return Object.keys(PermissionAction)
+      .filter((action) =>
+        this.isActionSupported(
+          PermissionType[typeKey],
+          PermissionAction[action]
+        )
+      )
+      .every((action) => !!this.form.get(typeKey)?.get(action)?.value)
+  }
+
+  public sortActions = (
+    a: KeyValue<string, PermissionAction>,
+    b: KeyValue<string, PermissionAction>
+  ): number =>
+    this.actionOrder.indexOf(a.value) - this.actionOrder.indexOf(b.value)
 }

src-ui/src/app/services/permissions.service.spec.ts

@@ -6,6 +6,11 @@ import {
   PermissionsService,
 } from './permissions.service'
 
+const VIEW_ONLY_PERMISSION_TYPES = new Set<PermissionType>([
+  PermissionType.GlobalStatistics,
+  PermissionType.SystemStatus,
+])
+
 describe('PermissionsService', () => {
   let permissionsService: PermissionsService
 
@@ -264,6 +269,8 @@ describe('PermissionsService', () => {
         'change_applicationconfiguration',
         'delete_applicationconfiguration',
         'view_applicationconfiguration',
+        'view_global_statistics',
+        'view_system_status',
       ],
       {
         username: 'testuser',
@@ -274,7 +281,10 @@ describe('PermissionsService', () => {
 
     Object.values(PermissionType).forEach((type) => {
       Object.values(PermissionAction).forEach((action) => {
-        expect(permissionsService.currentUserCan(action, type)).toBeTruthy()
+        expect(permissionsService.currentUserCan(action, type)).toBe(
+          !VIEW_ONLY_PERMISSION_TYPES.has(type) ||
+            action === PermissionAction.View
+        )
       })
     })
 

src-ui/src/app/services/permissions.service.ts

@@ -29,6 +29,8 @@ export enum PermissionType {
   CustomField = '%s_customfield',
   Workflow = '%s_workflow',
   ProcessedMail = '%s_processedmail',
+  GlobalStatistics = '%s_global_statistics',
+  SystemStatus = '%s_system_status',
 }
 
 @Injectable({