XWIKI-22656: Add a UI for setting required rights on a document (#4158)

* Add an analyzer for analyzing just the content and title of the
  document.
* Add an analyzer for analyzing a whole document including all
  translations.
* Add a REST API to get the analysis results and the available rights.
* Add a JavaScript component for a dialog to set required rights.
* Add a UI Extension to warn users about missing rights.
* Add a UI Extension for the page information to display and set
  required rights.
* Add a dependency to the UI to the flavor.
* Reload the information and the warning above the document when the
  document is saved.
* Support updating required rights via the REST API.
* Extend the Document script API with methods that take EntityReference
  instead of String for the class name.
* Add a new JavaScript event that signals when required rights have been
  updated.
* Reload the content both in view and edit mode when required rights are
  updated.
* Add page objects.
* Add integration tests.

Author: michitux

xwiki-platform-core/xwiki-platform-ckeditor/xwiki-platform-ckeditor-plugins/src/main/webjar/xwiki-rights/plugin.js

@@ -0,0 +1,55 @@
+/*
+ * See the NOTICE file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+(function () {
+    'use strict';
+    const $ = jQuery;
+
+    // Reload the content of the CKEditor instances when the document rights are changed to reflect the new rights
+    // in the executed macros.
+    $(document).on('xwiki:document:requiredRightsUpdated.ckeditor', function (event, data) {
+        $.each(CKEDITOR.instances, function(key, editor) {
+            if (matchesRequiredRightsChangeEvent(editor, event, data)) {
+                maybeReload(editor);
+            }
+        });
+    });
+
+    const matchesRequiredRightsChangeEvent = function (editor, event, data) {
+        // Check if the syntax change event targets the edited document (the source document).
+        return editor.config.sourceDocument.documentReference.equals(data.documentReference) &&
+            // Check if the syntax plugin is enabled for this editor instance.
+            editor.plugins['xwiki-rights'];
+    };
+
+    const maybeReload = function (editor) {
+        // Only reload in WYSIWYG mode. In source mode, rights aren't influencing anything.
+        // TODO: it would be nice if we could mark something in source mode to ensure that on the next switch to
+        //  wysiwyg mode, the content would be reloaded regardless if it has been modified or not.
+        if (editor.mode === 'wysiwyg') {
+            editor.execCommand('xwiki-refresh');
+        }
+    };
+
+    // An empty plugin that can be used to enable / disable the reloading on required rights changes on a particular
+    // CKEditor instance.
+    CKEDITOR.plugins.add('xwiki-rights', {
+        requires: 'xwiki-macro,xwiki-source'
+    });
+})();

xwiki-platform-core/xwiki-platform-ckeditor/xwiki-platform-ckeditor-webjar/src/main/webjar/config.js

@@ -174,6 +174,7 @@ CKEDITOR.editorConfig = function(config) {
       'xwiki-maximize',
       'xwiki-office',
       'xwiki-realtime',
+      'xwiki-rights',
       'xwiki-save',
       'xwiki-selection',
       'xwiki-slash',

xwiki-platform-core/xwiki-platform-edit/xwiki-platform-edit-test/xwiki-platform-edit-test-docker/pom.xml

@@ -75,6 +75,13 @@
       <version>${project.version}</version>
       <type>xar</type>
     </dependency>
+    <!-- Used to test the integration between required rights and the editor. -->
+    <dependency>
+      <groupId>org.xwiki.platform</groupId>
+      <artifactId>xwiki-platform-security-requiredrights-ui</artifactId>
+      <version>${project.version}</version>
+      <scope>runtime</scope>
+    </dependency>
     <!-- ================================
          Test only dependencies
          ================================ -->

xwiki-platform-core/xwiki-platform-edit/xwiki-platform-edit-test/xwiki-platform-edit-test-docker/src/test/it/org/xwiki/edit/test/ui/InplaceEditIT.java

@@ -37,7 +37,11 @@
 import org.xwiki.test.docker.junit5.TestReference;
 import org.xwiki.test.docker.junit5.UITest;
 import org.xwiki.test.ui.TestUtils;
+import org.xwiki.test.ui.po.InformationPane;
+import org.xwiki.test.ui.po.RequiredRightsModal;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.startsWith;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNull;
@@ -439,4 +443,59 @@ void selectionRestoreOnSwitchToSource(TestUtils setup, TestReference testReferen
 
         viewPage.cancel();
     }
+
+    @Test
+    @Order(8)
+    void refreshOnRequiredRightsChange(TestUtils setup, TestReference testReference)
+    {
+        // Test that updating required rights refreshes the content.
+
+        // Grant alice script right on this page to allow using the Velocity macro.
+        setup.loginAsSuperAdmin();
+        setup.setRights(testReference, null, "XWiki.alice", "script", true);
+        setup.loginAndGotoPage("alice", "pa$$word", setup.getURL(testReference));
+
+        // Enter in-place edit mode.
+        InplaceEditablePage viewPage = new InplaceEditablePage().editInplace();
+        CKEditor ckeditor = new CKEditor("content");
+        RichTextAreaElement richTextArea = ckeditor.getRichTextArea();
+        richTextArea.clear();
+
+        // Insert the Velocity macro. The macro placeholder should be displayed.
+        richTextArea.sendKeys(Keys.ENTER, "/velocity");
+        AutocompleteDropdown qa = new AutocompleteDropdown();
+        qa.waitForItemSelected("/velocity", "Velocity");
+        richTextArea.sendKeys(Keys.ENTER);
+        qa.waitForItemSubmitted();
+
+        richTextArea.waitForContentRefresh();
+
+        assertEquals("macro:velocity", richTextArea.getText());
+
+        InformationPane informationPane = viewPage.openInformationDocExtraPane();
+
+        RequiredRightsModal requiredRightsModal = informationPane.openRequiredRightsModal();
+        requiredRightsModal.setEnforceRequiredRights(true);
+        requiredRightsModal.clickSave(true);
+
+        richTextArea.waitForContentRefresh();
+
+        assertThat(richTextArea.getText(), startsWith("Failed to execute the [velocity] macro."));
+
+        viewPage.save();
+
+        assertTrue(viewPage.hasRequiredRightsWarning(true));
+
+        requiredRightsModal = viewPage.openRequiredRightsModal();
+        requiredRightsModal.setEnforcedRequiredRight("script");
+        requiredRightsModal.clickSave(true);
+
+        richTextArea.waitForContentRefresh();
+
+        assertEquals("macro:velocity", richTextArea.getText());
+
+        setup.getDriver().waitUntilCondition(driver -> !viewPage.hasRequiredRightsWarning(false));
+
+        viewPage.cancel();
+    }
 }

xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/api/Document.java

@@ -54,6 +54,7 @@
 import org.xwiki.model.internal.document.SafeDocumentAuthors;
 import org.xwiki.model.reference.DocumentReference;
 import org.xwiki.model.reference.DocumentReferenceResolver;
+import org.xwiki.model.reference.EntityReference;
 import org.xwiki.model.reference.EntityReferenceSerializer;
 import org.xwiki.model.reference.ObjectReference;
 import org.xwiki.model.reference.PageReference;
@@ -1169,6 +1170,24 @@ public Object newObject(String classname) throws XWikiException
         return getObject(classname, nb);
     }
 
+    /**
+     * Creates a new XObject from the given class reference.
+     *
+     * @param classReference the reference to the class of the XObject to be created
+     * @return the object created
+     * @throws XWikiException if an error occurs while creating the XObject
+     * @since 17.4.0RC1
+     */
+    @Unstable
+    public Object newObject(EntityReference classReference) throws XWikiException
+    {
+        int index = getDoc().createXObject(classReference, getXWikiContext());
+
+        updateAuthor();
+
+        return getObject(classReference, index);
+    }
+
     /**
      * @return true of the document has been loaded from cache
      */
@@ -1229,6 +1248,21 @@ public Vector<Object> getObjects(String className)
         return getXObjects(objects);
     }
 
+    /**
+     * Retrieves and returns all objects corresponding to the class reference corresponding to the resolution of the
+     * given entity reference, or an empty list if there are none.
+     *
+     * @param classReference the reference that is resolved to an XClass for retrieving the corresponding xobjects
+     * @return a list of xobjects corresponding to the given XClass or an empty list.
+     * @since 17.4.0RC1
+     */
+    @Unstable
+    public List<Object> getObjects(EntityReference classReference)
+    {
+        List<BaseObject> objects = this.getDoc().getXObjects(classReference);
+        return getXObjects(objects);
+    }
+
     /**
      * Get the first object that contains the given fieldname
      *
@@ -1387,6 +1421,29 @@ public Object getObject(String classname, int nb)
         }
     }
 
+    /**
+     * Gets the object matching the given class reference and given object number.
+     *
+     * @param classReference the reference of the class of the object
+     * @param nb the number of the object
+     * @return the XWiki Object
+     * @since 17.4.0RC1
+     */
+    @Unstable
+    public Object getObject(EntityReference classReference, int nb)
+    {
+        try {
+            BaseObject obj = this.getDoc().getXObject(classReference, nb);
+            if (obj == null) {
+                return null;
+            } else {
+                return newObjectApi(obj, getXWikiContext());
+            }
+        } catch (Exception e) {
+            return null;
+        }
+    }
+
     /**
      * @param objectReference the object reference
      * @return the XWiki object from this document that matches the specified object reference
@@ -1882,7 +1939,7 @@ public Attachment getAttachment(String filename)
 
     /**
      * @param filename the name of the attachment
-     * @return the attachment with the given filename or null if the attachment does not exist
+     * @return the attachment with the given filename or null if the attachment doesn’t exist
      * @since 17.2.0RC1
      */
     public Attachment removeAttachment(String filename)

xwiki-platform-core/xwiki-platform-oldcore/src/main/java/org/xwiki/internal/document/DocumentRequiredRightsReader.java

@@ -31,6 +31,7 @@
 import org.slf4j.Logger;
 import org.xwiki.component.annotation.Component;
 import org.xwiki.model.EntityType;
+import org.xwiki.model.reference.DocumentReference;
 import org.xwiki.model.reference.EntityReference;
 import org.xwiki.model.reference.LocalDocumentReference;
 import org.xwiki.security.authorization.Right;
@@ -115,17 +116,24 @@ public DocumentRequiredRights readRequiredRights(XWikiDocument document)
         return new DocumentRequiredRights(enforce, rights);
     }
 
-    private DocumentRequiredRight readRequiredRight(BaseObject object)
+    /**
+     * Read the required right from an XObject.
+     *
+     * @param object the XObject to read the required right from. Must not be {@code null}
+     * @return the required right. Can be an illegal right if the value of the property is not a valid right
+     * @since 17.4.0RC1
+     */
+    public DocumentRequiredRight readRequiredRight(BaseObject object)
     {
         String value = object.getStringValue(PROPERTY_NAME);
-        EntityType entityType = EntityType.DOCUMENT;
+        EntityType initialEntityType = EntityType.DOCUMENT;
         Right right = Right.toRight(value);
         if (right.equals(Right.ILLEGAL)) {
             String[] levelRight = StringUtils.split(value, "_", 2);
             if (levelRight.length == 2) {
                 right = Right.toRight(levelRight[1]);
                 try {
-                    entityType = EntityType.valueOf(levelRight[0].toUpperCase());
+                    initialEntityType = EntityType.valueOf(levelRight[0].toUpperCase());
                 } catch (IllegalArgumentException e) {
                     // Ensure that we return an illegal right even if the right part of the value could be parsed.
                     right = Right.ILLEGAL;
@@ -134,15 +142,35 @@ private DocumentRequiredRight readRequiredRight(BaseObject object)
             }
         }
 
+        EntityType entityType = getEffectiveEntityType(right, initialEntityType, object.getDocumentReference());
+
+        return new DocumentRequiredRight(right, entityType);
+    }
+
+    /**
+     * Determines the most specific effective {@link EntityType} based on the specified parameters. It adjusts
+     * the entity type according to the rights' targeted entity types and the provided base document reference.
+     *
+     * @param right the {@link Right} being analyzed; it defines the targeted entity types to consider
+     * @param initialEntityType the initial {@link EntityType} to be evaluated
+     * @param baseDocumentReference the base {@link DocumentReference} used to adjust and validate the entity type
+     * @return the most specific {@link EntityType} that is targeted by the {@link Right} and the same level or above
+     * the given initial entity type in the hierarchy of the document reference. If no suitable entity type is found,
+     * it defaults to {@link EntityType#DOCUMENT}, or null if the right targets only the farm level
+     */
+    public EntityType getEffectiveEntityType(Right right, EntityType initialEntityType,
+        DocumentReference baseDocumentReference)
+    {
+        EntityType entityType = initialEntityType;
         Set<EntityType> targetedEntityTypes = right.getTargetedEntityType();
         if (targetedEntityTypes == null) {
             // This means the right targets only the farm level, which is null.
             entityType = null;
         } else {
-            EntityReference entityReference = object.getDocumentReference().extractReference(entityType);
+            EntityReference entityReference = baseDocumentReference.extractReference(entityType);
             // The specified entity type seems to be below the document level. Fall back to document level instead.
             if (entityReference == null) {
-                entityReference = object.getDocumentReference();
+                entityReference = baseDocumentReference;
             }
             // Try to get the lowest level where this right can be assigned. This is done to ensure that, e.g.,
             // programming right can imply admin right on the wiki level even if programming right is only specified on
@@ -157,7 +185,6 @@ private DocumentRequiredRight readRequiredRight(BaseObject object)
                 entityType = EntityType.DOCUMENT;
             }
         }
-
-        return new DocumentRequiredRight(right, entityType);
+        return entityType;
     }
 }

xwiki-platform-core/xwiki-platform-security/pom.xml

@@ -35,5 +35,6 @@
     <module>xwiki-platform-security-authentication</module>
     <module>xwiki-platform-security-authorization</module>
     <module>xwiki-platform-security-requiredrights</module>
+    <module>xwiki-platform-security-test</module>
   </modules>
 </project>

xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-requiredrights/pom.xml

@@ -33,6 +33,8 @@
     <module>xwiki-platform-security-requiredrights-api</module>
     <module>xwiki-platform-security-requiredrights-default</module>
     <module>xwiki-platform-security-requiredrights-macro</module>
+    <module>xwiki-platform-security-requiredrights-rest</module>
+    <module>xwiki-platform-security-requiredrights-ui</module>
   </modules>
   <profiles>
     <profile>

xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-requiredrights/xwiki-platform-security-requiredrights-default/src/main/java/org/xwiki/platform/security/requiredrights/internal/RequiredRightChangeSuggestion.java

@@ -0,0 +1,41 @@
+/*
+ * See the NOTICE file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.xwiki.platform.security.requiredrights.internal;
+
+import org.xwiki.security.authorization.requiredrights.DocumentRequiredRight;
+
+/**
+ * A suggestion for an operation that removes or adds rights to a document.
+ *
+ * @param increasesRights if more rights are granted due to this change
+ * @param rightToRemove the right to replace
+ * @param rightToAdd the right to add
+ * @param requiresManualReview if the analysis is certain that the right is needed/not needed or the user needs to
+ * @param hasPermission if the current user has the permission to perform the proposed change manually review the
+ *     analysis result to determine if the right is actually needed/not needed
+ *
+ * @version $Id$
+ * @since 17.4.0RC1
+ */
+public record RequiredRightChangeSuggestion(boolean increasesRights, DocumentRequiredRight rightToRemove,
+                                            DocumentRequiredRight rightToAdd, boolean requiresManualReview,
+                                            boolean hasPermission)
+{
+}