alkem-io · valentinyanakiev · Dec 11, 2024 · Sep 29, 2024 · Sep 29, 2024 · Sep 29, 2024
diff --git a/src/core/bootstrap/bootstrap.service.ts b/src/core/bootstrap/bootstrap.service.ts
@@ -520,7 +520,7 @@ export class BootstrapService {
 
       const space = await this.accountService.createSpaceOnAccount(spaceInput);
       const spaceAuthorizations =
-        await this.spaceAuthorizationService.applyAuthorizationPolicy(space);
+        await this.spaceAuthorizationService.applyAuthorizationPolicy(space.id);
       await this.authorizationPolicyService.saveAll(spaceAuthorizations);
 
       const accountEntitlements =

diff --git a/src/domain/common/authorization-policy/authorization.policy.entity.ts b/src/domain/common/authorization-policy/authorization.policy.entity.ts
@@ -1,5 +1,5 @@
 import { BaseAlkemioEntity } from '@domain/common/entity/base-entity';
-import { Column, Entity } from 'typeorm';
+import { Column, Entity, ManyToOne } from 'typeorm';
 import { IAuthorizationPolicy } from './authorization.policy.interface';
 import { AuthorizationPolicyType } from '@common/enums/authorization.policy.type';
 import { ENUM_LENGTH } from '@common/constants';
@@ -24,6 +24,16 @@ export class AuthorizationPolicy
   @Column('varchar', { length: ENUM_LENGTH, nullable: false })
   type!: AuthorizationPolicyType;
 
+  // An authorization can optionally choose to store a reference to the parent authorization from which it inherits
+  // This is useful for when the entity wants to adjust its settings + may no longer have access without hacky code
+  // to the authorization of the containing entity
+  @ManyToOne(() => AuthorizationPolicy, {
+    eager: false,
+    cascade: false, // MUST not cascade
+    onDelete: 'SET NULL',
+  })
+  parentAuthorizationPolicy?: AuthorizationPolicy;
+
   constructor(type: AuthorizationPolicyType) {
     super();
     this.anonymousReadAccess = false;

diff --git a/src/domain/common/authorization-policy/authorization.policy.interface.ts b/src/domain/common/authorization-policy/authorization.policy.interface.ts
@@ -12,6 +12,8 @@ export abstract class IAuthorizationPolicy extends IBaseAlkemio {
   verifiedCredentialRules!: string;
   privilegeRules!: string;
 
+  parentAuthorizationPolicy?: IAuthorizationPolicy;
+
   @Field(() => AuthorizationPolicyType, {
     nullable: true,
     description:

diff --git a/src/domain/common/authorization-policy/authorization.policy.service.ts b/src/domain/common/authorization-policy/authorization.policy.service.ts
@@ -151,7 +151,7 @@ export class AuthorizationPolicyService {
     return authorization;
   }
 
-  reset(
+  public reset(
     authorizationPolicy: IAuthorizationPolicy | undefined
   ): IAuthorizationPolicy {
     if (!authorizationPolicy) {

diff --git a/src/domain/space/account/account.resolver.mutations.ts b/src/domain/space/account/account.resolver.mutations.ts
@@ -101,7 +101,7 @@ export class AccountResolverMutations {
     space = await this.spaceService.save(space);
 
     const spaceAuthorizations =
-      await this.spaceAuthorizationService.applyAuthorizationPolicy(space);
+      await this.spaceAuthorizationService.applyAuthorizationPolicy(space.id);
     await this.authorizationPolicyService.saveAll(spaceAuthorizations);
 
     const updatedLicenses = await this.spaceLicenseService.applyLicensePolicy(
@@ -424,7 +424,7 @@ export class AccountResolverMutations {
     space = await this.spaceService.save(space);
 
     const spaceAuthorizations =
-      await this.spaceAuthorizationService.applyAuthorizationPolicy(space);
+      await this.spaceAuthorizationService.applyAuthorizationPolicy(space.id);
     await this.authorizationPolicyService.saveAll(spaceAuthorizations);
     // TODO: check if still needed later
     return await this.spaceService.getSpaceOrFail(space.id);

diff --git a/src/domain/space/account/account.service.authorization.ts b/src/domain/space/account/account.service.authorization.ts
@@ -144,12 +144,9 @@ export class AccountAuthorizationService {
     }
     const updatedAuthorizations: IAuthorizationPolicy[] = [];
 
-    const clonedAccountAuth =
-      await this.getClonedAccountAuthExtendedForChildEntities(account);
-
     for (const space of account.spaces) {
       const spaceAuthorizations =
-        await this.spaceAuthorizationService.applyAuthorizationPolicy(space);
+        await this.spaceAuthorizationService.applyAuthorizationPolicy(space.id);
       this.logger.verbose?.(
         `space nameID ${space.nameID}: authorizations to reset count = ${spaceAuthorizations.length}`,
         LogContext.AUTH
@@ -178,6 +175,10 @@ export class AccountAuthorizationService {
       );
     updatedAuthorizations.push(...storageAggregatorAuthorizations);
 
+    // For the VCs, InnovationPacks + InnovationHubs use a cloned + extended authorization
+    const clonedAccountAuth =
+      await this.getClonedAccountAuthExtendedForChildEntities(account);
+
     for (const vc of account.virtualContributors) {
       const updatedVcAuthorizations =
         await this.virtualContributorAuthorizationService.applyAuthorizationPolicy(
@@ -281,7 +282,6 @@ export class AccountAuthorizationService {
     accountHostManage.cascade = true;
     newRules.push(accountHostManage);
 
-    // If the user is a beta tester or part of VC campaign then can create the resources
     const createSpace = this.authorizationPolicyService.createCredentialRule(
       [AuthorizationPrivilege.CREATE_SPACE],
       [...hostCredentials],

diff --git a/src/domain/space/space/space.resolver.mutations.ts b/src/domain/space/space/space.resolver.mutations.ts
@@ -138,7 +138,7 @@ export class SpaceResolverMutations {
     // but not all settings will require this, so only update if necessary
     if (shouldUpdateAuthorization) {
       const updatedAuthorizations =
-        await this.spaceAuthorizationService.applyAuthorizationPolicy(space);
+        await this.spaceAuthorizationService.applyAuthorizationPolicy(space.id);
       await this.authorizationPolicyService.saveAll(updatedAuthorizations);
     }
 
@@ -168,7 +168,7 @@ export class SpaceResolverMutations {
     );
     space = await this.spaceService.save(space);
     const updatedAuthorizations =
-      await this.spaceAuthorizationService.applyAuthorizationPolicy(space);
+      await this.spaceAuthorizationService.applyAuthorizationPolicy(space.id);
     await this.authorizationPolicyService.saveAll(updatedAuthorizations);
 
     return await this.spaceService.getSpaceOrFail(space.id);
@@ -200,7 +200,10 @@ export class SpaceResolverMutations {
     // Save here so can reuse it later without another load
     const displayName = subspace.profile.displayName;
     const updatedAuthorizations =
-      await this.spaceAuthorizationService.applyAuthorizationPolicy(subspace);
+      await this.spaceAuthorizationService.applyAuthorizationPolicy(
+        subspace.id,
+        space.authorization // Important, and will be stored
+      );
 
     await this.authorizationPolicyService.saveAll(updatedAuthorizations);