sig#809 - enhance permission validation for Onboarding Service Provider

[MaximilianHauer]

Precondition

• sig#809 - enhance permission logic for OSP management board  portal-iam#186
• sig#809 - Implement permission for Onboarding Service Provider endpoints  portal-backend#994

Description

The Onboarding Service Provider Management Page is intended for Onboarding Service Providers (OSPs) only. Therefore, it is necessary to check not only the user's role permissions but also whether the company itself has the Onboarding Service Provider Role.

Otherwise, the page would be visible to company types that have no interest in this information.

To achieve this:

Get the company role from the endpoint GET: /api/administration/companydata/ownCompanyDetails.
Check for the ONBOARDING_SERVICE_PROVIDER role.
Check against the configure_partner_registration permission to ensure that only users of OSP companies are able to execute the endpoints and have the necessary rights.
Overall, it needs to be ensured that no company or role can see this page unless they can use it properly, to avoid frustrating the user during their journey.

Acceptance Criteria

Visibility Restriction:

• The Onboarding Service Provider Management Page is only visible to users who belong to companies with the "Onboarding Service Provider" role.
• Users from other company types cannot access or view the Onboarding Service Provider Management Page.

Role and Permission Checks:

• The system checks the user's role and the company's role when loading the menu to show the Onboarding Service Provider Management Page.
• The user must have the configure_partner_registration permission to access and perform actions on the Onboarding Service Provider Management Page.
• Users without the required role and permission are denied access to the page and any associated endpoints.

Endpoint Response Handling:

• If a user without the required role and permission attempts to access the Onboarding Service Provider Management Page directly the system responds with an appropriate HTTP status code (e.g., 403 Forbidden) and a clear error message.

Test Cases

--

1. Verify that the Onboarding Service Provider Management Page is only visible to users who belong to companies with the "Onboarding Service Provider" role.

   • Test Case 1.1: Log in as a user who belongs to a company with the "Onboarding Service Provider" role.
     • Expected Result: The Onboarding Service Provider Management Page is visible in the user interface.
   • Test Case 1.2: Log in as a user who belongs to a company without the "Onboarding Service Provider" role.
     • Expected Result: The Onboarding Service Provider Management Page is not visible in the user interface.

2. Verify that users from other company types cannot access or view the Onboarding Service Provider Management Page.

   • Test Case 2.1: Attempt to access the Onboarding Service Provider Management Page directly via the URL while logged in as a user who belongs to a company without the "Onboarding Service Provider" role.
     • Expected Result: The user is denied access to the page, and an appropriate error message is displayed.

3. Verify that the system checks the user's role and the company's role when loading the menu to show the Onboarding Service Provider Management Page.

   • Test Case 3.1: Log in as a user who belongs to a company with the "Onboarding Service Provider" role and has a role with the permission configure_partner_registration (CX Admin/Company Admin/IT Admin).
     • Expected Result: The Onboarding Service Provider Management Page is displayed in the menu.
   • Test Case 3.2: Log in as a user who belongs to a company with the "Onboarding Service Provider" role but has has a role without the permission configure_partner_registration.
     • Expected Result: The Onboarding Service Provider Management Page is not displayed in the menu.

4. Verify that if a user without the required role and permission attempts to access the Onboarding Service Provider Management Page directly, the system responds with an appropriate HTTP status code (e.g., 403 Forbidden) and a clear error message.

   • Test Case 5.1: Attempt to access the Onboarding Service Provider Management Page directly via the URL while logged in as a user who belongs to a company without the "Onboarding Service Provider" role.
     • Expected Result: The system responds with an HTTP status code of 403 Forbidden and a clear error message.
   • Test Case 5.2: Attempt to access the Onboarding Service Provider Management Page directly via the URL while logged in as a user who belongs to a company with the "Onboarding Service Provider" role but does not have the configure_partner_registration permission.
     • Expected Result: The system responds with an HTTP status code of 403 Forbidden and a clear error message.

[MaximilianHauer]

@lavanya-bmw is this done and can be tested by @gopalreddy-bmw then please update the status

[lavanya-bmw]

@MaximilianHauer after discussing with @oyo, martin will further implement generic company role validation mechanism.
Once these changes are available, I will revert the company role permission changes for #1176

[MaximilianHauer]

@gopalreddy-bmw can you retest this please.

[MaximilianHauer]

@lavanya-bmw / @oyo
we aligned today that the current implementation is sufficient. @oyo will create a new issue to improve the company role handling in a proper and secure manner.

@evegufy fyi