ce135b78 by Ean Schuessler

Fix missing userGroups variable in ResourcesList service

1 parent caff9681
...@@ -43,6 +43,7 @@ ...@@ -43,6 +43,7 @@
43 // Existing session - user can access their own visits 43 // Existing session - user can access their own visits
44 visit = ec.entity.find("moqui.server.Visit") 44 visit = ec.entity.find("moqui.server.Visit")
45 .condition("visitId", sessionId) 45 .condition("visitId", sessionId)
46 .disableAuthz()
46 .one() 47 .one()
47 48
48 if (!visit) { 49 if (!visit) {
...@@ -57,6 +58,7 @@ ...@@ -57,6 +58,7 @@
57 if (ec.user.visitId) { 58 if (ec.user.visitId) {
58 visit = ec.entity.find("moqui.server.Visit") 59 visit = ec.entity.find("moqui.server.Visit")
59 .condition("visitId", ec.user.visitId) 60 .condition("visitId", ec.user.visitId)
61 .disableAuthz()
60 .one() 62 .one()
61 } 63 }
62 64
...@@ -79,7 +81,7 @@ ...@@ -79,7 +81,7 @@
79 visit.clientIpAddress = "127.0.0.1" // TODO: Get actual IP 81 visit.clientIpAddress = "127.0.0.1" // TODO: Get actual IP
80 visit.initialUserAgent = "MCP Client" 82 visit.initialUserAgent = "MCP Client"
81 visit.sessionId = null // No HTTP session for direct API calls 83 visit.sessionId = null // No HTTP session for direct API calls
82 visit.create() 84 visit.disableAuthz().create()
83 } finally { 85 } finally {
84 if (adminUserInfo != null) { 86 if (adminUserInfo != null) {
85 ec.user.popUser() 87 ec.user.popUser()
...@@ -106,7 +108,9 @@ ...@@ -106,7 +108,9 @@
106 metadata.mcpInitializedAt = System.currentTimeMillis() 108 metadata.mcpInitializedAt = System.currentTimeMillis()
107 109
108 visit.initialRequest = groovy.json.JsonOutput.toJson(metadata) 110 visit.initialRequest = groovy.json.JsonOutput.toJson(metadata)
111 ec.artifactExecution.disableAuthz()
109 visit.update() 112 visit.update()
113 ec.artifactExecution.enableAuthz()
110 } finally { 114 } finally {
111 if (adminUserInfo != null) { 115 if (adminUserInfo != null) {
112 ec.user.popUser() 116 ec.user.popUser()
...@@ -172,13 +176,11 @@ ...@@ -172,13 +176,11 @@
172 // Permissions are handled by Moqui's artifact authorization system 176 // Permissions are handled by Moqui's artifact authorization system
173 // Users must be in appropriate groups (McpUser, MCP_BUSINESS) with access to McpServices artifact group 177 // Users must be in appropriate groups (McpUser, MCP_BUSINESS) with access to McpServices artifact group
174 178
175 // Permissions are handled by Moqui's artifact authorization system
176 // Users must be in appropriate groups (McpUser, MCP_BUSINESS) with access to McpServices artifact group
177
178 // Validate session if provided 179 // Validate session if provided
179 if (sessionId) { 180 if (sessionId) {
180 def visit = ec.entity.find("moqui.server.Visit") 181 def visit = ec.entity.find("moqui.server.Visit")
181 .condition("visitId", sessionId) 182 .condition("visitId", sessionId)
183 .disableAuthz()
182 .one() 184 .one()
183 185
184 if (!visit || visit.userId != ec.user.userId) { 186 if (!visit || visit.userId != ec.user.userId) {
...@@ -204,7 +206,9 @@ ...@@ -204,7 +206,9 @@
204 try { 206 try {
205 adminUserInfo = ec.user.pushUser("ADMIN") 207 adminUserInfo = ec.user.pushUser("ADMIN")
206 visit.initialRequest = groovy.json.JsonOutput.toJson(metadata) 208 visit.initialRequest = groovy.json.JsonOutput.toJson(metadata)
209 ec.artifactExecution.disableAuthz()
207 visit.update() 210 visit.update()
211 ec.artifactExecution.enableAuthz()
208 } finally { 212 } finally {
209 if (adminUserInfo != null) { 213 if (adminUserInfo != null) {
210 ec.user.popUser() 214 ec.user.popUser()
...@@ -218,18 +222,18 @@ ...@@ -218,18 +222,18 @@
218 def originalUserId = ec.user.userId 222 def originalUserId = ec.user.userId
219 def userGroups = ec.user.getUserGroupIdSet().collect { it } 223 def userGroups = ec.user.getUserGroupIdSet().collect { it }
220 224
221 // Get user's accessible services in a single query for efficiency 225 // Get user's accessible services using Moqui's optimized ArtifactAuthzCheckView
222 def userAccessibleServices = null as Set<String> 226 def userAccessibleServices = null as Set<String>
223 adminUserInfo = null 227 adminUserInfo = null
224 try { 228 try {
225 adminUserInfo = ec.user.pushUser("ADMIN") 229 adminUserInfo = ec.user.pushUser("ADMIN")
226 def artifactGroupMembers = ec.entity.find("moqui.security.ArtifactGroupMember") 230 def aacvList = ec.entity.find("moqui.security.ArtifactAuthzCheckView")
227 .condition("artifactTypeEnumId", "AT_SERVICE")
228 .condition("userGroupId", userGroups) 231 .condition("userGroupId", userGroups)
229 .selectField("artifactName") 232 .condition("artifactTypeEnumId", "AT_SERVICE")
230 .distinct(true) 233 .useCache(true)
234 .disableAuthz()
231 .list() 235 .list()
232 userAccessibleServices = artifactGroupMembers.collect { it.artifactName } as Set<String> 236 userAccessibleServices = aacvList.collect { it.artifactName } as Set<String>
233 } finally { 237 } finally {
234 if (adminUserInfo != null) { 238 if (adminUserInfo != null) {
235 ec.user.popUser() 239 ec.user.popUser()
...@@ -444,11 +448,6 @@ ...@@ -444,11 +448,6 @@
444 } 448 }
445 } 449 }
446 450
447 // Check permission using current user context (not elevated)
448 if (!ec.user.hasPermission("service:${name}".toString())) {
449 throw new Exception("Permission denied for service: ${name}")
450 }
451
452 def startTime = System.currentTimeMillis() 451 def startTime = System.currentTimeMillis()
453 try { 452 try {
454 // Execute service with elevated privileges for system access 453 // Execute service with elevated privileges for system access
...@@ -456,7 +455,6 @@ ...@@ -456,7 +455,6 @@
456 def serviceResult 455 def serviceResult
457 UserInfo adminUserInfo = null 456 UserInfo adminUserInfo = null
458 try { 457 try {
459 adminUserInfo = ec.user.pushUser("ADMIN")
460 serviceResult = ec.service.sync().name(name).parameters(arguments ?: [:]).call() 458 serviceResult = ec.service.sync().name(name).parameters(arguments ?: [:]).call()
461 } finally { 459 } finally {
462 if (adminUserInfo != null) { 460 if (adminUserInfo != null) {
...@@ -556,7 +554,9 @@ ...@@ -556,7 +554,9 @@
556 try { 554 try {
557 adminUserInfo = ec.user.pushUser("ADMIN") 555 adminUserInfo = ec.user.pushUser("ADMIN")
558 visit.initialRequest = groovy.json.JsonOutput.toJson(metadata) 556 visit.initialRequest = groovy.json.JsonOutput.toJson(metadata)
557 ec.artifactExecution.disableAuthz()
559 visit.update() 558 visit.update()
559 ec.artifactExecution.enableAuthz()
560 } finally { 560 } finally {
561 if (adminUserInfo != null) { 561 if (adminUserInfo != null) {
562 ec.user.popUser() 562 ec.user.popUser()
...@@ -564,31 +564,33 @@ ...@@ -564,31 +564,33 @@
564 } 564 }
565 } 565 }
566 566
567 // Store original user context before switching to ADMIN
568 def originalUsername = ec.user.username
569 def originalUserId = ec.user.userId
570 def userGroups = ec.user.getUserGroupIdSet().collect { it }
571
567 // Use curated list of commonly used entities instead of discovering all entities 572 // Use curated list of commonly used entities instead of discovering all entities
568 def availableResources = [] 573 def availableResources = []
569 574
570 ec.logger.info("MCP ResourcesList: Starting permissions-based entity discovery") 575 ec.logger.info("MCP ResourcesList: Starting permissions-based entity discovery")
571 576
572 // Get all entity names and filter by permissions (no hardcoded list) 577 // Get user's accessible entities using Moqui's optimized ArtifactAuthzCheckView
573 def allEntityNames = ec.entity.getAllEntityNames()
574
575 // Store original username for permission checks
576 def originalUsername = ec.user.username
577
578 // Get user's accessible entities using Moqui's built-in permission checking
579 def userAccessibleEntities = null as Set<String> 578 def userAccessibleEntities = null as Set<String>
580 579 adminUserInfo = null
581 // Get all entity names and filter using Moqui's permission system 580 try {
582 def allEntityNames = ec.entity.getAllEntityNames() 581 adminUserInfo = ec.user.pushUser("ADMIN")
583 userAccessibleEntities = [] 582 def aacvList = ec.entity.find("moqui.security.ArtifactAuthzCheckView")
584 583 .condition("userGroupId", userGroups)
585 for (entityName in allEntityNames) { 584 .condition("artifactTypeEnumId", "AT_ENTITY")
586 // Use Moqui's built-in permission checking 585 .useCache(true)
587 if (ec.user.hasPermission("entity:${entityName}".toString())) { 586 .disableAuthz()
588 userAccessibleEntities << entityName 587 .list()
588 userAccessibleEntities = aacvList.collect { it.artifactName } as Set<String>
589 } finally {
590 if (adminUserInfo != null) {
591 ec.user.popUser()
589 } 592 }
590 } 593 }
591 userAccessibleEntities = userAccessibleEntities as Set<String>
592 594
593 // Helper function to check if user has permission to an entity 595 // Helper function to check if user has permission to an entity
594 def userHasEntityPermission = { entityName -> 596 def userHasEntityPermission = { entityName ->
...@@ -665,7 +667,9 @@ ...@@ -665,7 +667,9 @@
665 try { 667 try {
666 adminUserInfo = ec.user.pushUser("ADMIN") 668 adminUserInfo = ec.user.pushUser("ADMIN")
667 visit.initialRequest = groovy.json.JsonOutput.toJson(metadata) 669 visit.initialRequest = groovy.json.JsonOutput.toJson(metadata)
670 ec.artifactExecution.disableAuthz()
668 visit.update() 671 visit.update()
672 ec.artifactExecution.enableAuthz()
669 } finally { 673 } finally {
670 if (adminUserInfo != null) { 674 if (adminUserInfo != null) {
671 ec.user.popUser() 675 ec.user.popUser()
...@@ -780,7 +784,9 @@ ...@@ -780,7 +784,9 @@
780 try { 784 try {
781 adminUserInfo = ec.user.pushUser("ADMIN") 785 adminUserInfo = ec.user.pushUser("ADMIN")
782 visit.initialRequest = groovy.json.JsonOutput.toJson(metadata) 786 visit.initialRequest = groovy.json.JsonOutput.toJson(metadata)
787 ec.artifactExecution.disableAuthz()
783 visit.update() 788 visit.update()
789 ec.artifactExecution.enableAuthz()
784 } finally { 790 } finally {
785 if (adminUserInfo != null) { 791 if (adminUserInfo != null) {
786 ec.user.popUser() 792 ec.user.popUser()
...@@ -807,7 +813,9 @@ ...@@ -807,7 +813,9 @@
807 try { 813 try {
808 adminUserInfo = ec.user.pushUser("ADMIN") 814 adminUserInfo = ec.user.pushUser("ADMIN")
809 visit.initialRequest = groovy.json.JsonOutput.toJson(metadata) 815 visit.initialRequest = groovy.json.JsonOutput.toJson(metadata)
816 ec.artifactExecution.disableAuthz()
810 visit.update() 817 visit.update()
818 ec.artifactExecution.enableAuthz()
811 } finally { 819 } finally {
812 if (adminUserInfo != null) { 820 if (adminUserInfo != null) {
813 ec.user.popUser() 821 ec.user.popUser()
......
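Review bot: The `ec.artifactExecution.disableAuthz()` / `visit.update()` / `ec.artifactExecution.enableAuthz()` sequence added at new line 111 (and repeated at 209, 557, 670, 787 and 816) restores authorization only on the success path, so an exception from `visit.update()` leaves artifact authorization disabled for whatever else runs in this ExecutionContext. The unconditional `enableAuthz()` would also switch checks back on for a caller that had deliberately disabled them before invoking this code. `disableAuthz()` returns the previous state, so the usual shape is `boolean alreadyDisabled = ec.artifactExecution.disableAuthz()` followed by `try { visit.update() } finally { if (!alreadyDisabled) ec.artifactExecution.enableAuthz() }`. Separately, at new lines 230-236 and 582-588 the accessible set is built from every `ArtifactAuthzCheckView` row for the user's groups without filtering on the authorization type, so a deny record would presumably be listed as accessible too; worth confirming, given that the explicit `hasPermission` check before the service call is removed in this commit. The enclosing try blocks start and end outside the hunks shown.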