This is an automated email from the ASF dual-hosted git repository.
xiaozhenliu pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/texera.git
The following commit(s) were added to refs/heads/main by this push:
new 27041a2b3c feat(gui): allow changing workflow access level (#4161)
27041a2b3c is described below
commit 27041a2b3c964a1445979a3b50f592ba6ea27eb7
Author: Seongjin Yoon <[email protected]>
AuthorDate: Wed Jan 21 09:44:36 2026 -0800
feat(gui): allow changing workflow access level (#4161)
<!--
Thanks for sending a pull request (PR)! Here are some tips for you:
1. If this is your first time, please read our contributor guidelines:
[Contributing to
Texera](https://github.com/apache/texera/blob/main/CONTRIBUTING.md)
2. Ensure you have added or run the appropriate tests for your PR
3. If the PR is work in progress, mark it a draft on GitHub.
4. Please write your PR title to summarize what this PR proposes, we
are following Conventional Commits style for PR titles as well.
5. Be sure to keep the PR description updated to reflect all changes.
-->
### What changes were proposed in this PR?
<!--
Please clarify what changes you are proposing. The purpose of this
section
is to outline the changes. Here are some tips for you:
1. If you propose a new API, clarify the use case for a new API.
2. If you fix a bug, you can clarify why it is a bug.
3. If it is a refactoring, clarify what has been changed.
3. It would be helpful to include a before-and-after comparison using
screenshots or GIFs.
4. Please consider writing useful notes for better and faster reviews.
-->
Previously, when a user was given access to a workflow, the access level
(READ/WRITE) could not be changed directly. Users had to revoke access
and re-add with the new level. This PR adds the ability for users with
write access to change the access level of other users via a dropdown.
**Frontend (`share-access.component.ts` /
`share-access.component.html`):**
- Added `hasWriteAccess` that checks write access.
- Added `changeAccessLevel()` method with confirmation warning when a
user downgrades their own access from WRITE to READ.
- Dropdown disabled for users without write access.
**Backend (`WorkflowAccessResource.scala`):**
- Modified `grantAccess` endpoint to allow users with WRITE access to
modify their own access level
**Behavior:**
- Users with WRITE access can change other users' access levels via
dropdown
- Users with WRITE access can downgrade their own access to READ
- Owner's access cannot be changed
**Demo:**
https://github.com/user-attachments/assets/cca50be0-b086-47c1-b4ae-2f10a60b51e9
### Any related issues, documentation, discussions?
<!--
Please use this section to link other resources if not mentioned
already.
1. If this PR fixes an issue, please include `Fixes #1234`, `Resolves
#1234`
or `Closes #1234`. If it is only related, simply mention the issue
number.
2. If there is design documentation, please add the link.
3. If there is a discussion in the mailing list, please add the link.
-->
No
### How was this PR tested?
<!--
If tests were added, say they were added here. Or simply mention that if
the PR
is tested with existing test cases. Make sure to include/update test
cases that
check the changes thoroughly including negative and positive cases if
possible.
If it was tested in a way different from regular unit tests, please
clarify how
you tested step by step, ideally copy and paste-able, so that other
reviewers can
test and check, and descendants can verify in the future. If tests were
not added,
please describe why they were not added and/or why it was difficult to
add.
-->
Manually tested.
### Was this PR authored or co-authored using generative AI tooling?
<!--
If generative AI tooling has been used in the process of authoring this
PR,
please include the phrase: 'Generated-by: ' followed by the name of the
tool
and its version. If no, write 'No'.
Please refer to the [ASF Generative Tooling
Guidance](https://www.apache.org/legal/generative-tooling.html) for
details.
-->
Revised with Claude Code.
---------
Co-authored-by: Xiaozhen Liu <[email protected]>
---
.../user/workflow/WorkflowAccessResource.scala | 9 ++-
.../user/share-access/share-access.component.html | 17 ++++--
.../user/share-access/share-access.component.ts | 65 +++++++++++++++++++++-
3 files changed, 83 insertions(+), 8 deletions(-)
diff --git
a/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowAccessResource.scala
b/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowAccessResource.scala
index 2c92352a08..799e3d7c5d 100644
---
a/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowAccessResource.scala
+++
b/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowAccessResource.scala
@@ -33,6 +33,7 @@ import
org.apache.texera.dao.jooq.generated.tables.pojos.WorkflowUserAccess
import org.apache.texera.web.model.common.AccessEntry
import
org.apache.texera.web.resource.dashboard.user.workflow.WorkflowAccessResource.{
context,
+ getPrivilege,
hasWriteAccess
}
import org.jooq.DSLContext
@@ -174,10 +175,16 @@ class WorkflowAccessResource() {
@PathParam("privilege") privilege: String,
@Auth user: SessionUser
): Unit = {
- if (email.equals(user.getEmail)) {
+ val isModifyingOwnAccess = email.equals(user.getEmail)
+ val currentPrivilege = getPrivilege(wid, user.getUid)
+ val hasExistingAccess = !currentPrivilege.eq(PrivilegeEnum.NONE)
+
+ // Users can only modify their own access if they already have access
+ if (isModifyingOwnAccess && !hasExistingAccess) {
throw new BadRequestException("You cannot grant access to yourself!")
}
+ // Must have write access to modify access levels (including your own)
if (!hasWriteAccess(wid, user.getUid)) {
throw new ForbiddenException(s"You do not have permission to modify
workflow $wid")
}
diff --git
a/frontend/src/app/dashboard/component/user/share-access/share-access.component.html
b/frontend/src/app/dashboard/component/user/share-access/share-access.component.html
index 717c1cbc18..2c155f1a5a 100644
---
a/frontend/src/app/dashboard/component/user/share-access/share-access.component.html
+++
b/frontend/src/app/dashboard/component/user/share-access/share-access.component.html
@@ -25,7 +25,7 @@
class="access-button"
[nzType]="isPublic ? 'default' : 'primary'"
(click)="verifyUnpublish()"
- [disabled]="!writeAccess">
+ [disabled]="!hasWriteAccess">
<div
nz-icon
nzType="lock"
@@ -42,7 +42,7 @@
class="access-button"
[nzType]="isPublic ? 'primary' : 'default'"
(click)="verifyPublish()"
- [disabled]="!writeAccess">
+ [disabled]="!hasWriteAccess">
<div
nz-icon
nzType="user"
@@ -123,7 +123,7 @@
</select>
</div>
<button
- [disabled]="!writeAccess"
+ [disabled]="!hasWriteAccess"
style="width: 100%"
nz-button
nzType="primary"
@@ -151,9 +151,16 @@
id="current-share">
<li><nz-tag nzColor="green">OWNER</nz-tag> {{ owner }}</li>
<li *ngFor="let entry of accessList">
- <nz-tag nzColor="blue">{{ entry.privilege }}</nz-tag> {{ entry.email }}
({{ entry.name }})
+ <select
+ [value]="entry.privilege"
+ [disabled]="!hasWriteAccess"
+ (change)="changeAccessLevel(entry.email, $any($event.target).value)">
+ <option value="READ">READ</option>
+ <option value="WRITE">WRITE</option>
+ </select>
+ {{ entry.email }} ({{ entry.name }})
<button
- [disabled]="!writeAccess && entry.email !== currentEmail"
+ [disabled]="!hasWriteAccess && entry.email !== currentEmail"
(click)="verifyRevokeAccess(entry.email)"
nz-button
nz-tooltip="revoke access"
diff --git
a/frontend/src/app/dashboard/component/user/share-access/share-access.component.ts
b/frontend/src/app/dashboard/component/user/share-access/share-access.component.ts
index de7d83531f..3a42129165 100644
---
a/frontend/src/app/dashboard/component/user/share-access/share-access.component.ts
+++
b/frontend/src/app/dashboard/component/user/share-access/share-access.component.ts
@@ -20,7 +20,7 @@
import { Component, EventEmitter, inject, OnDestroy, OnInit, Output } from
"@angular/core";
import { FormBuilder, FormControl, FormGroup, Validators } from
"@angular/forms";
import { ShareAccessService } from
"../../../service/user/share-access/share-access.service";
-import { ShareAccess } from "../../../type/share-access.interface";
+import { Privilege, ShareAccess } from "../../../type/share-access.interface";
import { UntilDestroy, untilDestroyed } from "@ngneat/until-destroy";
import { UserService } from "../../../../common/service/user/user.service";
import { GmailService } from "../../../../common/service/gmail/gmail.service";
@@ -40,7 +40,6 @@ import { WorkflowActionService } from
"src/app/workspace/service/workflow-graph/
})
export class ShareAccessComponent implements OnInit, OnDestroy {
readonly nzModalData = inject(NZ_MODAL_DATA);
- readonly writeAccess: boolean = this.nzModalData.writeAccess;
readonly type: string = this.nzModalData.type;
readonly id: number = this.nzModalData.id;
readonly allOwners: string[] = this.nzModalData.allOwners;
@@ -76,6 +75,17 @@ export class ShareAccessComponent implements OnInit,
OnDestroy {
this.currentEmail = this.userService.getCurrentUser()?.email;
}
+ get hasWriteAccess(): boolean {
+ if (!this.currentEmail) {
+ return false;
+ }
+ if (this.currentEmail === this.owner) {
+ return true;
+ }
+ const currentUserAccess = this.accessList.find(entry => entry.email ===
this.currentEmail);
+ return currentUserAccess?.privilege === Privilege.WRITE;
+ }
+
ngOnInit(): void {
this.accessService
.getAccessList(this.type, this.id)
@@ -238,6 +248,57 @@ export class ShareAccessComponent implements OnInit,
OnDestroy {
});
}
+ public changeAccessLevel(email: string, newPrivilege: string): void {
+ const isOwnAccess = email === this.currentEmail;
+ const currentUserAccess = this.accessList.find(entry => entry.email ===
email);
+ const isDowngrade = currentUserAccess?.privilege === Privilege.WRITE &&
newPrivilege === "READ";
+
+ if (isOwnAccess && isDowngrade) {
+ const modal: NzModalRef = this.modalService.create({
+ nzTitle: "Downgrade Your Access",
+ nzContent: `Are you sure you want to change your own access to READ?
You will no longer be able to edit this ${this.type} or manage access.`,
+ nzFooter: [
+ {
+ label: "Cancel",
+ onClick: () => {
+ modal.close();
+ this.ngOnInit();
+ },
+ },
+ {
+ label: "Confirm",
+ type: "primary",
+ danger: true,
+ onClick: () => {
+ this.applyAccessLevelChange(email, newPrivilege);
+ modal.close();
+ },
+ },
+ ],
+ });
+ } else {
+ this.applyAccessLevelChange(email, newPrivilege);
+ }
+ }
+
+ private applyAccessLevelChange(email: string, newPrivilege: string): void {
+ this.accessService
+ .grantAccess(this.type, this.id, email, newPrivilege)
+ .pipe(untilDestroyed(this))
+ .subscribe({
+ next: () => {
+ this.notificationService.success(`Access level for ${email} changed
to ${newPrivilege}.`);
+ this.ngOnInit();
+ },
+ error: (error: unknown) => {
+ if (error instanceof HttpErrorResponse) {
+ this.notificationService.error(error.error.message);
+ }
+ this.ngOnInit();
+ },
+ });
+ }
+
public verifyPublish(): void {
if (!this.isPublic) {
const modal: NzModalRef = this.modalService.create({
