Only link to nav items that user has access to (#7590)

* only show entities sidenav item if user has list capability on entities

* wip - link to correct paths in top navigation

* remove comment

* only link to groups page if user has list capability

* add test for checking multiple capabilities

* test when capabilities are not specified

* format jsdoc comments

* move capabilities check out of helper and into permissions service

ui/app/helpers/has-permission.js

@@ -14,8 +14,10 @@ export default Helper.extend({
     }
   ),
 
-  compute([route], { routeParams, capability }) {
+  compute([route], params) {
+    let { routeParams } = params;
     let permissions = this.permissions;
-    return permissions.hasNavPermission(route, routeParams, capability);
+
+    return permissions.hasNavPermission(route, routeParams);
   },
 });

ui/app/services/permissions.js

@@ -44,11 +44,12 @@ const API_PATHS_TO_ROUTE_PARAMS = {
 };
 
 /*
-  The Permissions service is used to gate top navigation and sidebar items. It fetches
-  a users' policy from the resultant-acl endpoint and stores their allowed exact and glob
-  paths as state. It also has methods for checking whether a user has permission for a given
-  path.
+  The Permissions service is used to gate top navigation and sidebar items.
+  It fetches a users' policy from the resultant-acl endpoint and stores their
+  allowed exact and glob paths as state. It also has methods for checking whether
+  a user has permission for a given path.
 */
+
 export default Service.extend({
   exactPaths: null,
   globPaths: null,
@@ -88,7 +89,10 @@ export default Service.extend({
 
   hasNavPermission(navItem, routeParams) {
     if (routeParams) {
-      return this.hasPermission(API_PATHS[navItem][routeParams]);
+      // viewing the entity and groups pages require the list capability, while the others require the default, which is anything other than deny
+      let capability = routeParams === 'entities' || routeParams === 'groups' ? ['list'] : [null];
+
+      return this.hasPermission(API_PATHS[navItem][routeParams], capability);
     }
     return Object.values(API_PATHS[navItem]).some(path => this.hasPermission(path));
   },

ui/tests/unit/services/permissions-test.js

@@ -157,24 +157,32 @@ module('Unit | Service | permissions', function(hooks) {
     assert.deepEqual(service.navPathParams('access'), expected);
   });
 
-  test('hasNavPermission returns true if a policy includes access to at least one path', function(assert) {
+  test('hasNavPermission returns true if a policy includes the required capabilities for at least one path', function(assert) {
     let service = this.owner.lookup('service:permissions');
     const accessPaths = {
       'sys/auth': {
         capabilities: ['deny'],
       },
-      'sys/leases/lookup': {
+      'identity/group/id': {
+        capabilities: ['list', 'read'],
+      },
+    };
+    service.set('exactPaths', accessPaths);
+    assert.equal(service.hasNavPermission('access', 'groups'), true);
+  });
+
+  test('hasNavPermission returns false if a policy does not include the required capabilities for at least one path', function(assert) {
+    let service = this.owner.lookup('service:permissions');
+    const accessPaths = {
+      'sys/auth': {
+        capabilities: ['deny'],
+      },
+      'identity/group/id': {
         capabilities: ['read'],
       },
     };
     service.set('exactPaths', accessPaths);
-    assert.equal(service.hasNavPermission('access', 'leases'), true);
-  });
-
-  test('hasNavPermission returns false if a policy does not include access to any paths', function(assert) {
-    let service = this.owner.lookup('service:permissions');
-    service.set('exactPaths', {});
-    assert.equal(service.hasNavPermission('access'), false);
+    assert.equal(service.hasNavPermission('access', 'groups'), false);
   });
 
   test('appends the namespace to the path if there is one', function(assert) {