Access control for teams and service page #5633 (#5636)

* restricted normal user to claim ownership for team and service

* miner fix

* miner fix

openmetadata-ui/src/main/resources/ui/src/components/ManageTab/ManageTab.component.tsx

@@ -65,6 +65,7 @@ const ManageTab: FunctionComponent<ManageProps> = ({
   deletEntityMessage,
   handleIsJoinable,
   afterDeleteAction,
+  manageSectionType,
 }: ManageProps) => {
   const { userPermissions, isAdminUser } = useAuth();
   const { isAuthDisabled } = useAuthContext();
@@ -396,6 +397,7 @@ const ManageTab: FunctionComponent<ManageProps> = ({
             isListLoading={isUserLoading}
             listOwners={listOwners}
             listVisible={listVisible}
+            manageSectionType={manageSectionType}
             owner={owner || ({} as EntityReference)}
             ownerName={currentUser?.displayName || currentUser?.name || ''}
             ownerSearchText={searchText}

openmetadata-ui/src/main/resources/ui/src/components/TeamDetails/TeamDetails.tsx

@@ -24,7 +24,9 @@ import {
   getUserPath,
   PAGE_SIZE_MEDIUM,
   TITLE_FOR_NON_ADMIN_ACTION,
+  TITLE_FOR_NON_OWNER_ACTION,
 } from '../../constants/constants';
+import { ADMIN_ONLY_ACCESSIBLE_SECTION } from '../../enums/common.enum';
 import { OwnerType } from '../../enums/user.enum';
 import { Operation } from '../../generated/entity/policies/policy';
 import { Team } from '../../generated/entity/teams/team';
@@ -315,8 +317,9 @@ const TeamDetails = ({
           {currentTeamUsers.length > 0 && isActionAllowed() && (
             <div>
               <NonAdminAction
+                isOwner={isActionAllowed()}
                 position="bottom"
-                title={TITLE_FOR_NON_ADMIN_ACTION}>
+                title={TITLE_FOR_NON_OWNER_ACTION}>
                 <Button
                   className="tw-h-8 tw-px-2"
                   data-testid="add-user"
@@ -377,6 +380,7 @@ const TeamDetails = ({
                       <UserCard
                         isActionVisible
                         isIconVisible
+                        isOwner={isActionAllowed()}
                         item={User}
                         key={index}
                         onRemove={deleteUserHandler}
@@ -641,7 +645,7 @@ const TeamDetails = ({
                     entityType="team"
                     handleIsJoinable={handleOpenToJoinToggle}
                     isJoinable={currentTeam.isJoinable}
-                    manageSectionType="Team"
+                    manageSectionType={ADMIN_ONLY_ACCESSIBLE_SECTION.TEAM}
                     onSave={handleManageSave}
                   />
                 </div>

openmetadata-ui/src/main/resources/ui/src/components/common/OwnerWidget/OwnerWidget.tsx

@@ -13,11 +13,13 @@
 
 import { FontAwesomeIcon } from '@fortawesome/react-fontawesome';
 import classNames from 'classnames';
-import { isUndefined } from 'lodash';
+import { isUndefined, lowerCase } from 'lodash';
 import React, { Fragment } from 'react';
+import { ADMIN_ONLY_ACCESSIBLE_SECTION } from '../../../enums/common.enum';
 import { Operation } from '../../../generated/entity/policies/policy';
 import { EntityReference } from '../../../generated/type/entityReference';
 import { useAuth } from '../../../hooks/authHooks';
+import { hasEditAccess } from '../../../utils/CommonUtils';
 import { getTitleCase } from '../../../utils/EntityUtils';
 import { isCurrentUserAdmin } from '../../../utils/UserDataUtils';
 import { Button } from '../../buttons/Button/Button';
@@ -36,6 +38,7 @@ interface OwnerWidgetProps {
   allowTeamOwner?: boolean;
   ownerName: string;
   entityType?: string;
+  manageSectionType?: string;
   statusOwner: Status;
   owner?: EntityReference;
   listOwners: {
@@ -56,10 +59,10 @@ interface OwnerWidgetProps {
 }
 
 const OwnerWidget = ({
+  manageSectionType,
   isJoinableActionAllowed,
   teamJoinable,
   isAuthDisabled,
-  hasEditAccess,
   ownerName,
   entityType,
   listVisible,
@@ -74,7 +77,7 @@ const OwnerWidget = ({
   handleOwnerSelection,
   handleSearchOwnerDropdown,
 }: OwnerWidgetProps) => {
-  const { userPermissions } = useAuth();
+  const { userPermissions, isAdminUser } = useAuth();
 
   const getOwnerGroup = () => {
     return allowTeamOwner ? ['Teams', 'Users'] : ['Users'];
@@ -100,6 +103,26 @@ const OwnerWidget = ({
     }
   };
 
+  const isOwnerEditable = () => {
+    if (!isAuthDisabled && !isAdminUser) {
+      if (ownerName) {
+        return hasEditAccess(owner?.type || '', owner?.id || '');
+      } else {
+        if (
+          Object.values(ADMIN_ONLY_ACCESSIBLE_SECTION).find(
+            (s) => s === lowerCase(manageSectionType)
+          )
+        ) {
+          return false;
+        }
+
+        return userPermissions[Operation.UpdateOwner];
+      }
+    }
+
+    return true;
+  };
+
   const ownerDescription =
     entityType === 'team'
       ? 'The owner of the team can manage the team by adding or removing users. Add or update Team ownership here'
@@ -124,22 +147,12 @@ const OwnerWidget = ({
                     <p>You do not have permissions to update the owner.</p>
                   </Fragment>
                 }
-                isOwner={hasEditAccess}
-                permission={Operation.UpdateOwner}
+                isOwner={isOwnerEditable()}
                 position="left">
                 <Button
-                  className={classNames('tw-underline', {
-                    'tw-opacity-40':
-                      !userPermissions[Operation.UpdateOwner] &&
-                      !isAuthDisabled &&
-                      !hasEditAccess,
-                  })}
+                  className="tw-underline"
                   data-testid="owner-dropdown"
-                  disabled={
-                    !userPermissions[Operation.UpdateOwner] &&
-                    !isAuthDisabled &&
-                    !hasEditAccess
-                  }
+                  disabled={!isOwnerEditable()}
                   size="custom"
                   theme="primary"
                   variant="link"

openmetadata-ui/src/main/resources/ui/src/enums/common.enum.ts

@@ -0,0 +1,17 @@
+/*
+ *  Copyright 2021 Collate
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+export enum ADMIN_ONLY_ACCESSIBLE_SECTION {
+  TEAM = 'team',
+  SERVICE = 'service',
+}

openmetadata-ui/src/main/resources/ui/src/pages/service/index.tsx

@@ -53,6 +53,7 @@ import {
   PAGE_SIZE,
   pagingObject,
 } from '../../constants/constants';
+import { ADMIN_ONLY_ACCESSIBLE_SECTION } from '../../enums/common.enum';
 import { SearchIndex } from '../../enums/search.enum';
 import { ServiceCategory } from '../../enums/service.enum';
 import { OwnerType } from '../../enums/user.enum';
@@ -1054,7 +1055,7 @@ const ServicePage: FunctionComponent = () => {
                         serviceDetails?.owner?.type || '',
                         serviceDetails?.owner?.id || ''
                       )}
-                      manageSectionType={serviceCategory.slice(0, -1)}
+                      manageSectionType={ADMIN_ONLY_ACCESSIBLE_SECTION.SERVICE}
                       onSave={handleUpdateOwner}
                     />
                   </div>