bcgov · Jxio · Mar 12, 2025 · Mar 12, 2025 · Mar 12, 2025 · Mar 20, 2025
diff --git a/auth-api/migrations/versions/2025_03_13_2b69b3c83578_26014_permissions_updates_2.py b/auth-api/migrations/versions/2025_03_13_2b69b3c83578_26014_permissions_updates_2.py
@@ -0,0 +1,24 @@
+"""26014-permissions-updates-2
+
+Revision ID: 2b69b3c83578
+Revises: 2ef3f0be3759
+Create Date: 2025-03-13 13:40:59.972418
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '2b69b3c83578'
+down_revision = '2ef3f0be3759'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.execute("""INSERT INTO permissions (membership_type_code, actions) VALUES ('COORDINATOR', 'edit_user');""")
+
+
+def downgrade():
+    op.execute("delete from permissions where membership_type_code = 'COORDINATOR' and actions = 'edit_user'")
diff --git a/auth-api/migrations/versions/2025_03_14_0879befaf0b6_26014_permissions_updates_3.py b/auth-api/migrations/versions/2025_03_14_0879befaf0b6_26014_permissions_updates_3.py
@@ -0,0 +1,27 @@
+"""26014-permissions-updates-3
+
+Revision ID: 0879befaf0b6
+Revises: 2b69b3c83578
+Create Date: 2025-03-14 09:04:07.238735
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '0879befaf0b6'
+down_revision = '2b69b3c83578'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.execute("""INSERT INTO permissions (membership_type_code, actions) VALUES ('CC_STAFF', 'view_account_invitations');""")
+    op.execute("""INSERT INTO permissions (membership_type_code, actions) VALUES ('CC_STAFF', 'view_pending_tasks');""")
+    op.execute("""INSERT INTO permissions (membership_type_code, actions) VALUES ('CC_STAFF', 'view_suspended_accounts');""")
+
+def downgrade():
+    op.execute("delete from permissions where membership_type_code = 'CC_STAFF' and actions = 'view_account_invitations'")
+    op.execute("delete from permissions where membership_type_code = 'CC_STAFF' and actions = 'view_pending_tasks'")
+    op.execute("delete from permissions where membership_type_code = 'CC_STAFF' and actions = 'view_suspended_accounts'")
diff --git a/auth-api/src/auth_api/resources/v1/user.py b/auth-api/src/auth_api/resources/v1/user.py
@@ -137,7 +137,14 @@ def post_user():
 
 @bp.route("/<path:username>/otp", methods=["DELETE", "OPTIONS"])
 @cross_origin(origins="*", methods=["DELETE"])
-@_jwt.has_one_of_roles([Role.STAFF_MANAGE_ACCOUNTS.value, Role.PUBLIC_USER.value, Role.STAFF_VIEW_ACCOUNTS.value])
+@_jwt.has_one_of_roles(
+    [
+        Role.STAFF_MANAGE_ACCOUNTS.value,
+        Role.PUBLIC_USER.value,
+        Role.STAFF_VIEW_ACCOUNTS.value,
+        Role.MANAGE_RESET_OTP.value,
+    ]
+)
 def delete_user_otp(username):
     """Delete/Reset the OTP of user profile associated with the provided username."""
     try:

diff --git a/auth-api/src/auth_api/services/invitation.py b/auth-api/src/auth_api/services/invitation.py
@@ -451,6 +451,9 @@ def accept_invitation(invitation_id, user: UserService, origin, add_membership:
 
                 Invitation._publish_activity_if_active(membership_model, user_from_context)
 
+                if org_model.access_type == AccessType.GOVM.value:
+                    MembershipService.add_or_remove_group_for_staff(membership_model)
+
                 # Create staff review task.
                 Invitation._create_affidavit_review_task(org_model, membership_model)
                 try:

diff --git a/auth-api/src/auth_api/services/membership.py b/auth-api/src/auth_api/services/membership.py
@@ -333,11 +333,11 @@ def _add_or_remove_group(model: MembershipModel):
                 KeycloakService.remove_from_account_holders_group(model.user.keycloak_guid)
 
         # Add or Remove from STAFF group in keycloak
-        Membership._add_or_remove_group_for_staff(model)
+        Membership.add_or_remove_group_for_staff(model)
         ProductService.update_users_products_keycloak_groups([model.user.id])
 
     @staticmethod
-    def _add_or_remove_group_for_staff(model: MembershipModel):
+    def add_or_remove_group_for_staff(model: MembershipModel):
         mapping_group = org_type_to_group_mapping.get(model.org.type_code)
         if not mapping_group:
             return

diff --git a/auth-api/src/auth_api/services/org.py b/auth-api/src/auth_api/services/org.py
@@ -240,7 +240,7 @@ def _create_payment_settings(
                 )
 
             match response.status_code:
-                case HTTPStatus.OK:
+                case HTTPStatus.OK | HTTPStatus.CREATED:
                     payment_account_status = PaymentAccountStatus.CREATED
                 case HTTPStatus.ACCEPTED:
                     payment_account_status = PaymentAccountStatus.PENDING

diff --git a/auth-api/src/auth_api/services/user.py b/auth-api/src/auth_api/services/user.py
@@ -238,13 +238,17 @@ def _create_new_user_and_membership(db_username, kc_user, membership, org_id):
         return user_model
 
     @staticmethod
-    def delete_otp_for_user(user_name, origin_url: str = None):
+    @user_context
+    def delete_otp_for_user(user_name, origin_url: str = None, **kwargs):
         """Reset the OTP of the user."""
         # TODO - handle when the multiple teams implemented for bceid..
         user = UserModel.find_by_username(user_name)
         membership = MembershipModel.find_membership_by_userid(user.id)
         org_id = membership.org_id
-        check_auth(org_id=org_id, one_of_roles=(ADMIN, COORDINATOR, STAFF))
+
+        user_from_context: UserContext = kwargs["user_context"]
+        if not user_from_context.has_role(Role.MANAGE_RESET_OTP.value):
+            check_auth(org_id=org_id, one_of_roles=(ADMIN, COORDINATOR, STAFF))
         try:
             KeycloakService.reset_otp(str(user.keycloak_guid))
             User.send_otp_authenticator_reset_notification(user.email, origin_url, org_id)

diff --git a/auth-api/src/auth_api/utils/roles.py b/auth-api/src/auth_api/utils/roles.py
@@ -50,6 +50,7 @@ class Role(Enum):
     VIEW_ACCOUNT_PENDING_INVITATIONS = "view_account_pending_invitations"
     VIEW_MEMBERS_PENDING_INVITATIONS = "view_members_pending_invitations"
     VIEW_ACTIVITY_LOGS = "view_activity_logs"
+    MANAGE_RESET_OTP = "manage_reset_otp"
 
 
 # Membership types

diff --git a/auth-api/tests/unit/services/test_org.py b/auth-api/tests/unit/services/test_org.py
@@ -119,13 +119,22 @@ def test_create_org_products(session, keycloak_mock, monkeypatch):
     patch_token_info({"sub": user.keycloak_guid, "idp_userid": user.idp_userid}, monkeypatch)
     with patch.object(ActivityLogPublisher, "publish_activity", return_value=None) as mock_alp:
         org = OrgService.create_org(TestOrgInfo.org_with_products, user_id=user.id)
-        mock_alp.assert_called_with(
+        mock_alp.assert_any_call(
             Activity(
                 action=ActivityAction.ADD_PRODUCT_AND_SERVICE.value,
                 org_id=ANY,
                 value=ANY,
                 id=ANY,
-                name="Business Registry & Name Request",
+                name=ANY,
+            )
+        )
+        mock_alp.assert_any_call(
+            Activity(
+                action=ActivityAction.PAYMENT_INFO_CHANGE.value,
+                org_id=ANY,
+                value=ANY,
+                id=ANY,
+                name=ANY,
             )
         )
         assert org

diff --git a/auth-web/.env.example b/auth-web/.env.example
@@ -38,7 +38,7 @@ VUE_APP_NAMEX_WEB_URL="https://dev.namex.bcregistry.gov.bc.ca/"
 VUE_APP_BUSINESS_REGISTRY_URL="https://business-registry-dev.web.app/"
 
 #vaults API
-VUE_APP_AUTH_API_URL="https://auth-api-dev.apps.silver.devops.gov.bc.ca"
+VUE_APP_AUTH_API_URL="https://auth-api-dev-142173140222.northamerica-northeast1.run.app"
 VUE_APP_AUTH_API_VERSION="/api/v1"
 VUE_APP_LEGAL_API_URL="https://legal-api-dev.apps.silver.devops.gov.bc.ca"
 VUE_APP_LEGAL_API_VERSION="/api/v1"
@@ -72,4 +72,4 @@ VUE_APP_KEYCLOAK_CLIENTID="account-web"
 VUE_APP_SENTRY_DSN=
 
 #vaults hotjar
-VUE_APP_HOTJAR_ID=
+VUE_APP_HOTJAR_ID=
diff --git a/auth-web/firebase.json b/auth-web/firebase.json
@@ -1,3 +1,4 @@
+// This is for GCBRUN only for DEV/TEST/PROD - see https://github.com/bcgov/bcregistry-sre/tree/main/.github/actions/frontend-deploy/files
 {
   "hosting":
     {
@@ -20,7 +21,7 @@
             { "key" : "X-XSS-Protection", "value" : "1; mode=block" },
             {
               "key": "Content-Security-Policy",
-              "value": "default-src 'self'; frame-src 'self' *.gov.bc.ca *.hotjar.com *.googleapis.com https://*.nr-data.net https://*.newrelic.com https://*.cac1.pure.cloud; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.gov.bc.ca *.hotjar.com *.googleapis.com https://*.nr-data.net https://*.newrelic.com https://*.cac1.pure.cloud; style-src 'self' 'unsafe-inline' *.cloudflare.com *.googleapis.com; font-src 'self' *.gov.bc.ca *.hotjar.com *.cloudflare.com *.googleapis.com *.gstatic.com *.jsdelivr.net; img-src 'self' data: *.hotjar.com https://*.cac1.pure.cloud; connect-src 'self' *.gov.bc.ca *.launchdarkly.com *.hotjar.com *.postescanada-canadapost.ca *.sentry.io *.apigee.net wss://*.hotjar.com *.hotjar.io https://*.nr-data.net https://shyrka-prod-cac1.s3.ca-central-1.amazonaws.com https://*.newrelic.com https://*.cac1.pure.cloud wss://*.cac1.pure.cloud; manifest-src 'self'; media-src 'self' https://*.cac1.pure.cloud; object-src 'self' https://*.cac1.pure.cloud; child-src 'self' https://*.cac1.pure.cloud;"
+              "value": "default-src 'self'; frame-src 'self' *.gov.bc.ca *.hotjar.com *.googleapis.com https://*.nr-data.net https://*.newrelic.com https://*.cac1.pure.cloud; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.gov.bc.ca *.hotjar.com *.googleapis.com https://*.nr-data.net https://*.newrelic.com https://*.cac1.pure.cloud; style-src 'self' 'unsafe-inline' *.cloudflare.com *.googleapis.com; font-src 'self' *.gov.bc.ca *.hotjar.com *.cloudflare.com *.googleapis.com *.gstatic.com *.jsdelivr.net; img-src 'self' data: *.hotjar.com https://*.cac1.pure.cloud; connect-src 'self' *.run.app *.gov.bc.ca *.launchdarkly.com *.hotjar.com *.postescanada-canadapost.ca *.sentry.io *.apigee.net wss://*.hotjar.com *.hotjar.io https://*.nr-data.net https://shyrka-prod-cac1.s3.ca-central-1.amazonaws.com https://*.newrelic.com https://*.cac1.pure.cloud wss://*.cac1.pure.cloud; manifest-src 'self'; media-src 'self' https://*.cac1.pure.cloud; object-src 'self' https://*.cac1.pure.cloud; child-src 'self' https://*.cac1.pure.cloud;"
             },
             { "key": "Cache-Control", "value": "no-cache, no-store, must-revalidate"},
             { "key": "Pragma", "value": "no-cache"},