Merge discvr-25.11 to develop

LDK/api-src/org/labkey/api/ldk/buttons/ShowBulkEditButton.java

@@ -19,6 +19,7 @@
 import org.labkey.api.module.Module;
 import org.labkey.api.query.DetailsURL;
 import org.labkey.api.security.permissions.AdminPermission;
+import org.labkey.api.security.permissions.Permission;
 
 /**
  * User: bimber
@@ -31,8 +32,13 @@ public class ShowBulkEditButton extends SimpleButtonConfigFactory
     protected String _queryName;
 
     public ShowBulkEditButton(Module owner, String schemaName, String queryName)
+    {
+        this(owner, schemaName, queryName, AdminPermission.class);
+    }
+
+    public ShowBulkEditButton(Module owner, String schemaName, String queryName, Class<? extends Permission> permission)
     {
         super(owner, "Bulk Edit", DetailsURL.fromString("/ldk/apiBulkEdit.view?schemaName=" + schemaName + "&queryName=" + queryName));
-        setPermission(AdminPermission.class);
+        setPermission(permission);
     }
 }

LDK/api-src/org/labkey/api/ldk/security/DataAdminPermission.java

@@ -0,0 +1,10 @@
+package org.labkey.api.ldk.security;
+
+import org.labkey.api.security.permissions.AbstractPermission;
+
+public class DataAdminPermission extends AbstractPermission
+{
+    public DataAdminPermission() {
+        super("DataAdminPermission", "Required for certain operations involving large-scale management of data");
+    }
+}

LDK/api-src/org/labkey/api/ldk/table/SimpleButtonConfigFactory.java

@@ -125,7 +125,17 @@ protected String getJsHandler(TableInfo ti)
     @Override
     public boolean isAvailable(TableInfo ti)
     {
-        return _owner == null || ti.getUserSchema().getContainer().getActiveModules().contains(_owner);
+        if (_owner != null && !ti.getUserSchema().getContainer().getActiveModules().contains(_owner))
+        {
+            return false;
+        }
+
+        if (_permission != null && !ti.getUserSchema().getContainer().hasPermission(ti.getUserSchema().getUser(), _permission))
+        {
+            return false;
+        }
+
+        return true;
     }
 
     @Override

LDK/resources/views/apiBulkEdit.view.xml

@@ -1,6 +1,6 @@
 <view xmlns="http://labkey.org/data/xml/view" title="Bulk Edit Using Client API">
     <requiresPermissions>
-        <permissionClass name="org.labkey.api.security.permissions.AdminPermission"/>
+        <permissionClass name="org.labkey.api.ldk.security.DataAdminPermission"/>
     </requiresPermissions>
     <dependencies>
         <dependency path="ldk.context"/>

LDK/src/org/labkey/ldk/query/DefaultTableCustomizer.java

@@ -469,6 +469,11 @@ private static boolean configureMoreActionsBtn(TableInfo ti, List<ButtonConfigFa
         for (ButtonConfigFactory fact : buttons)
         {
             NavTree newButton = fact.create(ti);
+            if (!fact.isAvailable(ti) || !fact.isVisible(ti))
+            {
+                continue;
+            }
+
             if (!btnNameMap.containsKey(newButton.getText()))
             {
                 btnNameMap.put(newButton.getText(), newButton);

LDK/test/src/org/labkey/test/tests/external/labModules/LabModulesTest.java

@@ -240,6 +240,8 @@ public void testSteps() throws Exception
         urlGenerationTest();
         peptideTableTest();
         searchPanelTest();
+
+        testButtonPermissions();
     }
 
     protected void setUpTest() throws Exception
@@ -1877,4 +1879,27 @@ public void checkViews()
         //the module contains an R report tied to a specific assay name, so view check fails when an assay of that name isnt present
         //when module-based assays can supply reports this should be corrected
     }
+
+    protected void testButtonPermissions() throws Exception
+    {
+        goToProjectHome();
+        _helper.clickNavPanelItem("Samples:", "Browse All");
+
+        DataRegionTable dr = new DataRegionTable("query", this);
+        dr.checkAllOnPage();
+
+        dr.clickHeaderButton("More Actions");
+        assertElementPresent(Locator.tagWithText("a", "Bulk Edit"));
+
+        impersonateRole("Editor");
+        refresh();
+
+        dr = new DataRegionTable("query", this);
+        dr.checkAllOnPage();
+
+        dr.clickHeaderButton("More Actions");
+        assertElementNotPresent(Locator.tagWithText("a", "Bulk Edit"));
+
+        stopImpersonating();
+    }
 }

laboratory/src/org/labkey/laboratory/LaboratoryModule.java

@@ -196,7 +196,7 @@ protected void doStartupAfterSpringConfig(ModuleContext moduleContext)
         btn4.setPermission(UpdatePermission.class);
         LDKService.get().registerQueryButton(btn4, LaboratoryModule.SCHEMA_NAME, LaboratorySchema.TABLE_SAMPLES);
 
-        LDKService.get().registerQueryButton(new ShowBulkEditButton(this, LaboratoryModule.SCHEMA_NAME, LaboratorySchema.TABLE_SAMPLES), LaboratoryModule.SCHEMA_NAME, LaboratorySchema.TABLE_SAMPLES);
+        LDKService.get().registerQueryButton(new ShowBulkEditButton(this, LaboratoryModule.SCHEMA_NAME, LaboratorySchema.TABLE_SAMPLES, LaboratoryAdminPermission.class), LaboratoryModule.SCHEMA_NAME, LaboratorySchema.TABLE_SAMPLES);
 
         SimpleButtonConfigFactory btn5 = new SimpleButtonConfigFactory(this, "Manage Freezers", DetailsURL.fromString("/query/executeQuery.view?schemaName=laboratory&query.queryName=freezers"));
         btn5.setPermission(LaboratoryAdminPermission.class);

laboratory/src/org/labkey/laboratory/security/LaboratoryAdminRole.java

@@ -1,6 +1,7 @@
 package org.labkey.laboratory.security;
 
 import org.labkey.api.laboratory.security.LaboratoryAdminPermission;
+import org.labkey.api.ldk.security.DataAdminPermission;
 import org.labkey.api.security.permissions.DeletePermission;
 import org.labkey.api.security.permissions.InsertPermission;
 import org.labkey.api.security.permissions.ReadPermission;
@@ -21,6 +22,7 @@ public LaboratoryAdminRole()
                 InsertPermission.class,
                 UpdatePermission.class,
                 DeletePermission.class,
+                DataAdminPermission.class,
                 LaboratoryAdminPermission.class
         );
     }