Fixed permission issue for Data Asset Header component

openmetadata-ui/src/main/resources/ui/playwright/e2e/Features/Permissions/EntityPermissions.spec.ts

@@ -11,8 +11,11 @@
  *  limitations under the License.
  */
 
-import { Page, test as base } from '@playwright/test';
+import { test as base, expect, Page } from '@playwright/test';
+import { PolicyClass } from '../../../support/access-control/PoliciesClass';
+import { RolesClass } from '../../../support/access-control/RolesClass';
 import { EntityClass } from '../../../support/entity/EntityClass';
+import { TableClass } from '../../../support/entity/TableClass';
 import { UserClass } from '../../../support/user/UserClass';
 import { performAdminLogin } from '../../../utils/admin';
 import { getApiContext } from '../../../utils/common';
@@ -26,8 +29,75 @@ import {
   assignRoleToUser,
   cleanupPermissions,
   initializePermissions,
+  setupUserWithPolicy,
 } from '../../../utils/permission';
 
+const EDIT_ALL_ALLOW_SPECIFIC_DENY_RULES = [
+  {
+    name: 'ViewAll-Rule',
+    resources: ['All'],
+    operations: ['ViewAll'],
+    effect: 'allow',
+  },
+  {
+    name: 'EditAll-Allow-Rule',
+    resources: ['All'],
+    operations: ['EditAll'],
+    effect: 'allow',
+  },
+  {
+    name: 'EditTier-Deny-Rule',
+    resources: ['All'],
+    operations: ['EditTier'],
+    effect: 'deny',
+  },
+  {
+    name: 'EditOwners-Deny-Rule',
+    resources: ['All'],
+    operations: ['EditOwners'],
+    effect: 'deny',
+  },
+  {
+    name: 'EditCertification-Deny-Rule',
+    resources: ['All'],
+    operations: ['EditCertification'],
+    effect: 'deny',
+  },
+];
+
+const SPECIFIC_ALLOW_EDIT_ALL_DENY_RULES = [
+  {
+    name: 'ViewAll-Rule',
+    resources: ['All'],
+    operations: ['ViewAll'],
+    effect: 'allow',
+  },
+  {
+    name: 'EditAll-Deny-Rule',
+    resources: ['All'],
+    operations: ['EditAll'],
+    effect: 'deny',
+  },
+  {
+    name: 'EditTier-Allow-Rule',
+    resources: ['All'],
+    operations: ['EditTier'],
+    effect: 'allow',
+  },
+  {
+    name: 'EditOwners-Allow-Rule',
+    resources: ['All'],
+    operations: ['EditOwners'],
+    effect: 'allow',
+  },
+  {
+    name: 'EditCertification-Allow-Rule',
+    resources: ['All'],
+    operations: ['EditCertification'],
+    effect: 'allow',
+  },
+];
+
 const adminUser = new UserClass();
 const testUser = new UserClass();
 
@@ -70,6 +140,111 @@ test.afterAll('Cleanup pre-requests', async ({ browser }) => {
   await afterAction();
 });
 
+let editAllUser: UserClass;
+let editAllPolicy: PolicyClass;
+let editAllRole: RolesClass;
+
+let specificEditsUser: UserClass;
+let specificEditsPolicy: PolicyClass;
+let specificEditsRole: RolesClass;
+
+let headerPermTable: TableClass;
+
+const headerPermTest = base.extend<{
+  editAllPage: Page;
+  specificEditsPage: Page;
+  denyAllPage: Page;
+}>({
+  editAllPage: async ({ browser }, use) => {
+    const page = await browser.newPage();
+    try {
+      await editAllUser.login(page);
+      await use(page);
+    } finally {
+      await page.close();
+    }
+  },
+  specificEditsPage: async ({ browser }, use) => {
+    const page = await browser.newPage();
+    try {
+      await specificEditsUser.login(page);
+      await use(page);
+    } finally {
+      await page.close();
+    }
+  },
+});
+
+headerPermTest.describe(
+  'DataAsset Header – EditTier / EditOwners / EditCertification permissions',
+  () => {
+    headerPermTest.beforeAll(
+      'Setup users, roles, and table',
+      async ({ browser }) => {
+        editAllUser = new UserClass();
+        editAllPolicy = new PolicyClass();
+        editAllRole = new RolesClass();
+
+        specificEditsUser = new UserClass();
+        specificEditsPolicy = new PolicyClass();
+        specificEditsRole = new RolesClass();
+
+        headerPermTable = new TableClass();
+
+        const { apiContext, afterAction } = await performAdminLogin(browser);
+
+        await headerPermTable.create(apiContext);
+
+        await setupUserWithPolicy(
+          apiContext,
+          editAllUser,
+          editAllPolicy,
+          editAllRole,
+          EDIT_ALL_ALLOW_SPECIFIC_DENY_RULES
+        );
+        await setupUserWithPolicy(
+          apiContext,
+          specificEditsUser,
+          specificEditsPolicy,
+          specificEditsRole,
+          SPECIFIC_ALLOW_EDIT_ALL_DENY_RULES
+        );
+        await afterAction();
+      }
+    );
+
+    headerPermTest(
+      'EditAll allowed but EditTier, EditOwners, EditCertification denied – edit buttons not visible',
+      async ({ editAllPage }) => {
+        await headerPermTable.visitEntityPage(editAllPage);
+
+        await expect(editAllPage.getByTestId('edit-tier')).not.toBeVisible();
+        await expect(editAllPage.getByTestId('edit-owner')).not.toBeVisible();
+        await expect(
+          editAllPage.getByTestId('edit-certification')
+        ).not.toBeVisible();
+      }
+    );
+
+    headerPermTest(
+      'EditTier, EditOwners, EditCertification allowed but EditAll denied – edit buttons not visible',
+      async ({ specificEditsPage }) => {
+        await headerPermTable.visitEntityPage(specificEditsPage);
+
+        await expect(
+          specificEditsPage.getByTestId('edit-tier')
+        ).not.toBeVisible();
+        await expect(
+          specificEditsPage.getByTestId('edit-owner')
+        ).not.toBeVisible();
+        await expect(
+          specificEditsPage.getByTestId('edit-certification')
+        ).not.toBeVisible();
+      }
+    );
+  }
+);
+
 Object.entries(entityConfig).forEach(([, config]) => {
   const entity = new config.class();
   const entityType = entity.getType();

openmetadata-ui/src/main/resources/ui/src/components/DataAssets/DataAssetsHeader/DataAssetsHeader.component.tsx

@@ -15,12 +15,14 @@ import { Button, Col, Divider, Row, Space, Tooltip, Typography } from 'antd';
 import ButtonGroup from 'antd/lib/button/button-group';
 import { AxiosError } from 'axios';
 import classNames from 'classnames';
+import { Operation } from '../../../generated/entity/policies/policy';
 import { get, isEmpty, isUndefined, toLower } from 'lodash';
 import { ServiceTypes } from 'Models';
 import QueryString from 'qs';
 import { useCallback, useEffect, useMemo, useState } from 'react';
 import { useTranslation } from 'react-i18next';
 import { Link, useNavigate } from 'react-router-dom';
+import { getPrioritizedEditPermission } from '../../../utils/PermissionsUtils';
 import { ReactComponent as RedAlertIcon } from '../../../assets/svg/ic-alert-red.svg';
 import { ReactComponent as TaskOpenIcon } from '../../../assets/svg/ic-open-task.svg';
 import { ReactComponent as VersionIcon } from '../../../assets/svg/ic-version.svg';
@@ -463,12 +465,16 @@ export const DataAssetsHeader = ({
     () => ({
       editDomainPermission: permissions.EditAll && !dataAsset.deleted,
       editOwnerPermission:
-        (permissions.EditAll || permissions.EditOwners) && !dataAsset.deleted,
+        getPrioritizedEditPermission(permissions, Operation.EditOwners) &&
+        !dataAsset.deleted,
       editTierPermission:
-        (permissions.EditAll || permissions.EditTier) && !dataAsset.deleted,
-      editCertificationPermission:
-        (permissions.EditAll || permissions.EditCertification) &&
+        getPrioritizedEditPermission(permissions, Operation.EditTier) &&
         !dataAsset.deleted,
+      editCertificationPermission:
+        getPrioritizedEditPermission(
+          permissions,
+          Operation.EditCertification
+        ) && !dataAsset.deleted,
     }),
     [permissions, dataAsset]
   );