Give Troubleshooters read permission in the root

api/src/org/labkey/api/reports/report/view/ReportUtil.java

@@ -738,10 +738,10 @@ public static void updateReportSecurityPolicy(ViewContext context, @NotNull Repo
         {
             MutableSecurityPolicy policy = new MutableSecurityPolicy(report.getDescriptor(), SecurityPolicyManager.getPolicy(report.getDescriptor(), false));
 
-            List<Role> principalAssignedRoles = policy.getAssignedRoles(principal);
-            if (toAdd && principalAssignedRoles.isEmpty())
+            boolean hasNoAssignedRoles = policy.getAssignedRoles(principal).findAny().isEmpty();
+            if (toAdd && hasNoAssignedRoles)
                 policy.addRoleAssignment(principal, ReaderRole.class);
-            else if (!toAdd && !principalAssignedRoles.isEmpty())
+            else if (!toAdd && !hasNoAssignedRoles)
                 policy.addRoleAssignment(principal, NoPermissionsRole.class);
 
             SecurityPolicyManager.savePolicy(policy, context.getUser());

api/src/org/labkey/api/security/Group.java

@@ -17,6 +17,7 @@
 
 import org.labkey.api.data.Container;
 import org.labkey.api.data.ContainerManager;
+import org.labkey.api.data.Transient;
 import org.labkey.api.security.roles.Role;
 
 import java.util.stream.Stream;
@@ -95,6 +96,7 @@ public String getPath()
         return "/" + c.getName() + "/" + getName();
     }
 
+    @Transient
     @Override
     public PrincipalArray getGroups()
     {
@@ -111,7 +113,7 @@ public boolean isInGroup(int group)
     public Stream<Role> getAssignedRoles(SecurableResource resource)
     {
         SecurityPolicy policy = SecurityPolicyManager.getPolicy(resource);
-        return policy.getRoles(getGroups()).stream();
+        return policy.getRoles(getGroups());
     }
 
     @Override

api/src/org/labkey/api/security/LimitedUser.java

@@ -41,6 +41,7 @@
 import org.labkey.api.util.TestContext;
 
 import java.util.Date;
+import java.util.Objects;
 import java.util.Set;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
@@ -77,7 +78,7 @@ public PrincipalArray getGroups(User user)
         @Override
         public Stream<Role> getAssignedRoles(User user, SecurableResource resource)
         {
-            return _roles.stream();
+            return Objects.requireNonNull(_roles).stream();
         }
     }
 
@@ -111,38 +112,39 @@ public void testLimitedUser()
         {
             User user = TestContext.get().getUser();
 
-            testPermissions(new LimitedUser(user), 0, false, false, false, false, false);
-            testPermissions(new LimitedUser(user, ReaderRole.class), 1, true, false, false, false, false);
-            testPermissions(new LimitedUser(user, EditorRole.class), 1, true, true, true, false, false);
-            testPermissions(new LimitedUser(user, FolderAdminRole.class), 1, true, true, true, true, true);
-            testPermissions(new LimitedUser(new LimitedUser(user, FolderAdminRole.class), ReaderRole.class), 1, true, false, false, false, false);
+            testPermissions(new LimitedUser(user), 0, 0, false, false, false, false, false);
+            testPermissions(new LimitedUser(user, ReaderRole.class), 1, 0, true, false, false, false, false);
+            testPermissions(new LimitedUser(user, EditorRole.class), 1, 0, true, true, true, false, false);
+            testPermissions(new LimitedUser(user, FolderAdminRole.class), 1, 0, true, true, true, true, true);
+            testPermissions(new LimitedUser(new LimitedUser(user, FolderAdminRole.class), ReaderRole.class), 1, 0, true, false, false, false, false);
         }
 
         @Test
         public void testElevatedUser()
         {
             User user = TestContext.get().getUser();
             Container c = JunitUtil.getTestContainer();
+            Container root = ContainerManager.getRoot();
 
-            testPermissions(ElevatedUser.getElevatedUser(new LimitedUser(user, SubmitterRole.class, null), ReaderRole.class, null), 2, true, true, false, false, false);
-            testPermissions(ElevatedUser.ensureCanSeeAuditLogRole(c, new LimitedUser(user)), 1, false, false, false, false, true);
-            testPermissions(ElevatedUser.ensureCanSeeAuditLogRole(c, new LimitedUser(user, ReaderRole.class)), 2, true, false, false, false, true);
-            testPermissions(ElevatedUser.ensureCanSeeAuditLogRole(c, ElevatedUser.getElevatedUser(new LimitedUser(user, ReaderRole.class), EditorRole.class)), 3, true, true, true, false, true);
+            testPermissions(ElevatedUser.getElevatedUser(new LimitedUser(user, SubmitterRole.class, null), ReaderRole.class, null), 2, 0, true, true, false, false, false);
+            testPermissions(ElevatedUser.ensureCanSeeAuditLogRole(c, new LimitedUser(user)), 1, 1, false, false, false, false, true);
+            testPermissions(ElevatedUser.ensureCanSeeAuditLogRole(c, new LimitedUser(user, ReaderRole.class)), 2, 1, true, false, false, false, true);
+            testPermissions(ElevatedUser.ensureCanSeeAuditLogRole(c, ElevatedUser.getElevatedUser(new LimitedUser(user, ReaderRole.class), EditorRole.class)), 3, 1, true, true, true, false, true);
 
             int groupCount = user.getGroups().size();
             int roleCount = (int)user.getAssignedRoles(c).count();
-            int siteRolesCount = (int)user.getSiteRoles().count();
+            int siteRolesCount = (int)user.getSiteRoles(root).count();
             User elevated = ElevatedUser.getElevatedUser(user);
             assertEquals(groupCount, elevated.getGroups().size());
             assertEquals(roleCount, (int)elevated.getAssignedRoles(c).count());
-            assertEquals(siteRolesCount, (int)elevated.getSiteRoles().count());
+            assertEquals(siteRolesCount, (int)elevated.getSiteRoles(root).count());
         }
 
-        private void testPermissions(User user, int roleCount, boolean hasRead, boolean hasInsert, boolean hasUpdate, boolean hasAdmin, boolean hasCanSeeAuditLog)
+        private void testPermissions(User user, int roleCount, int siteRoleCount, boolean hasRead, boolean hasInsert, boolean hasUpdate, boolean hasAdmin, boolean hasCanSeeAuditLog)
         {
             Container c = JunitUtil.getTestContainer();
             assertEquals(roleCount, (int)user.getAssignedRoles(c).count());
-            assertTrue(user.getSiteRoles().findAny().isEmpty());
+            assertEquals(siteRoleCount, user.getSiteRoles(ContainerManager.getRoot()).count());
             assertFalse(user.hasSiteAdminPermission());
             assertEquals(0, user.getGroups().stream().count());
             assertFalse(user.hasPrivilegedRole());

api/src/org/labkey/api/security/RoleSet.java

@@ -20,6 +20,7 @@
 import org.junit.Assert;
 import org.junit.Test;
 import org.labkey.api.data.Container;
+import org.labkey.api.data.ContainerManager;
 import org.labkey.api.pipeline.PipelineJob;
 import org.labkey.api.security.impersonation.RoleImpersonationContextFactory;
 import org.labkey.api.security.roles.CanSeeAuditLogRole;
@@ -153,15 +154,15 @@ private void testImpersonateRoles(User adminUser, @Nullable Container project, C
             impersonatingUser.setImpersonationContext(factory.getImpersonationContext());
 
             if (null == project)
-                assertEquals(roles, impersonatingUser.getSiteRoles().collect(Collectors.toSet()));
+                assertEquals(roles, impersonatingUser.getSiteRoles(ContainerManager.getRoot()).collect(Collectors.toSet()));
             else
                 assertEquals(roles, impersonatingUser.getAssignedRoles(project).collect(Collectors.toSet()));
 
             json = writer.writeValueAsString(impersonatingUser);
             User reconstitutedUser = mapper.readValue(json, User.class);
 
             if (null == project)
-                assertEquals(roles, reconstitutedUser.getSiteRoles().collect(Collectors.toSet()));
+                assertEquals(roles, reconstitutedUser.getSiteRoles(ContainerManager.getRoot()).collect(Collectors.toSet()));
             else
                 assertEquals(roles, reconstitutedUser.getAssignedRoles(project).collect(Collectors.toSet()));
         }

api/src/org/labkey/api/security/SecurityManager.java

@@ -1950,7 +1950,7 @@ public static Collection<Integer> getFolderUserids(Container c)
 
         //don't filter if all site users is playing a role
         Group allSiteUsers = getGroup(Group.groupUsers);
-        if (!policy.getAssignedRoles(allSiteUsers).isEmpty())
+        if (policy.getAssignedRoles(allSiteUsers).findAny().isPresent())
         {
             // Just select all users
             SQLFragment sql = new SQLFragment("SELECT u.UserId FROM ");
@@ -3122,6 +3122,8 @@ public static List<String> getPermissionNames(SecurableResource resource, @NotNu
      * appropriate only for generating reports about role assignments for administrators.
      * Returns the roles the principal is playing in this securable resource, either due to direct assignment or due
      * to membership in a group that is assigned the role.
+     * Note: The returned stream may duplicate some roles; if a distinct stream of roles is required, callers should
+     * invoke {@code distinct()} or collect to a set.
      * @param principal The principal
      * @return The roles this principal is playing in the securable resource
      */
@@ -3376,7 +3378,7 @@ public PrincipalArray getGroups()
                 public Stream<Role> getAssignedRoles(SecurableResource resource)
                 {
                     SecurityPolicy policy = SecurityPolicyManager.getPolicy(resource);
-                    return policy.getRoles(getGroups()).stream();
+                    return policy.getRoles(getGroups());
                 }
 
                 @Override
@@ -3560,9 +3562,13 @@ public boolean performChecks()
             // check that the user has the expected role
             Container rootContainer = ContainerManager.getRoot();
             User user = UserManager.getUser(userEmail);
-            Collection<Role> roles = rootContainer.getPolicy().getAssignedRoles(user);
+            assertNotNull(user);
             Role role = RoleManager.getRole(TEST_USER_1_ROLE_NAME);
-            assertTrue("The user defined in the startup properties: "  + userEmail + " did not have the specified role: " + TEST_USER_1_ROLE_NAME, roles.contains(role));
+            assertTrue(
+                "The user defined in the startup properties: "  + userEmail + " did not have the specified role: " + TEST_USER_1_ROLE_NAME,
+                rootContainer.getPolicy().getAssignedRoles(user)
+                    .anyMatch(r -> r.equals(role))
+            );
 
             // delete the test user that was added
             UserManager.deleteUser(user.getUserId());
@@ -3598,9 +3604,14 @@ public boolean performChecks()
 
             // check that the group has the expected role
             Group group = GroupManager.getGroup(rootContainer, TEST_GROUP_1_NAME, GroupEnumType.SITE);
-            Collection<Role> roles = rootContainer.getPolicy().getAssignedRoles(group);
+            assertNotNull(group);
             Role role = RoleManager.getRole(TEST_GROUP_1_ROLE_NAME);
-            assertTrue("The group defined in the startup properties: "  + TEST_GROUP_1_NAME + " did not have the specified role: " + TEST_GROUP_1_ROLE_NAME, roles.contains(role));
+            assertNotNull(role);
+            assertTrue(
+                "The group defined in the startup properties: "  + TEST_GROUP_1_NAME + " did not have the specified role: " + TEST_GROUP_1_ROLE_NAME,
+                rootContainer.getPolicy().getAssignedRoles(group)
+                    .anyMatch(r -> r.equals(role))
+            );
 
             // delete the test group that was added
             deleteGroup(group, TestContext.get().getUser());