Allow RA to revoke Recovery Token

The RA user was not yet allowed to revoke a recovery token. This is now allowed. As this is a RA role. See: https://www.pivotaltracker.com/story/show/184938232
OpenConext · Feb 20, 2024 · 1b35421 · 1b35421
1 parent e7bc00b
commit 1b35421
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Authorization/Service/CommandAuthorizationService.php b/src/Surfnet/StepupMiddleware/ApiBundle/Authorization/Service/CommandAuthorizationService.php
@@ -29,6 +29,8 @@
 use Surfnet\StepupMiddleware\CommandHandlingBundle\Command\SelfServiceExecutable;
 use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\CreateIdentityCommand;
 use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\ExpressLocalePreferenceCommand;
+use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\RevokeOwnRecoveryTokenCommand;
+use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\RevokeRegistrantsRecoveryTokenCommand;
 use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\RevokeRegistrantsSecondFactorCommand;
 use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\UpdateIdentityCommand;
 use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\VetSecondFactorCommand;
@@ -216,9 +218,13 @@ public function mayRaCommandBeExecutedOnBehalfOf(
 
             // the VetSecondFactorCommand is used to vet a second factor for a user
             // the RevokeRegistrantsSecondFactorCommand is used to revoke a user's secondfactor
-            // Both are only sent by the RA where the minimal role requirement is RA
+            // the RevokeRegistrantsRecoveryTokenCommand is used to revoke a user's recovery token
+            // All three are only sent by the RA where the minimal role requirement is RA
             // all the other actions require RAA rights
-            if ($command instanceof VetSecondFactorCommand || $command instanceof RevokeRegistrantsSecondFactorCommand) {
+            if ($command instanceof VetSecondFactorCommand ||
+                $command instanceof RevokeRegistrantsSecondFactorCommand ||
+                $command instanceof RevokeRegistrantsRecoveryTokenCommand
+            ) {
                 $this->logger->notice('VetSecondFactorCommand and RevokeRegistrantsSecondFactorCommand require a RA role');
                 $roleRequirement = RegistrationAuthorityRole::ra();
                 // Use the institution of the identity (the user vetting or having his token revoked).