feat(rest): new readOnly user role.

[rudra-superrr]

Issue: #3241

This will restrict the endpoints for the new readOnly user role.

[GMishx]

A question.

[rudra-superrr]

Made the changes.

[GMishx]

Changes looks good.

[keerthi-bl]

@rudra-superrr

Resolve the conflicts and can you please add steps to test this PR in the description.

[bibhuti230185]

Few more areas to look for

1. ProjectPermissions.java — isVisible() needs VIEWER awareness
2. ProjectController.java — VIEWER sees full project objects ,needs field stripping
3. ProjectController.java — Missing VIEWER guards on multiple project endpoints

Endpoint	Line	What's missing
GET /projects/{id}/licenseClearing	L457	default should be blocked — add throwIfReadOnlyUser with a // TODO: revisit after License Clearing decision comment
GET /projects/{id}/linkedProjects	L580	VIEWER must not see linked projects — add throwIfReadOnlyUser
GET /projects/{id}/linkedProjects/releases	L629	Same — add throwIfReadOnlyUser

---

4. SW360ReportController.java L122 — Report exports need per-module VIEWER guard

   Requirement: "Exports of Excel Sheet are allowed, ReadMeOSS are allowed (from License Clearing Tab), Product Clearing not allowed (from Obligations Tab)."

   GET /reports dispatches to different report types based on a module parameter. The requirement says:

   • ✅ Allowed: projects, components, licenses (Excel sheets), licenseInfo (ReadMeOSS)
   • ❌ Blocked: exportCreateProjectClearingReport (Product Clearing), licenseResourceBundle, projectReleaseSpreadsheetWithEccInfo (ECC)
   • ⚠️ SBOM: needs discussion

   Currently there's no VIEWER check at all — every module is accessible.

5. SearchController.java L98 — Search must respect VIEWER restrictions

   Requirement: "Search should follow the same restrictions like normal view, Projects with 'Everyone' visibility, all Components & Releases."

   GET /search passes all typeMasks to the search service without filtering.

   For VIEWER this means: components ✅, releases ✅, licenses ✅, projects (EVERYONE only) ⚠️, vulnerabilities ❌, users ❌.

6. "UserController.java" : POST /users/tokens creates API tokens. Currently the EndpointsFilter blocks all POST requests for VIEWER . This means VIEWER cannot create any token — including READ tokens, which the requirement explicitly allows.
   Additionally, even if the POST were allowed, there's no check preventing VIEWER from requesting WRITE authorities in the token body. The authorities field in the request is user-supplied.

7. In PermissionUtils.java, DEFAULT_USER_GROUP = UserGroup.USER. Per R8, new org-wide users should default to VIEWER. This needs to change to UserGroup.VIEWER

8. Keycloak integration — not present
   VIEWER group in Keycloak realm
   Sw360UserStorageProviderFactory update to assign VIEWER by default
   Department-based USER promotion (configurable via orgmapping.properties from PR #3594)

[GMishx]

I guess only one miss-understanding happened here. Rest looks good.

[GMishx]

A quick question, you'd be implementing the changes for KeyCloak in this branch or in a separate PR? I'd prefer a separate PR to keep it logically separated as well.

[GMishx]

Final few changes still needed

[GMishx]

This would still have to be removed?

[GMishx]

Please block following endpoints for viewer role as well:

• /vulnerabilitySummary
• /vulnerabilities