Issue with owner permission with LDAP integration

[tdipisa]

While testing geosolutions-it/geostore#468 an issue was found :

• When saving, the server return -1 for every resource in case of LDAP integration. So deleting one saved permission internally is done by id, but id is -1 for every rule, so the front end deletes everything.
• We can solve by checking by applying changes by NAME + TYPE instead of by id. If IPRanges, check and use ID anyway, because in this case we don't have name I think
• This doesn't happen while adding new rules, because arbitrary IDs are applied to the groups, so it initially works. But when loading saved items, the problem appear.

Screencast.from.2026-02-24.12-56-23.webm

There are other consequences about this:

• Edit permission
• Delete all rules at once

Screencast.from.2026-02-24.13-11-15.webm

This requires a backport on 2025.02.xx too

[tdipisa]

@axl8713 waitign for further checks on the @offtherailz side before reviewing the assegnee.

[rowheat02]

@offtherailz @tdipisa
I tried to run MapStore2 with LDAP direct integration locally, but the backend does not start correctly in LDAP mode (GeoStore init fails), so I could not replicate the issue.

For LDAP, I followed the existing MapStore documentation: used the Docker-based OpenLDAP setup and also tried running against a separate LDAP server, then built and ran the backend with the LDAP profile. I wasn’t able to get a fully working LDAP-backed MapStore instance in my local environment,

The proposed change below is based on code analysis and the described LDAP behaviour here (all permission subjects coming back with id = -1).

Problem With LDAP:

• GET /resources/{id}/permissions returns SecurityRule entries where user/group id is always -1.
• The ResourcesCatalog permissions UI identifies entries by entry.id.
• Since all loaded rules have the same id, deleting/editing a single rule can affect all rules.

IP-based rules are different: they have a real ipRange.id that can be used as a stable identifier.

Proposed frontend fix

In web/client/plugins/ResourcesCatalog/components/Permissions.jsx:

1. Introduce a stable key

function getEntryKey(entry) {
    if (!entry) return '';
    if (entry.type === 'ip') {
        // IP ranges have a real backend id
        return `ip-${entry.id}`;
    }
    // For users/groups, LDAP may return id = -1 for all, so use type+name
    return `${entry.type}-${entry.name ?? ''}`;
}

2. Use getEntryKey for removing entries

function handleRemoveEntry(removedEntry) {
    const key = getEntryKey(removedEntry);
    const newEntries = permissionsEntires.filter(entry => getEntryKey(entry) !== key);
    setPermissionsEntires(newEntries);
    handleChange({ entries: newEntries });
}

3. Use getEntryKey for updating entries

function handleUpdateEntry(entryKey, properties, noCallback) {
    const newEntries = permissionsEntires.map(entry => {
        if (getEntryKey(entry) === entryKey) {
            return { ...entry, ...properties };
        }
        return entry;
    });
    setPermissionsEntires(newEntries);
    if (!noCallback) {
        handleChange({ entries: newEntries });
    }
}

4. Use getEntryKey for list key and onChange

<li key={getEntryKey(entry) + '-' + idx}>
    <PermissionsRow
        {...entry}
        onChange={editing ? handleUpdateEntry.bind(null, getEntryKey(entry)) : null}
        ...
    >
        ...
        <Button onClick={handleRemoveEntry.bind(null, entry)}>
            <Glyphicon glyph="trash" />
        </Button>
    </PermissionsRow>
</li>

So the above fix seems correct based on the findings on the description and code analysis, but locally issue was not replicated and tested, so PR was not created.
@offtherailz, what do you suggest to create a PR of the above proposal or give more time to set up LADP locally, replicate issue, apply fix, test locally and create PR.