RED-5369: View dossier & access permissions are not working for dossier attributes controller

* when no permission to view dossiers has been granted, the endpoint that returns dossier attributes now responds with an empty list instead of a 403 Access Denied
maverickstuder 2024-01-22 12:34:02 +01:00
parent 9a3898a377
commit 56dcd421a9


@ -16,6 +16,7 @@ import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import com.iqser.red.service.persistence.management.v1.processor.service.persistence.DossierPersistenceService;
import com.knecon.fforesight.keycloakcommons.security.KeycloakSecurity;
import com.iqser.red.service.persistence.management.v1.processor.entity.dossier.DossierAttributeConfigEntity;
import com.iqser.red.service.persistence.management.v1.processor.service.AccessControlService;
@ -37,6 +38,7 @@ import lombok.RequiredArgsConstructor;
@RequiredArgsConstructor
public class DossierAttributesController implements DossierAttributesResource {
private final DossierPersistenceService dossierPersistenceService;
private final DossierAttributeConfigPersistenceService dossierAttributeConfigPersistenceService;
private final AuditPersistenceService auditPersistenceService;
private final DossierAttributesManagementService dossierAttributesManagementService;
@ -150,6 +152,9 @@ public class DossierAttributesController implements DossierAttributesResource {
@PreAuthorize("hasAuthority('" + READ_DOSSIER_ATTRIBUTES + "')")
public DossierAttributes getDossierAttributes(String dossierId) {
//check if dossier exists before verifying permissions
dossierPersistenceService.findByDossierId(dossierId);
List<DossierAttribute> result = Collections.emptyList();
if (accessControlService.hasUserViewPermissionsForDossier(dossierId)) {
result = dossierAttributesManagementService.getDossierAttributes(dossierId);
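Review bot: In `getDossierAttributes`, the added `dossierPersistenceService.findByDossierId(dossierId)` call runs before `hasUserViewPermissionsForDossier`, so a caller who holds `READ_DOSSIER_ATTRIBUTES` but has no view permission presumably gets an empty list for an id that exists and a not-found error for one that does not (the behaviour of `findByDossierId` is not visible here). That difference reveals which dossier ids exist to users who are not allowed to view them. Consider running the lookup only once the permission check has passed, e.g. `if (accessControlService.hasUserViewPermissionsForDossier(dossierId)) { dossierPersistenceService.findByDossierId(dossierId); result = dossierAttributesManagementService.getDossierAttributes(dossierId); }`, provided the access check tolerates unknown ids; otherwise extend the comment to say the not-found response is deliberately visible without view permission. The denied path is also silent and indistinguishable from a dossier with no attributes; the class already has `auditPersistenceService`, so a log or audit entry there would keep refused reads visible to operators. The method body continues past the end of the hunk.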