From 56dcd421a9dac08e077424b1f25467941dbfc24c Mon Sep 17 00:00:00 2001 From: maverickstuder Date: Mon, 22 Jan 2024 12:34:02 +0100 Subject: [PATCH] RED-5369: View dossier & access permissions are not working for dossier attributes controller * now when no permissions are given to view dossiers the endpoint to get dossier attributes returns an empty list instead of a 403 access denied --- .../api/impl/controller/DossierAttributesController.java | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java index 501048fb8..6e0428ac8 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java @@ -16,6 +16,7 @@ import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RestController; +import com.iqser.red.service.persistence.management.v1.processor.service.persistence.DossierPersistenceService; import com.knecon.fforesight.keycloakcommons.security.KeycloakSecurity; import com.iqser.red.service.persistence.management.v1.processor.entity.dossier.DossierAttributeConfigEntity; import com.iqser.red.service.persistence.management.v1.processor.service.AccessControlService; 
@@ -37,6 +38,7 @@ import lombok.RequiredArgsConstructor; @RequiredArgsConstructor public class DossierAttributesController implements DossierAttributesResource { + private final DossierPersistenceService dossierPersistenceService; private final DossierAttributeConfigPersistenceService dossierAttributeConfigPersistenceService; private final AuditPersistenceService auditPersistenceService; private final DossierAttributesManagementService dossierAttributesManagementService; @@ -150,6 +152,9 @@ public class DossierAttributesController implements DossierAttributesResource { @PreAuthorize("hasAuthority('" + READ_DOSSIER_ATTRIBUTES + "')") public DossierAttributes getDossierAttributes(String dossierId) { + //check if dossier exists before verifying permissions + dossierPersistenceService.findByDossierId(dossierId); + List result = Collections.emptyList(); if (accessControlService.hasUserViewPermissionsForDossier(dossierId)) { result = dossierAttributesManagementService.getDossierAttributes(dossierId);
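Review bot: In getDossierAttributes the added `dossierPersistenceService.findByDossierId(dossierId);` runs before `hasUserViewPermissionsForDossier`, so a caller who holds READ_DOSSIER_ATTRIBUTES but has no view permission on the dossier can probably tell existing ids (empty list) from unknown ones (whatever findByDossierId raises, presumably a not-found error; its behaviour is not visible here). If dossier existence is meant to stay hidden from such callers, either answer both cases identically or do the lookup only inside the permitted branch; if the difference is intended, say so in the comment, e.g. `// throws if the dossier does not exist; return value intentionally unused`. Because a denied view now looks the same as a dossier with no attributes, it may also be worth logging or auditing the denied branch so access-control failures stay visible to operators. The method body continues past the end of the hunk.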