From 804a0784033c74b1d348b698efd7dbdb6a4aad10 Mon Sep 17 00:00:00 2001
From: maverickstuder
Date: Thu, 18 Jan 2024 13:38:59 +0100
Subject: [PATCH] RED-5369: View dossier & access permissions are not working for dossier attributes controller
* added hasPermission checks on all dossier specific endpoints in the DossierAttributesController
---
 .../api/impl/controller/DossierAttributesController.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java
index aeb4b4754..c1010dda4 100644
--- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java
+++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java
@@ -115,7 +115,7 @@ public class DossierAttributesController implements DossierAttributesResource {
 }
- @PreAuthorize("hasAuthority('" + WRITE_FILE_ATTRIBUTES + "')")
+ @PreAuthorize("hasAuthority('" + WRITE_FILE_ATTRIBUTES + "') && hasPermission(#dossierId, 'Dossier', 'ACCESS_OBJECT')")
 public DossierAttributes setDossierAttributes(@PathVariable(DOSSIER_ID) String dossierId, @RequestBody DossierAttributes dossierAttributes) {
 accessControlService.verifyUserIsDossierOwner(dossierId);
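Review bot: `#dossierId` in the new `@PreAuthorize` expression is resolved from the compiled parameter name, and `@PathVariable(DOSSIER_ID)` on `setDossierAttributes` is a web-binding annotation that Spring Security's parameter-name discovery does not consult, so unless this module is built with `-parameters` (or debug info) the expression evaluates `hasPermission(null, 'Dossier', 'ACCESS_OBJECT')` and the decision then rests on how the `PermissionEvaluator` treats a null target id rather than on the dossier actually addressed. The same applies to the three hunks below (`addOrUpdateDossierAttribute`, `getDossierAttributes`, `deleteDossierAttribute`), whose `dossierId` parameter carries no annotation at all; pinning the name with `@P("dossierId") String dossierId`, or confirming the build passes `-parameters`, removes that ambiguity. The diffstat shows only the controller changed, so a method-security test per endpoint that authenticates a principal holding the authority but lacking `VIEW_OBJECT`/`ACCESS_OBJECT` on the dossier and expects `AccessDeniedException` would keep this regression from recurring. The enclosing class and the method bodies continue outside the hunk.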
@@ -131,7 +131,7 @@ public class DossierAttributesController implements DossierAttributesResource {
 }
- @PreAuthorize("hasAuthority('" + WRITE_DOSSIER_ATTRIBUTES + "')")
+ @PreAuthorize("hasAuthority('" + WRITE_DOSSIER_ATTRIBUTES + "') && hasPermission(#dossierId, 'Dossier', 'ACCESS_OBJECT')")
 public DossierAttributes addOrUpdateDossierAttribute(String dossierId, DossierAttribute dossierAttribute) {
 accessControlService.verifyUserIsDossierOwner(dossierId);
@@ -146,7 +146,7 @@ public class DossierAttributesController implements DossierAttributesResource {
 }
- @PreAuthorize("hasAuthority('" + READ_DOSSIER_ATTRIBUTES + "')")
+ @PreAuthorize("hasAuthority('" + READ_DOSSIER_ATTRIBUTES + "') && hasPermission(#dossierId, 'Dossier', 'VIEW_OBJECT')")
 public DossierAttributes getDossierAttributes(String dossierId) {
 var result = dossierAttributesManagementService.getDossierAttributes(dossierId);
@@ -161,7 +161,7 @@ public class DossierAttributesController implements DossierAttributesResource {
 }
- @PreAuthorize("hasAuthority('" + WRITE_DOSSIER_ATTRIBUTES + "')")
+ @PreAuthorize("hasAuthority('" + WRITE_DOSSIER_ATTRIBUTES + "') && hasPermission(#dossierId, 'Dossier', 'ACCESS_OBJECT')")
 public void deleteDossierAttribute(String dossierId, String dossierAttributeId) {
 accessControlService.verifyUserIsDossierOwner(dossierId);