RED-5369: View dossier & access permissions are not working for dossier attributes controller

* added hasPermission checks on all dossier specific endpoints in the DossierAttributesController
maverickstuder 2024-01-18 13:38:59 +01:00
parent f608aa1043
commit 804a078403


@ -115,7 +115,7 @@ public class DossierAttributesController implements DossierAttributesResource {
}
@PreAuthorize("hasAuthority('" + WRITE_FILE_ATTRIBUTES + "')")
@PreAuthorize("hasAuthority('" + WRITE_FILE_ATTRIBUTES + "') && hasPermission(#dossierId, 'Dossier', 'ACCESS_OBJECT')")
public DossierAttributes setDossierAttributes(@PathVariable(DOSSIER_ID) String dossierId, @RequestBody DossierAttributes dossierAttributes) {
accessControlService.verifyUserIsDossierOwner(dossierId);
@ -131,7 +131,7 @@ public class DossierAttributesController implements DossierAttributesResource {
}
@PreAuthorize("hasAuthority('" + WRITE_DOSSIER_ATTRIBUTES + "')")
@PreAuthorize("hasAuthority('" + WRITE_DOSSIER_ATTRIBUTES + "') && hasPermission(#dossierId, 'Dossier', 'ACCESS_OBJECT')")
public DossierAttributes addOrUpdateDossierAttribute(String dossierId, DossierAttribute dossierAttribute) {
accessControlService.verifyUserIsDossierOwner(dossierId);
@ -146,7 +146,7 @@ public class DossierAttributesController implements DossierAttributesResource {
}
@PreAuthorize("hasAuthority('" + READ_DOSSIER_ATTRIBUTES + "')")
@PreAuthorize("hasAuthority('" + READ_DOSSIER_ATTRIBUTES + "') && hasPermission(#dossierId, 'Dossier', 'VIEW_OBJECT')")
public DossierAttributes getDossierAttributes(String dossierId) {
var result = dossierAttributesManagementService.getDossierAttributes(dossierId);
@ -161,7 +161,7 @@ public class DossierAttributesController implements DossierAttributesResource {
}
@PreAuthorize("hasAuthority('" + WRITE_DOSSIER_ATTRIBUTES + "')")
@PreAuthorize("hasAuthority('" + WRITE_DOSSIER_ATTRIBUTES + "') && hasPermission(#dossierId, 'Dossier', 'ACCESS_OBJECT')")
public void deleteDossierAttribute(String dossierId, String dossierAttributeId) {
accessControlService.verifyUserIsDossierOwner(dossierId);
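Review bot: In the first hunk, `setDossierAttributes` is still gated on `WRITE_FILE_ATTRIBUTES`, while the other two mutating endpoints (`addOrUpdateDossierAttribute`, `deleteDossierAttribute`) require `WRITE_DOSSIER_ATTRIBUTES`. Unless that is deliberate, it looks like a copy-paste slip that leaves the authority gate inconsistent, and the annotation should probably read `@PreAuthorize("hasAuthority('" + WRITE_DOSSIER_ATTRIBUTES + "') && hasPermission(#dossierId, 'Dossier', 'ACCESS_OBJECT')")`. Separately, the new `hasPermission(#dossierId, ...)` expressions depend on the parameter name being resolvable at runtime, and three of the four methods carry no `@PathVariable` on the implementation. A controller test that calls each endpoint as a user holding the authority but no permission on the dossier, and expects a 403, would pin this down. All four method bodies continue outside the hunks, so what follows `verifyUserIsDossierOwner` is not visible here.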