From 80e783d46b74404306291382b117bbc2a770b539 Mon Sep 17 00:00:00 2001 From: Corina Olariu Date: Thu, 1 Feb 2024 12:36:57 +0200 Subject: [PATCH] RED-8361 - Returned error status codes should be checked - renamed and rework the access permission validations Signed-off-by: Corina Olariu --- .../controller/ComponentLogController.java | 8 ++--- .../impl/controller/DictionaryController.java | 4 +-- .../impl/controller/DocumentController.java | 10 +++--- .../DossierAttributesController.java | 6 ++-- .../impl/controller/DossierController.java | 6 ++-- .../controller/DossierStatsController.java | 2 +- .../impl/controller/EntityLogController.java | 4 +-- .../controller/FileManagementController.java | 14 ++++---- .../impl/controller/HighlightsController.java | 8 ++--- .../controller/ManualRedactionController.java | 22 ++++++------- .../impl/controller/ReanalysisController.java | 11 ++----- .../api/impl/controller/StatusController.java | 12 +++---- .../controller/StatusReportController.java | 2 +- .../api/impl/controller/UploadController.java | 4 +-- .../impl/controller/VersionsController.java | 2 +- .../controller/ViewedPagesController.java | 6 ++-- .../service/AccessControlService.java | 33 ++++++++++--------- .../processor/service/DictionaryService.java | 10 +++--- 18 files changed, 79 insertions(+), 85 deletions(-) diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ComponentLogController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ComponentLogController.java index d1b22610a..2165b55e0 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ComponentLogController.java 
+++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ComponentLogController.java @@ -45,7 +45,7 @@ public class ComponentLogController implements ComponentLogResource { @Override public ComponentLog getComponentLog(String dossierId, String fileId, boolean includeOverrides) { - accessControlService.verifyDossierViewPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); accessControlService.validateFileResourceExistence(fileId); return componentLogService.getComponentLog(dossierId, fileId, includeOverrides); @@ -55,7 +55,7 @@ public class ComponentLogController implements ComponentLogResource { @PreAuthorize("hasAuthority('" + GET_RSS + "')") public void addOverrides(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @RequestBody ComponentsOverrides componentsOverrides) { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.validateFileResourceExistence(fileId); if (componentsOverrides.getComponentOverrides() == null || componentsOverrides.getComponentOverrides().isEmpty()) { @@ -73,7 +73,7 @@ public class ComponentLogController implements ComponentLogResource { @PreAuthorize("hasAuthority('" + GET_RSS + "')") public ComponentsOverrides getOverrides(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { - accessControlService.verifyDossierViewPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); accessControlService.validateFileResourceExistence(fileId); return componentOverrideService.getOverrides(dossierId, fileId); } 
@@ -82,7 +82,7 @@ public class ComponentLogController implements ComponentLogResource { @PreAuthorize("hasAuthority('" + GET_RSS + "')") public void revertOverrides(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @RequestBody RevertOverrideRequest revertOverrideRequest) { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.validateFileResourceExistence(fileId); if (revertOverrideRequest.getComponents() == null || revertOverrideRequest.getComponents().isEmpty()) { diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DictionaryController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DictionaryController.java index 13e85e9f7..bdb313aef 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DictionaryController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DictionaryController.java @@ -82,7 +82,7 @@ public class DictionaryController implements DictionaryResource { if (dossierId == null) { dictionaryService.addGlobalEntries(type, dossierTemplateId, entries, removeCurrent, dictionaryEntryType); } else { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); dictionaryService.addDossierEntries(type, dossierTemplateId, entries, removeCurrent, dossierId, dictionaryEntryType); } 
@@ -117,7 +117,7 @@ public class DictionaryController implements DictionaryResource { if (dossierId == null) { dictionaryService.deleteGlobalEntries(type, dossierTemplateId, entries, dictionaryEntryType); } else { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); dictionaryService.deleteDossierEntries(type, dossierTemplateId, entries, dossierId, dictionaryEntryType); } diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DocumentController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DocumentController.java index 69d693ab0..f02cea2c5 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DocumentController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DocumentController.java @@ -43,7 +43,7 @@ public class DocumentController implements DocumentResource { public ResponseEntity getDocumentText(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { // check access to resources and check for deletion - accessControlService.verifyDossierViewPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); accessControlService.validateFileResourceExistence(fileId); try { 
@@ -59,7 +59,7 @@ public class DocumentController implements DocumentResource { public ResponseEntity getDocumentPositions(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { // check access to resources and check for deletion - accessControlService.verifyDossierViewPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); accessControlService.validateFileResourceExistence(fileId); try { @@ -75,7 +75,7 @@ public class DocumentController implements DocumentResource { public ResponseEntity getDocumentStructure(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { // check access to resources and check for deletion - accessControlService.verifyDossierViewPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); accessControlService.validateFileResourceExistence(fileId); try { return buildZipFileResponseEntity(fileId, dossierId, FileType.DOCUMENT_STRUCTURE); @@ -90,7 +90,7 @@ public class DocumentController implements DocumentResource { public ResponseEntity getDocumentPages(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { // check access to resources and check for deletion - accessControlService.verifyDossierViewPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); accessControlService.validateFileResourceExistence(fileId); try { return buildZipFileResponseEntity(fileId, dossierId, FileType.DOCUMENT_PAGES); 
@@ -105,7 +105,7 @@ public class DocumentController implements DocumentResource { public ResponseEntity getSimplifiedSectionText(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { // check access to resources and check for deletion - accessControlService.verifyDossierViewPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); accessControlService.validateFileResourceExistence(fileId); try { diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java index 731b90148..10d545a50 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java @@ -121,7 +121,7 @@ public class DossierAttributesController implements DossierAttributesResource { @PreAuthorize("hasAuthority('" + WRITE_FILE_ATTRIBUTES + "')") public DossierAttributes setDossierAttributes(@PathVariable(DOSSIER_ID) String dossierId, @RequestBody DossierAttributes dossierAttributes) { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.verifyUserIsDossierOwner(dossierId); var result = dossierAttributesManagementService.setDossierAttributes(dossierId, dossierAttributes.getDossierAttributeList()); auditPersistenceService.insertRecord(AuditRequest.builder() 
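Review bot: `setDossierAttributes` is gated by `hasAuthority('" + WRITE_FILE_ATTRIBUTES + "')` in the context lines of the `@@ -121,7 +121,7 @@` hunk, while `addOrUpdateDossierAttribute` and `deleteDossierAttribute` in the next two hunks use `WRITE_DOSSIER_ATTRIBUTES` for the same resource. This looks like a copy-paste slip that the permission rework leaves in place. A role holding only the file-attribute authority would pass the coarse gate for a dossier-attribute write, so only the dossier-level checks in the body would stop it. If the mismatch is not intentional, change the annotation to `@PreAuthorize("hasAuthority('" + WRITE_DOSSIER_ATTRIBUTES + "')")`. The method body continues outside the hunk.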
@@ -138,7 +138,7 @@ public class DossierAttributesController implements DossierAttributesResource { @PreAuthorize("hasAuthority('" + WRITE_DOSSIER_ATTRIBUTES + "')") public DossierAttributes addOrUpdateDossierAttribute(String dossierId, DossierAttribute dossierAttribute) { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.verifyUserIsDossierOwner(dossierId); DossierAttribute result = dossierAttributesManagementService.addOrUpdateDossierAttribute(dossierId, dossierAttribute); auditPersistenceService.insertRecord(AuditRequest.builder() @@ -175,7 +175,7 @@ public class DossierAttributesController implements DossierAttributesResource { @PreAuthorize("hasAuthority('" + WRITE_DOSSIER_ATTRIBUTES + "')") public void deleteDossierAttribute(String dossierId, String dossierAttributeId) { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.verifyUserIsDossierOwner(dossierId); dossierAttributesManagementService.deleteDossierAttribute(dossierId, dossierAttributeId); auditPersistenceService.insertRecord(AuditRequest.builder() diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierController.java index 78ffa55d1..bbece0f07 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierController.java 
+++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierController.java @@ -18,7 +18,6 @@ import java.util.Set; import java.util.TreeSet; import java.util.stream.Collectors; -import com.iqser.red.service.persistence.management.v1.processor.exception.NotFoundException; import com.iqser.red.service.persistence.management.v1.processor.service.DossierCreatorService; import org.apache.commons.lang3.StringUtils; @@ -42,7 +41,6 @@ import com.iqser.red.service.persistence.management.v1.processor.roles.Applicati import com.iqser.red.service.persistence.management.v1.processor.service.AccessControlService; import com.iqser.red.service.persistence.management.v1.processor.service.DossierManagementService; import com.iqser.red.service.persistence.management.v1.processor.service.FileStatusManagementService; -import com.iqser.red.service.persistence.management.v1.processor.service.FilterByPermissionsService; import com.iqser.red.service.persistence.management.v1.processor.service.persistence.AuditPersistenceService; import com.iqser.red.service.persistence.management.v1.processor.service.persistence.NotificationPersistenceService; import com.iqser.red.service.persistence.management.v1.processor.service.users.UserService; @@ -351,7 +349,7 @@ public class DossierController implements DossierResource { public void deleteDossier(@PathVariable(DOSSIER_ID_PARAM) String dossierId) { Dossier dossier = dossierACLService.enhanceDossierWithACLData(dossierManagementService.getDossierById(dossierId, true, false)); - accessControlService.verifyDossierAccessPermission(dossierId); + accessControlService.checkAccessPermissionsToDossier(dossierId); if (dossier.getOwnerId() != null && !dossier.getOwnerId().equals(KeycloakSecurity.getUserId())) { throw new AccessDeniedException("Can not delete dossier that is owned by a different user"); 
@@ -384,7 +382,7 @@ public class DossierController implements DossierResource { @RequestParam(name = INCLUDE_ARCHIVED_PARAM, defaultValue = "false", required = false) boolean includeArchived, @RequestParam(name = INCLUDE_DELETED_PARAM, defaultValue = "false", required = false) boolean includeDeleted) { - accessControlService.verifyDossierViewPermission(dossierId); + accessControlService.checkViewPermissionsToDossier(dossierId); return dossierACLService.enhanceDossierWithACLData(dossierManagementService.getDossierById(dossierId, includeArchived, includeDeleted)); } diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierStatsController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierStatsController.java index f8fe5c5f2..860a6cd5c 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierStatsController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierStatsController.java @@ -34,7 +34,7 @@ public class DossierStatsController implements DossierStatsResource { @PreAuthorize("hasAuthority('" + READ_DOSSIER + "')") public DossierStats getDossierStats(@PathVariable(DOSSIER_ID_PARAM) String dossierId) { - accessControlService.verifyDossierViewPermission(dossierId); + accessControlService.checkViewPermissionsToDossier(dossierId); return dossierStatsService.getDossierStats(dossierId); } 
diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/EntityLogController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/EntityLogController.java index 35d65457e..3756c8b93 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/EntityLogController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/EntityLogController.java @@ -32,7 +32,7 @@ public class EntityLogController implements EntityLogResource { @RequestParam(value = "excludedType", required = false) List excludedTypes, @RequestParam(value = "includeUnprocessed", required = false, defaultValue = FALSE) boolean includeUnprocessed) { - accessControlService.verifyDossierAccessPermission(dossierId); + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.validateFileResourceExistence(fileId); return entityLogService.getEntityLog(dossierId, fileId, excludedTypes, includeUnprocessed); } @@ -43,7 +43,7 @@ public class EntityLogController implements EntityLogResource { @PathVariable(FILE_ID) String fileId, @RequestBody FilteredEntityLogRequest filteredEntityLogRequest) { - accessControlService.verifyDossierAccessPermission(dossierId); + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.validateFileResourceExistence(fileId); return entityLogService.getFilteredEntityLog(dossierId, fileId, filteredEntityLogRequest); } 
diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/FileManagementController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/FileManagementController.java index 60fa60e64..cb082957e 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/FileManagementController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/FileManagementController.java @@ -78,7 +78,7 @@ public class FileManagementController implements FileManagementResource { @PreAuthorize("hasAuthority('" + DELETE_FILE + "')") public void deleteFile(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { - accessControlService.verifyDossierAccessPermission(dossierId); + accessControlService.checkAccessPermissionsToDossier(dossierId); fileService.deleteFile(dossierId, fileId); auditPersistenceService.audit(AuditRequest.builder() .userId(KeycloakSecurity.getUserId()) @@ -95,7 +95,7 @@ public class FileManagementController implements FileManagementResource { @PreAuthorize("hasAuthority('" + DELETE_FILE + "')") public void deleteFiles(@PathVariable(DOSSIER_ID) String dossierId, @RequestBody List fileIds) { - accessControlService.verifyDossierAccessPermission(dossierId); + accessControlService.checkAccessPermissionsToDossier(dossierId); List errorIds = new ArrayList<>(); for (String fileId : fileIds) { try { 
@@ -124,7 +124,7 @@ public class FileManagementController implements FileManagementResource { @PathVariable(FILE_ID) String fileId, @RequestParam(value = "inline", required = false, defaultValue = FALSE) boolean inline) { - accessControlService.verifyDossierViewPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); return getResponseEntityForPDFDocument(fileId, dossierId, FileType.ORIGIN, inline); } @@ -136,7 +136,7 @@ public class FileManagementController implements FileManagementResource { @PathVariable(FILE_ID) String fileId, @RequestParam(value = "inline", required = false, defaultValue = FALSE) boolean inline) { - accessControlService.verifyDossierViewPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); // Viewer Document Returns if (storageService.objectExists(TenantContext.getTenantId(), StorageIdUtils.getStorageId(dossierId, fileId, FileType.VIEWER_DOCUMENT))) { return getResponseEntityForPDFDocument(fileId, dossierId, FileType.VIEWER_DOCUMENT, inline); @@ -181,7 +181,7 @@ public class FileManagementController implements FileManagementResource { @PreAuthorize("hasAuthority('" + DELETE_FILE + "')") public void hardDeleteFiles(@PathVariable(DOSSIER_ID) String dossierId, @RequestParam(FILE_IDS) Set fileIds) { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); for (String fileId : fileIds) { if (fileStatusManagementService.getFileStatus(fileId).getAssignee() != null) { accessControlService.verifyUserIsReviewerOrApprover(dossierId, fileId); 
@@ -202,7 +202,7 @@ public class FileManagementController implements FileManagementResource { @PreAuthorize("hasAuthority('" + DELETE_FILE + "')") public void restoreFiles(@PathVariable(DOSSIER_ID) String dossierId, @RequestBody Set fileIds) { - accessControlService.verifyDossierAccessPermission(dossierId); + accessControlService.checkAccessPermissionsToDossier(dossierId); verifyUserIsDossierOwnerOrApproverOrAssignedReviewer(dossierId, fileIds); fileService.undeleteFiles(dossierId, fileIds); auditPersistenceService.audit(AuditRequest.builder() @@ -219,7 +219,7 @@ public class FileManagementController implements FileManagementResource { @PreAuthorize("hasAuthority('" + ROTATE_PAGE + "')") public void rotatePages(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @RequestBody RotatePagesRequest rotatePagesRequest) { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); accessControlService.verifyUserIsReviewer(dossierId, fileId); diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/HighlightsController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/HighlightsController.java index 80bd01a3e..90174cd1c 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/HighlightsController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/HighlightsController.java 
@@ -49,7 +49,7 @@ public class HighlightsController implements HighlightsResource { @PreAuthorize("hasAuthority('" + GET_HIGHLIGHTS + "')") public Highlights getHighlights(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); fileStatusService.getStatus(fileId); if (storageService.objectExists(TenantContext.getTenantId(), getStorageId(dossierId, fileId, FileType.TEXT_HIGHLIGHTS))) { @@ -68,7 +68,7 @@ public class HighlightsController implements HighlightsResource { public void convertHighlights(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @RequestBody AnnotationIds annotationIds) { try { - accessControlService.verifyDossierAccessPermission(dossierId); + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.verifyUserIsReviewerOrApprover(dossierId, fileId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); @@ -83,7 +83,7 @@ public class HighlightsController implements HighlightsResource { public void deleteHighlights(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @RequestBody AnnotationIds annotationIds) { try { - accessControlService.verifyDossierAccessPermission(dossierId); + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.verifyUserIsReviewerOrApprover(dossierId, fileId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); 
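Review bot: The change in `getHighlights` is not a rename: the removed call is `verifyDossierAccessPermissionAndResourceNotDeleted(dossierId)` and the added one is `checkDossierExistenceAndViewPermissionsToDossier(dossierId)`, so the endpoint moves from the access check to the view check. Every other visible hunk maps Access to Access and View to View. Presumably the view check admits more users than the access check, so this changes who can read highlights, and the commit message does not mention it. If the loosening is intended for this read-only endpoint, say so in the description and cover it with a test for a view-only user; otherwise use `accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId);`. The method body continues outside the hunk.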
@@ -99,7 +99,7 @@ public class HighlightsController implements HighlightsResource { public void deleteImportedRedactions(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @RequestBody AnnotationIds annotationIds) { try { - accessControlService.verifyDossierAccessPermission(dossierId); + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.verifyUserIsReviewerOrApprover(dossierId, fileId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ManualRedactionController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ManualRedactionController.java index b5603574a..1dc10b509 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ManualRedactionController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ManualRedactionController.java @@ -79,7 +79,7 @@ public class ManualRedactionController implements ManualRedactionResource { @RequestBody Set annotationIds, @RequestParam(value = "includeUnprocessed", required = false, defaultValue = FALSE) boolean includeUnprocessed) { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); accessControlService.verifyUserIsApprover(dossierId); manualRedactionUndoService.undo(dossierId, fileId, annotationIds, includeUnprocessed); 
@@ -94,7 +94,7 @@ public class ManualRedactionController implements ManualRedactionResource { @PathVariable(ANNOTATION_ID) String annotationId, @PathVariable(COMMENT_ID) String commentId) { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); accessControlService.verifyUserIsReviewerOrApprover(dossierId, fileId); @@ -116,7 +116,7 @@ public class ManualRedactionController implements ManualRedactionResource { @PathVariable(FILE_ID) String fileId, @RequestParam(value = "unprocessed", required = false, defaultValue = FALSE) boolean unprocessed) { - accessControlService.verifyDossierViewPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); accessControlService.validateFileResourceExistence(fileId); return manualRedactionService.getManualRedactions(fileId, unprocessed); } @@ -127,7 +127,7 @@ public class ManualRedactionController implements ManualRedactionResource { public AnnotationComments getComments(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @PathVariable(ANNOTATION_ID) String annotationId) { dossierManagementService.getDossierById(dossierId, false, false); - accessControlService.verifyDossierViewPermission(dossierId); + accessControlService.checkViewPermissionsToDossier(dossierId); fileStatusManagementService.getFileStatus(fileId, false); List comments = commentService.getComments(fileId, annotationId); 
@@ -142,7 +142,7 @@ public class ManualRedactionController implements ManualRedactionResource { @PathVariable(ANNOTATION_ID) String annotationId, @RequestBody AddCommentRequestModel addCommentRequest) { - accessControlService.verifyDossierAccessPermission(dossierId); + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); accessControlService.verifyUserIsReviewerOrApprover(dossierId, fileId); @@ -167,7 +167,7 @@ public class ManualRedactionController implements ManualRedactionResource { @RequestBody Set addRedactionRequests) { var dossier = dossierManagementService.getDossierById(dossierId, false, false); - accessControlService.verifyDossierAccessPermission(dossierId); + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); if (addRedactionRequests.stream().anyMatch(AddRedactionRequestModel::isAddToAllDossiers)) { accessControlService.verifyUserIsApprover(dossierId); @@ -197,7 +197,7 @@ public class ManualRedactionController implements ManualRedactionResource { @RequestParam(value = "includeUnprocessed", required = false, defaultValue = FALSE) boolean includeUnprocessed) { var dossier = dossierManagementService.getDossierById(dossierId, false, false); - accessControlService.verifyDossierAccessPermission(dossierId); + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); if (removeRedactionRequests.stream().anyMatch(RemoveRedactionRequestModel::isRemoveFromAllDossiers)) { accessControlService.verifyUserIsApprover(dossierId); 
@@ -225,7 +225,7 @@ public class ManualRedactionController implements ManualRedactionResource { @PathVariable(FILE_ID) String fileId, @RequestBody Set forceRedactionRequests) { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); accessControlService.verifyUserIsMemberOrApprover(dossierId); @@ -249,7 +249,7 @@ public class ManualRedactionController implements ManualRedactionResource { @PathVariable(FILE_ID) String fileId, @RequestBody Set legalBasisChangeRequests) { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); accessControlService.verifyUserIsMemberOrApprover(dossierId); @@ -276,7 +276,7 @@ public class ManualRedactionController implements ManualRedactionResource { @RequestParam(value = "includeUnprocessed", required = false, defaultValue = FALSE) boolean includeUnprocessed) { var dossier = dossierManagementService.getDossierById(dossierId, false, false); - accessControlService.verifyDossierAccessPermission(dossierId); + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); accessControlService.verifyUserIsMemberOrApprover(dossierId); 
@@ -302,7 +302,7 @@ public class ManualRedactionController implements ManualRedactionResource { @RequestBody Set resizeRedactionRequests, @RequestParam(value = "includeUnprocessed", required = false, defaultValue = FALSE) boolean includeUnprocessed) { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); accessControlService.verifyUserIsMemberOrApprover(dossierId); diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ReanalysisController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ReanalysisController.java index fd03201ae..d343d0a31 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ReanalysisController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ReanalysisController.java @@ -8,6 +8,7 @@ import java.util.List; import java.util.Map; import java.util.Set; +import org.springframework.security.access.AccessDeniedException; import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.PathVariable; import org.springframework.web.bind.annotation.RequestBody; 
@@ -44,7 +45,7 @@ public class ReanalysisController implements ReanalysisResource { @PreAuthorize("hasAuthority('" + REANALYZE_DOSSIER + "')") public void reanalyzeDossier(@PathVariable(DOSSIER_ID) String dossierId, @RequestParam(value = FORCE_PARAM, required = false, defaultValue = FALSE) boolean force) { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); reanalysisService.reanalyzeDossier(dossierId, force); auditPersistenceService.audit(AuditRequest.builder() @@ -61,9 +62,6 @@ public class ReanalysisController implements ReanalysisResource { @PathVariable(FILE_ID) String fileId, @RequestParam(value = FORCE_PARAM, required = false, defaultValue = FALSE) boolean force) { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); - accessControlService.validateFileResourceExistence(fileId); - reanalysisService.reanalyzeFiles(dossierId, Sets.newHashSet(fileId), force); auditPersistenceService.audit(AuditRequest.builder() .userId(KeycloakSecurity.getUserId()) @@ -81,8 +79,6 @@ public class ReanalysisController implements ReanalysisResource { @RequestBody List fileIds, @RequestParam(value = FORCE_PARAM, required = false, defaultValue = FALSE) boolean force) { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); - reanalysisService.reanalyzeFiles(dossierId, new HashSet<>(fileIds), force); auditPersistenceService.audit(AuditRequest.builder() @@ -100,7 +96,7 @@ public class ReanalysisController implements ReanalysisResource { @PreAuthorize("hasAuthority('" + REANALYZE_DOSSIER + "')") public void ocrDossier(@PathVariable(DOSSIER_ID) String dossierId) { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); reanalysisService.ocrDossier(dossierId); 
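Review bot: The hunks for reanalyzeFile (`@@ -61`) and reanalyzeFiles (`@@ -79`), and the ocrFile hunk (`@@ -120`) that follows, delete the dossier-level check without a visible replacement, so nothing in these handlers ties the caller to `dossierId` before `reanalysisService.reanalyzeFiles(...)` or `reanalysisService.ocrFile(...)` runs. Unless the service methods or `validateOCR` now perform the check themselves (not visible here), a caller who reaches these endpoints could start reanalysis or OCR on a dossier they have no access to. I would keep `accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId);` as the first statement of each handler, plus `accessControlService.validateFileResourceExistence(fileId);` in reanalyzeFile, or add a comment naming where the check now lives. The newly imported `AccessDeniedException` has no use in the visible hunks, and the handlers' signatures and annotations start outside them.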
@@ -120,7 +116,6 @@ public class ReanalysisController implements ReanalysisResource { @PathVariable(FILE_ID) String fileId, @RequestParam(value = FORCE_PARAM, required = false, defaultValue = FALSE) boolean force) { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); validateOCR(dossierId, fileId); reanalysisService.ocrFile(dossierId, fileId, force); auditPersistenceService.audit(AuditRequest.builder() diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/StatusController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/StatusController.java index d86ee8534..7b02a6e94 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/StatusController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/StatusController.java @@ -149,7 +149,7 @@ public class StatusController implements StatusResource { @PreAuthorize("hasAuthority('" + READ_FILE_STATUS + "')") public FileStatus getFileStatus(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { - accessControlService.verifyDossierViewPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); return FileStatusMapper.toFileStatus(fileStatusManagementService.getFileStatus(fileId)); } 
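Review bot: In getFileStatus (`@@ -149`) the permission check is made on `dossierId`, but the lookup `fileStatusManagementService.getFileStatus(fileId)` takes only `fileId`, so nothing visible confirms that the file belongs to that dossier. If the service does not enforce that binding (it is not shown here), a user with view rights on one dossier could read the status of a file in another. After the lookup I would compare the file's owning dossier with `dossierId` and answer a mismatch with the same `NotFoundException("Object not found")` that the view check uses, so the response does not reveal that the file exists. The same check-by-dossier, load-by-file pattern appears in the `@@ -240` and `@@ -270` hunks.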
@@ -160,7 +160,7 @@ public class StatusController implements StatusResource { @PathVariable(FILE_ID) String fileId, @RequestParam(name = ASSIGNEE_ID_REQUEST_PARAM, required = false) String assigneeId) { - accessControlService.verifyDossierAccessPermission(dossierId); + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.verifyUserIsMemberOrApprover(dossierId); log.debug("Requested [setFileReviewer] for dossier: {} / file: {} / reviewer: {}", dossierId, fileId, assigneeId); @@ -240,7 +240,7 @@ public class StatusController implements StatusResource { @PathVariable(FILE_ID) String fileId, @RequestParam(value = ASSIGNEE_ID_REQUEST_PARAM, required = false) String assigneeId) { - accessControlService.verifyDossierAccessPermission(dossierId); + accessControlService.checkAccessPermissionsToDossier(dossierId); var fileStatus = fileStatusManagementService.getFileStatus(fileId); setStatusUnderReviewForFile(dossierId, fileId, assigneeId); @@ -270,7 +270,7 @@ public class StatusController implements StatusResource { @PathVariable(FILE_ID) String fileId, @RequestParam(name = ASSIGNEE_ID_REQUEST_PARAM, required = false) String assigneeId) { - accessControlService.verifyDossierAccessPermission(dossierId); + accessControlService.checkAccessPermissionsToDossier(dossierId); var fileStatus = fileStatusManagementService.getFileStatus(fileId); setStatusUnderApprovalForFile(dossierId, fileId, assigneeId); @@ -299,7 +299,7 @@ public class StatusController implements StatusResource { @PreAuthorize("hasAuthority('" + SET_STATUS_APPROVED + "')") public void setStatusApproved(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { - accessControlService.verifyDossierAccessPermission(dossierId); + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.verifyUserIsApprover(dossierId); setStatusApprovedForFile(dossierId, fileId); auditPersistenceService.audit(AuditRequest.builder() 
@@ -408,7 +408,7 @@ public class StatusController implements StatusResource { @PreAuthorize("hasAuthority('" + SET_REVIEWER + "')") public void setStatusNewForList(@PathVariable(DOSSIER_ID) String dossierId, @RequestBody List fileIds) { - accessControlService.verifyDossierAccessPermission(dossierId); + accessControlService.checkAccessPermissionsToDossier(dossierId); for (var fileId : fileIds) { accessControlService.verifyUserIsReviewerOrApprover(dossierId, fileId); var fileStatus = fileStatusManagementService.getFileStatus(fileId); diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/StatusReportController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/StatusReportController.java index 60aca454d..55db7bf9e 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/StatusReportController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/StatusReportController.java @@ -41,7 +41,7 @@ public class StatusReportController implements StatusReportResource { @PreAuthorize("hasAuthority('" + READ_DOSSIER + "')") public ResponseEntity generateStatusReport(@PathVariable(DOSSIER_ID) String dossierId) { - accessControlService.verifyDossierViewPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); try { StatusReportResponse statusReportResponse = statusReportClient.generateStatusReport(dossierId); 
diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/UploadController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/UploadController.java index 4af50d043..f57d0a1c1 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/UploadController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/UploadController.java @@ -67,7 +67,7 @@ public class UploadController implements UploadResource { @PathVariable(DOSSIER_ID) String dossierId, @RequestParam(value = "keepManualRedactions", required = false, defaultValue = "false") boolean keepManualRedactions) { - accessControlService.verifyDossierAccessPermission(dossierId); + accessControlService.checkAccessPermissionsToDossier(dossierId); if (file.getOriginalFilename() == null) { throw new BadRequestException("Could not upload file, no filename provided."); } @@ -101,7 +101,7 @@ public class UploadController implements UploadResource { @PathVariable(FILE_ID) String fileId, @RequestParam(value = "pageInclusionRequest", required = false) Set pageInclusionRequest) { - accessControlService.verifyDossierAccessPermission(dossierId); + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); accessControlService.verifyUserIsReviewerOrApprover(dossierId, fileId); 
diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/VersionsController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/VersionsController.java index 4a7ae3219..a0b33bf7e 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/VersionsController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/VersionsController.java @@ -47,7 +47,7 @@ public class VersionsController implements VersionsResource { @PreAuthorize("hasAuthority('" + READ_VERSIONS + "')") public Long getDossierDictionaryVersion(@PathVariable(DOSSIER_TEMPLATE_PARAMETER_NAME) String dossierTemplateId, @PathVariable(DOSSIER_ID_PARAM) String dossierId) { - accessControlService.verifyDossierViewPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); return dictionaryPersistenceService.getVersionForDossier(dossierId); } diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ViewedPagesController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ViewedPagesController.java index dbc100535..37f6b926c 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ViewedPagesController.java 
+++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ViewedPagesController.java @@ -36,7 +36,7 @@ public class ViewedPagesController implements ViewedPagesResource { @PreAuthorize("hasAuthority('" + MANAGE_VIEWED_PAGES + "')") public void addPage(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @RequestBody ViewedPagesRequest viewedPagesRequest) { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); accessControlService.verifyUserIsReviewer(dossierId, fileId); viewedPagesPersistenceService.insertPage(fileId, KeycloakSecurity.getUserId(), viewedPagesRequest.getPage()); } @@ -45,7 +45,7 @@ public class ViewedPagesController implements ViewedPagesResource { @PreAuthorize("hasAuthority('" + MANAGE_VIEWED_PAGES + "')") public void removePage(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @PathVariable(PAGE) int page) { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); accessControlService.verifyUserIsReviewer(dossierId, fileId); viewedPagesPersistenceService.removePage(fileId, KeycloakSecurity.getUserId(), page); } 
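Review bot: addPage (`@@ -36`) and removePage (`@@ -45`) now call `checkDossierExistenceAndViewPermissionsToDossier`, where the removed line was the access variant, so these two write endpoints drop from the ACCESS_OBJECT to the VIEW_OBJECT requirement in a commit described as a rename. `verifyUserIsReviewer(dossierId, fileId)` still follows and may make this safe, but that method is not visible here. If the relaxation is intended, say so with a comment such as `// view permission is enough here: verifyUserIsReviewer below limits writes to the file's reviewer`. Otherwise use `accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId);` as the other renamed call sites do.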
@@ -54,7 +54,7 @@ public class ViewedPagesController implements ViewedPagesResource { @PreAuthorize("hasAuthority('" + MANAGE_VIEWED_PAGES + "')") public ViewedPages getViewedPages(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { - accessControlService.verifyDossierViewPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); accessControlService.verifyUserIsReviewer(dossierId, fileId); try { var pages = MagicConverter.convert(viewedPagesPersistenceService.findViewedPages(fileId, KeycloakSecurity.getUserId()), ViewedPage.class); diff --git a/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/AccessControlService.java b/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/AccessControlService.java index 922fdee4f..8f439fdfd 100644 --- a/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/AccessControlService.java +++ b/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/AccessControlService.java @@ -1,6 +1,5 @@ package com.iqser.red.service.persistence.management.v1.processor.service; - import org.springframework.http.HttpStatus; import org.springframework.security.access.prepost.PostAuthorize; import org.springframework.security.acls.AclPermissionEvaluator; 
@@ -11,7 +10,6 @@ import com.iqser.red.service.persistence.management.v1.processor.acl.custom.doss import com.iqser.red.service.persistence.management.v1.processor.exception.BadRequestException; import com.iqser.red.service.persistence.management.v1.processor.exception.NotAllowedException; import com.iqser.red.service.persistence.management.v1.processor.exception.NotFoundException; -import com.iqser.red.service.persistence.management.v1.processor.service.persistence.DossierPersistenceService; import com.iqser.red.service.persistence.management.v1.processor.service.users.UserService; import com.iqser.red.service.persistence.service.v1.api.shared.model.dossiertemplate.dossier.file.WorkflowStatus; import com.knecon.fforesight.keycloakcommons.security.KeycloakSecurity; @@ -82,6 +80,7 @@ public class AccessControlService { } + // checks that the user has view permissions to dossier and returns 403 if it doesn't @PostAuthorize("hasPermission(#dossierId, 'Dossier', 'VIEW_OBJECT')") public void verifyUserHasViewPermissions(String dossierId) { @@ -125,6 +124,7 @@ public class AccessControlService { + // checks that the user has view permissions to dossier and returns a boolean flag public boolean hasUserViewPermissionsForDossier(String dossierId) { return aclPermissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), dossierId, "Dossier", "VIEW_OBJECT"); 
@@ -153,28 +153,29 @@ public class AccessControlService { } } - public void verifyDossierViewPermission(String dossierId) { + //verifies that user has view permissions to the dossier and responds with 404 if it doesn't + public void checkViewPermissionsToDossier(String dossierId) { if (!hasUserViewPermissionsForDossier(dossierId)) { throw new NotFoundException("Object not found"); } } - public void verifyDossierAccessPermission(String dossierId) { - verifyDossierViewPermission(dossierId); - verifyUserHasAccessPermissions(dossierId); - } - - public void verifyDossierViewPermissionAndResourceNotDeleted(String dossierId) { - - // validates that the dossier is present and not deleted + //verifies that dossier is present and not deleted and user has view permissions to the dossier and responds with 404 if it doesn't + public void checkDossierExistenceAndViewPermissionsToDossier(String dossierId) { dossierManagementService.getDossierById(dossierId, true, false); - verifyDossierViewPermission(dossierId); - + checkViewPermissionsToDossier(dossierId); } - public void verifyDossierAccessPermissionAndResourceNotDeleted(String dossierId) { - verifyDossierViewPermissionAndResourceNotDeleted(dossierId); - verifyUserHasAccessPermissions(dossierId); + //verifies that user has access permissions to the dossier and responds with 403 in case it doesn't + @PostAuthorize("hasPermission(#dossierId, 'Dossier', 'ACCESS_OBJECT')") + public void checkAccessPermissionsToDossier(String dossierId) { + checkViewPermissionsToDossier(dossierId); + } + + //checks the existence of dossier and if it is not deleted and view permissions + @PostAuthorize("hasPermission(#dossierId, 'Dossier', 'ACCESS_OBJECT')") + public void checkDossierExistenceAndAccessPermissionsToDossier(String dossierId) { + checkDossierExistenceAndViewPermissionsToDossier(dossierId); } public void validateFileResourceExistence(String fileId) { 
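Review bot: The ACCESS_OBJECT requirement in `checkAccessPermissionsToDossier` and `checkDossierExistenceAndAccessPermissionsToDossier` now exists only as a `@PostAuthorize` annotation, and the comment on the second method mentions existence and view permissions but not the access check or its 403. Under Spring's default proxy-based method security the annotation applies only to calls that go through the bean proxy, so a call from another method of `AccessControlService`, or on an instance built with `new` in a test, would run the view check alone. I would document that on both methods, e.g. `// 404 if the dossier is missing, deleted or not viewable; then 403 via @PostAuthorize if ACCESS_OBJECT is missing (enforced only through the Spring proxy)`, or make the check explicit with `aclPermissionEvaluator.hasPermission(...)` the way `hasUserViewPermissionsForDossier` does. A test asserting the 403 for a user who has view but not access permission would pin the behaviour.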
diff --git a/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/DictionaryService.java b/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/DictionaryService.java index 37cae9f75..136d75368 100644 --- a/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/DictionaryService.java +++ b/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/DictionaryService.java @@ -115,7 +115,7 @@ public class DictionaryService { public void deleteDossierEntries(String type, String dossierTemplateId, List entries, String dossierId, DictionaryEntryType dictionaryEntryType) { try { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.verifyUserIsMemberOrApprover(dossierId); } catch (AccessDeniedException e) { throw new NotFoundException("Object not found"); @@ -212,7 +212,7 @@ public class DictionaryService { @PreAuthorize("hasAuthority('" + DELETE_DOSSIER_DICTIONARY_TYPE + "')") public void deleteDossierType(String type, String dossierTemplateId, String dossierId) { - accessControlService.verifyDossierAccessPermissionAndResourceNotDeleted(dossierId); + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.verifyUserIsMemberOrApprover(dossierId); deleteType(toTypeId(type, dossierTemplateId, dossierId)); } 
@@ -224,7 +224,7 @@ public class DictionaryService { List types = MagicConverter.convert(dictionaryPersistenceService.getAllTypesForDossierTemplate(dossierTemplateId, includeDeleted), Type.class); if (dossierId != null) { try { - accessControlService.verifyDossierViewPermission(dossierId); + accessControlService.checkViewPermissionsToDossier(dossierId); dictionaryManagementService.checkDossierMatchesDossierTemplate(dossierId, dossierTemplateId); // for every dossier template type check if a dossier type exists types.forEach(t -> dictionaryManagementService.checkForDossierTypeExistenceAndCreate(toTypeId(t.getType(), t.getDossierTemplateId(), dossierId))); @@ -264,7 +264,7 @@ public class DictionaryService { try { if (dossierId != null) { - accessControlService.verifyDossierViewPermission(dossierId); + accessControlService.checkViewPermissionsToDossier(dossierId); } var typeId = toTypeId(type, dossierTemplateId, dossierId); // create dossier level type if it does not exist @@ -323,7 +323,7 @@ public class DictionaryService { try { if (dossierId != null) { - accessControlService.verifyDossierViewPermission(dossierId); + accessControlService.checkViewPermissionsToDossier(dossierId); } var dossierTemplateDictionary = dictionaryPersistenceService.getType(toTypeId(type, dossierTemplateId)); var typeId = toTypeId(type, dossierTemplateId, dossierId);