From d09da8ea78d14bbca15521ab82413217c26fb3be Mon Sep 17 00:00:00 2001
From: devplant
Date: Thu, 4 May 2023 09:44:57 +0300
Subject: [PATCH 1/2] RED-6034 - Possible to assign a file to unauthorized users - change status from 403 to 400
---
 .../management/v1/processor/service/AccessControlService.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/AccessControlService.java b/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/AccessControlService.java
index cd75b6e65..4a8e2a394 100644
--- a/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/AccessControlService.java
+++ b/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/AccessControlService.java
@@ -6,6 +6,7 @@ import org.springframework.stereotype.Service;
 import com.iqser.red.keycloak.commons.KeycloakSecurity;
 import com.iqser.red.service.persistence.management.v1.processor.acl.custom.dossier.DossierACLService;
+import com.iqser.red.service.persistence.management.v1.processor.exception.BadRequestException;
 import com.iqser.red.service.persistence.management.v1.processor.exception.NotAllowedException;
 import com.iqser.red.service.persistence.management.v1.processor.exception.NotFoundException;
 import com.iqser.red.service.persistence.service.v1.api.shared.model.dossiertemplate.dossier.file.WorkflowStatus;
@@ -69,7 +70,7 @@ public class AccessControlService {
 var isMember = dossier.getMemberIds().contains(userId);
 var isApprover = dossier.getApproverIds().contains(userId);
 if (!isMember && !isApprover) {
- throw new NotAllowedException("User must be dossier member or approver.");
+ throw new BadRequestException("User must be dossier member or approver.");
 }
 }
From 113947d2165821ab778eacfe537918f52fd9c082 Mon Sep 17 00:00:00 2001
From: devplant
Date: Thu, 4 May 2023 10:29:15 +0300
Subject: [PATCH 2/2] RED-6034 - Possible to assign a file to unauthorized users - update junit test
---
 .../peristence/v1/server/integration/tests/FileTest.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/persistence-service-v1/persistence-service-server-v1/src/test/java/com/iqser/red/service/peristence/v1/server/integration/tests/FileTest.java b/persistence-service-v1/persistence-service-server-v1/src/test/java/com/iqser/red/service/peristence/v1/server/integration/tests/FileTest.java
index a9c57a057..658d471d6 100644
--- a/persistence-service-v1/persistence-service-server-v1/src/test/java/com/iqser/red/service/peristence/v1/server/integration/tests/FileTest.java
+++ b/persistence-service-v1/persistence-service-server-v1/src/test/java/com/iqser/red/service/peristence/v1/server/integration/tests/FileTest.java
@@ -548,7 +548,7 @@ public class FileTest extends AbstractPersistenceServerServiceTest {
 assertThat(actualMessage).contains(expectedMessage);
- exception = Assertions.assertThrows(FeignException.Forbidden.class, () -> {
+ exception = Assertions.assertThrows(FeignException.BadRequest.class, () -> {
 fileClient.setStatusUnderReview(dossier.getId(), file.getId(), user2);
 });
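Review bot: The `throw new BadRequestException(...)` in AccessControlService now reports a failed dossier-membership check as 400, and nothing in the hunk says whether `userId` is always the assignee named in the request or can also be the authenticated caller. If any call site passes the current user's id to this check, a real authorization failure would be reported as a client error and would drop out of any monitoring or audit that keys on 403. I would confirm the call sites and record the intent above the throw, e.g. `// userId is the requested assignee, not the caller: an ineligible assignee is invalid input (400), not an access denial (403)`. The enclosing method starts outside the hunk, so its name and its callers are not visible here.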
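Review bot: The updated `assertThrows(FeignException.BadRequest.class, ...)` in FileTest pins only the status code, while the defect tracked as RED-6034 is that a file could end up assigned to a user outside the dossier. After the rejected `setStatusUnderReview` call the test should also reload the file and assert that its assignee and workflow status are unchanged, so that a regression which returns 400 but still persists the assignment is caught. The test method starts before and continues after this hunk, so such an assertion may already exist further down.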