Merge branch 'RED-5369' into 'master'

RED-5369: View dossier & access permissions are not working for dossier attributes controller

Closes RED-5369

See merge request redactmanager/persistence-service!316
Maverick Studer 2024-01-22 12:56:53 +01:00
commit ef13d8ace2
3 changed files with 27 additions and 5 deletions


@ -6,6 +6,7 @@ import static com.iqser.red.service.persistence.management.v1.processor.roles.Ac
import static com.iqser.red.service.persistence.management.v1.processor.roles.ActionRoles.WRITE_DOSSIER_ATTRIBUTES_CONFIG;
import static com.iqser.red.service.persistence.management.v1.processor.roles.ActionRoles.WRITE_FILE_ATTRIBUTES;
import java.util.Collections;
import java.util.List;
import java.util.Map;
@ -15,6 +16,7 @@ import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import com.iqser.red.service.persistence.management.v1.processor.service.persistence.DossierPersistenceService;
import com.knecon.fforesight.keycloakcommons.security.KeycloakSecurity;
import com.iqser.red.service.persistence.management.v1.processor.entity.dossier.DossierAttributeConfigEntity;
import com.iqser.red.service.persistence.management.v1.processor.service.AccessControlService;
@ -36,6 +38,7 @@ import lombok.RequiredArgsConstructor;
@RequiredArgsConstructor
public class DossierAttributesController implements DossierAttributesResource {
private final DossierPersistenceService dossierPersistenceService;
private final DossierAttributeConfigPersistenceService dossierAttributeConfigPersistenceService;
private final AuditPersistenceService auditPersistenceService;
private final DossierAttributesManagementService dossierAttributesManagementService;
@ -146,10 +149,16 @@ public class DossierAttributesController implements DossierAttributesResource {
}
@PreAuthorize("hasAuthority('" + READ_DOSSIER_ATTRIBUTES + "') && hasPermission(#dossierId, 'Dossier', 'VIEW_OBJECT')")
@PreAuthorize("hasAuthority('" + READ_DOSSIER_ATTRIBUTES + "')")
public DossierAttributes getDossierAttributes(String dossierId) {
var result = dossierAttributesManagementService.getDossierAttributes(dossierId);
//check if dossier exists before verifying permissions
dossierPersistenceService.findByDossierId(dossierId);
List<DossierAttribute> result = Collections.emptyList();
if (accessControlService.hasUserViewPermissionsForDossier(dossierId)) {
result = dossierAttributesManagementService.getDossierAttributes(dossierId);
}
auditPersistenceService.insertRecord(AuditRequest.builder()
.userId(KeycloakSecurity.getUserId())
.objectId(dossierId)
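Review bot: Denied access now answers with an empty list (`result` stays `Collections.emptyList()` when `hasUserViewPermissionsForDossier` returns false), whereas the removed `hasPermission(#dossierId, 'Dossier', 'VIEW_OBJECT')` clause failed closed with an access-denied error, so a caller can no longer tell "no attributes configured" from "not permitted" and a mis-wired ACL would be masked as empty data. If a 403 is the intended contract, invert the check: `if (!accessControlService.hasUserViewPermissionsForDossier(dossierId)) { throw new AccessDeniedException("VIEW_OBJECT denied on dossier " + dossierId); }`; if the empty result is deliberate, state it in a Javadoc on getDossierAttributes. The `dossierPersistenceService.findByDossierId(dossierId)` call runs before the permission check, so its failure mode (presumably a not-found error) tells any holder of READ_DOSSIER_ATTRIBUTES whether a dossier id exists, which is fine only if dossier ids are not treated as confidential. The audit record is built after the check regardless of its outcome, so the recorded action should presumably distinguish a denied read; the builder and the method's return continue past the hunk.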


@ -76,14 +76,20 @@ public class ACLBeanConfiguration {
}
@Bean
public AclPermissionEvaluator defaultACLPermissionEvaluator() {
return new AclPermissionEvaluator(aclService());
}
@Bean
@Primary
public MethodSecurityExpressionHandler defaultMethodSecurityExpressionHandler() {
DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
AclPermissionEvaluator permissionEvaluator = new AclPermissionEvaluator(aclService());
permissionEvaluator.setPermissionFactory(permissionFactory());
expressionHandler.setPermissionEvaluator(permissionEvaluator);
AclPermissionEvaluator aclPermissionEvaluator = defaultACLPermissionEvaluator();
aclPermissionEvaluator.setPermissionFactory(permissionFactory());
expressionHandler.setPermissionEvaluator(aclPermissionEvaluator);
var permissionCacheOptimizer = new AclPermissionCacheOptimizer(aclService());
permissionCacheOptimizer.setObjectIdentityRetrievalStrategy(new RedObjectIdentityRetrievalStrategy());
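Review bot: `defaultMethodSecurityExpressionHandler` obtains the evaluator through the `defaultACLPermissionEvaluator()` bean method and only then mutates it with `setPermissionFactory`, so the instance injected into AccessControlService carries the custom permission factory only if this class is a proxied @Configuration where bean-method calls return the singleton; with `proxyBeanMethods = false`, or with the bean created elsewhere first, the injected evaluator would use the default factory, which presumably does not know the custom 'VIEW_OBJECT' name. Whether the class is proxied cannot be seen here, as the class header is outside the hunk. Configuring the bean where it is defined removes the dependence on call order: `AclPermissionEvaluator evaluator = new AclPermissionEvaluator(aclService()); evaluator.setPermissionFactory(permissionFactory()); return evaluator;` in `defaultACLPermissionEvaluator`, leaving the handler to call `expressionHandler.setPermissionEvaluator(defaultACLPermissionEvaluator());`. A one-line Javadoc on the bean saying that the same evaluator backs both SpEL hasPermission() and the imperative check in AccessControlService would make the intended sharing explicit.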


@ -2,6 +2,8 @@ package com.iqser.red.service.persistence.management.v1.processor.service;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.acls.AclPermissionEvaluator;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;
import com.iqser.red.service.persistence.management.v1.processor.acl.custom.dossier.DossierACLService;
@ -23,6 +25,7 @@ public class AccessControlService {
private final FileStatusManagementService fileStatusManagementService;
private final DossierManagementService dossierManagementService;
private final DossierACLService dossierACLService;
private final AclPermissionEvaluator aclPermissionEvaluator;
public void verifyUserIsReviewer(String dossierId, String fileId) {
@ -122,6 +125,10 @@ public class AccessControlService {
}
public boolean hasUserViewPermissionsForDossier(String dossierId) {
return aclPermissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), dossierId, "Dossier", "VIEW_OBJECT");
}
public void verifyFileIsNotApproved(String dossierId, String fileId) {
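Review bot: `hasUserViewPermissionsForDossier` hard-codes the target type "Dossier" and the permission "VIEW_OBJECT" as string literals, duplicating the values the removed SpEL clause carried and the ones the ACL entries must have been written with; lift them to constants, e.g. `private static final String DOSSIER_OBJECT_TYPE = "Dossier";` and `private static final String VIEW_OBJECT_PERMISSION = "VIEW_OBJECT";`, so the imperative check and any remaining `hasPermission(...)` expressions cannot drift apart. The method reads the Authentication from SecurityContextHolder; callers are presumably inside @PreAuthorize-guarded endpoints, but a null authentication would surface as an exception from the evaluator rather than a false, so the precondition belongs in a Javadoc such as `/** Evaluates ACL VIEW_OBJECT on the Dossier identified by dossierId for the current Authentication; requires an authenticated security context. */`. As far as I recall AclPermissionEvaluator reports a missing ACL as false, so entries stored under an object-identity type other than "Dossier" would deny everyone silently; a test against the real ACL type mapping (the RedObjectIdentityRetrievalStrategy configured in ACLBeanConfiguration) would catch that.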