diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java index c1010dda4..6e0428ac8 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java @@ -6,6 +6,7 @@ import static com.iqser.red.service.persistence.management.v1.processor.roles.Ac import static com.iqser.red.service.persistence.management.v1.processor.roles.ActionRoles.WRITE_DOSSIER_ATTRIBUTES_CONFIG; import static com.iqser.red.service.persistence.management.v1.processor.roles.ActionRoles.WRITE_FILE_ATTRIBUTES; +import java.util.Collections; import java.util.List; import java.util.Map; @@ -15,6 +16,7 @@ import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RestController; +import com.iqser.red.service.persistence.management.v1.processor.service.persistence.DossierPersistenceService; import com.knecon.fforesight.keycloakcommons.security.KeycloakSecurity; import com.iqser.red.service.persistence.management.v1.processor.entity.dossier.DossierAttributeConfigEntity; import com.iqser.red.service.persistence.management.v1.processor.service.AccessControlService; @@ -36,6 +38,7 @@ import lombok.RequiredArgsConstructor; @RequiredArgsConstructor public class DossierAttributesController implements DossierAttributesResource { + private final DossierPersistenceService dossierPersistenceService; private final DossierAttributeConfigPersistenceService dossierAttributeConfigPersistenceService; private final AuditPersistenceService auditPersistenceService; private final DossierAttributesManagementService dossierAttributesManagementService; @@ -146,10 +149,16 @@ public class DossierAttributesController implements DossierAttributesResource { } - @PreAuthorize("hasAuthority('" + READ_DOSSIER_ATTRIBUTES + "') && hasPermission(#dossierId, 'Dossier', 'VIEW_OBJECT')") + @PreAuthorize("hasAuthority('" + READ_DOSSIER_ATTRIBUTES + "')") public DossierAttributes getDossierAttributes(String dossierId) { - var result = dossierAttributesManagementService.getDossierAttributes(dossierId); + //check if dossier exists before verifying permissions + dossierPersistenceService.findByDossierId(dossierId); + + List result = Collections.emptyList(); + if (accessControlService.hasUserViewPermissionsForDossier(dossierId)) { + result = dossierAttributesManagementService.getDossierAttributes(dossierId); + } auditPersistenceService.insertRecord(AuditRequest.builder() .userId(KeycloakSecurity.getUserId()) .objectId(dossierId) diff --git a/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/acl/ACLBeanConfiguration.java b/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/acl/ACLBeanConfiguration.java index 93c32eff3..b0364f7ad 100644 --- a/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/acl/ACLBeanConfiguration.java +++ b/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/acl/ACLBeanConfiguration.java @@ -76,14 +76,20 @@ public class ACLBeanConfiguration { } + @Bean + public AclPermissionEvaluator defaultACLPermissionEvaluator() { + return new AclPermissionEvaluator(aclService()); + } + @Bean @Primary public MethodSecurityExpressionHandler defaultMethodSecurityExpressionHandler() { DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler(); - AclPermissionEvaluator permissionEvaluator = new AclPermissionEvaluator(aclService()); - permissionEvaluator.setPermissionFactory(permissionFactory()); - expressionHandler.setPermissionEvaluator(permissionEvaluator); + + AclPermissionEvaluator aclPermissionEvaluator = defaultACLPermissionEvaluator(); + aclPermissionEvaluator.setPermissionFactory(permissionFactory()); + expressionHandler.setPermissionEvaluator(aclPermissionEvaluator); var permissionCacheOptimizer = new AclPermissionCacheOptimizer(aclService()); permissionCacheOptimizer.setObjectIdentityRetrievalStrategy(new RedObjectIdentityRetrievalStrategy()); diff --git a/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/AccessControlService.java b/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/AccessControlService.java index 5a1ff5859..4be6329ee 100644 --- a/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/AccessControlService.java +++ b/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/AccessControlService.java @@ -2,6 +2,8 @@ package com.iqser.red.service.persistence.management.v1.processor.service; import org.springframework.http.HttpStatus; import org.springframework.security.access.prepost.PostAuthorize; +import org.springframework.security.acls.AclPermissionEvaluator; +import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.stereotype.Service; import com.iqser.red.service.persistence.management.v1.processor.acl.custom.dossier.DossierACLService; @@ -23,6 +25,7 @@ public class AccessControlService { private final FileStatusManagementService fileStatusManagementService; private final DossierManagementService dossierManagementService; private final DossierACLService dossierACLService; + private final AclPermissionEvaluator aclPermissionEvaluator; public void verifyUserIsReviewer(String dossierId, String fileId) { @@ -122,6 +125,10 @@ public class AccessControlService { } + public boolean hasUserViewPermissionsForDossier(String dossierId) { + return aclPermissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), dossierId, "Dossier", "VIEW_OBJECT"); + } + public void verifyFileIsNotApproved(String dossierId, String fileId) {