From f5f1bde988fe707e289fe51c6cdd8c8305c5a4f7 Mon Sep 17 00:00:00 2001
From: Ali Oezyetimoglu
Date: Thu, 4 Jan 2024 14:23:55 +0100
Subject: [PATCH] RED-5246: changed permission check for getDossier(...)

---
 .../external/api/impl/controller/DossierController.java | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierController.java
index 18d2044eb..9e0fb0086 100644
--- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierController.java
+++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierController.java
@@ -18,12 +18,14 @@ import java.util.Set;
 import java.util.TreeSet;
 import java.util.stream.Collectors;
+import com.iqser.red.service.persistence.management.v1.processor.exception.NotFoundException;
 import com.iqser.red.service.persistence.management.v1.processor.service.DossierCreatorService;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.prepost.PostAuthorize;
 import org.springframework.security.access.prepost.PostFilter;
 import org.springframework.security.access.prepost.PreAuthorize;
@@ -374,11 +376,16 @@ public class DossierController implements DossierResource {
 @PreAuthorize("hasAuthority('" + READ_DOSSIER + "')")
- @PostAuthorize("hasPermission(#dossierId, 'Dossier', 'VIEW_OBJECT')")
 public Dossier getDossier(@PathVariable(DOSSIER_ID_PARAM) String dossierId, @RequestParam(name = INCLUDE_ARCHIVED_PARAM, defaultValue = "false", required = false) boolean includeArchived, @RequestParam(name = INCLUDE_DELETED_PARAM, defaultValue = "false", required = false) boolean includeDeleted) {
+ try {
+ accessControlService.verifyUserHasViewPermissions(dossierId);
+ } catch (AccessDeniedException e) {
+ throw new NotFoundException("Object not found");
+ }
+
 return dossierACLService.enhanceDossierWithACLData(dossierManagementService.getDossierById(dossierId, includeArchived, includeDeleted));
 }
-- 
2.47.2
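Review bot: Masking the denial as `NotFoundException("Object not found")` only hides a dossier's existence if the genuinely-missing case is indistinguishable from it, and `dossierManagementService.getDossierById(...)` on the following line presumably raises its own not-found error — if that one carries a different status, message or detail (for example the id), a caller can still tell "exists but forbidden" from "does not exist", which is exactly what this change is meant to prevent. Route both paths through the same message constant and confirm that the exception handler for `NotFoundException` does not serialize anything that re-creates the distinction. The catch block also drops the `AccessDeniedException` without a trace, so a denied access attempt is invisible to operations; record it before masking, e.g. `log.warn("view permission denied for dossier {}", dossierId);` (no logger is visible in this hunk, so one may need to be added to the class). Note too that only `org.springframework.security.access.AccessDeniedException` is converted — if `verifyUserHasViewPermissions` signals denial with any other type, that request falls through to default error handling instead of the 404, so a test that pins the denied-to-404 mapping would be worth adding.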