diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ComponentLogController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ComponentLogController.java index ff50b5db4..2165b55e0 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ComponentLogController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ComponentLogController.java @@ -13,6 +13,7 @@ import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RestController; import com.iqser.red.service.persistence.management.v1.processor.exception.BadRequestException; +import com.iqser.red.service.persistence.management.v1.processor.service.AccessControlService; import com.iqser.red.service.persistence.management.v1.processor.service.ComponentLogService; import com.iqser.red.service.persistence.management.v1.processor.service.ComponentOverrideService; import com.iqser.red.service.persistence.management.v1.processor.service.persistence.AuditPersistenceService; @@ -38,11 +39,15 @@ public class ComponentLogController implements ComponentLogResource { ComponentLogService componentLogService; ComponentOverrideService componentOverrideService; AuditPersistenceService auditPersistenceService; + AccessControlService accessControlService; @Override public ComponentLog getComponentLog(String dossierId, String fileId, boolean includeOverrides) { + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); + accessControlService.validateFileResourceExistence(fileId); + return componentLogService.getComponentLog(dossierId, fileId, includeOverrides); } 
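Review bot: `accessControlService.validateFileResourceExistence(fileId)` in `getComponentLog` takes only the file id, so nothing visible in this hunk establishes that the file belongs to the dossier whose view permission was just checked. Unless the validator or `componentLogService.getComponentLog(dossierId, fileId, …)` rejects a mismatched pair (neither implementation is shown), a caller who may view one dossier could pass the id of a file from another. I would make the binding explicit, either by having the validator also receive `dossierId` or by a comment such as `// file-to-dossier membership is enforced in <service method>`. The same two-call pattern recurs in the other ComponentLogController hunks and in DocumentController, EntityLogController and ManualRedactionController, where `manualRedactionService.getManualRedactions(fileId, unprocessed)` and `commentService.getComments(fileId, annotationId)` are called without the dossier id at all.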
@@ -50,6 +55,9 @@ public class ComponentLogController implements ComponentLogResource { @PreAuthorize("hasAuthority('" + GET_RSS + "')") public void addOverrides(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @RequestBody ComponentsOverrides componentsOverrides) { + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); + accessControlService.validateFileResourceExistence(fileId); + if (componentsOverrides.getComponentOverrides() == null || componentsOverrides.getComponentOverrides().isEmpty()) { throw new BadRequestException("Request body cannot be empty!"); } @@ -65,6 +73,8 @@ public class ComponentLogController implements ComponentLogResource { @PreAuthorize("hasAuthority('" + GET_RSS + "')") public ComponentsOverrides getOverrides(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); + accessControlService.validateFileResourceExistence(fileId); return componentOverrideService.getOverrides(dossierId, fileId); } @@ -72,6 +82,9 @@ public class ComponentLogController implements ComponentLogResource { @PreAuthorize("hasAuthority('" + GET_RSS + "')") public void revertOverrides(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @RequestBody RevertOverrideRequest revertOverrideRequest) { + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); + accessControlService.validateFileResourceExistence(fileId); + if (revertOverrideRequest.getComponents() == null || revertOverrideRequest.getComponents().isEmpty()) { throw new BadRequestException("Request body cannot be empty!"); } 
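Review bot: `addOverrides` and `revertOverrides` change data but remain gated by the read-named authority `GET_RSS`, so after this change the dossier ACCESS check is the only thing separating them from the read endpoint `getOverrides`. If a dedicated write authority exists, it belongs in the `@PreAuthorize` of these two methods; otherwise a comment such as `// GET_RSS intentionally covers override writes; object-level write access is enforced below` would record the decision. The annotation lines are context in these hunks, and whether a write authority is defined cannot be seen from here. Keeping the permission calls ahead of the empty-body validation is the right order, since an unauthorised caller then gets no validation feedback.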
diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DictionaryController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DictionaryController.java index 30d2e34c0..bdb313aef 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DictionaryController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DictionaryController.java @@ -23,6 +23,7 @@ import org.springframework.web.bind.annotation.RequestPart; import org.springframework.web.bind.annotation.RestController; import org.springframework.web.multipart.MultipartFile; +import com.iqser.red.service.persistence.management.v1.processor.service.AccessControlService; import com.knecon.fforesight.keycloakcommons.security.KeycloakSecurity; import com.iqser.red.service.persistence.management.v1.processor.exception.BadRequestException; import com.iqser.red.service.persistence.management.v1.processor.service.DictionaryService; @@ -54,6 +55,7 @@ public class DictionaryController implements DictionaryResource { private final DictionaryService dictionaryService; private final AuditPersistenceService auditClient; + private final AccessControlService accessControlService; @Override @@ -80,6 +82,8 @@ public class DictionaryController implements DictionaryResource { if (dossierId == null) { dictionaryService.addGlobalEntries(type, dossierTemplateId, entries, removeCurrent, dictionaryEntryType); } else { + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); + dictionaryService.addDossierEntries(type, dossierTemplateId, entries, removeCurrent, dossierId, dictionaryEntryType); } } 
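Review bot: The dossier check is added inside the `else` branch, immediately before `dictionaryService.addDossierEntries(...)`, so whatever the method does earlier (its start is outside the hunk) still runs for callers without access to the dossier. Consider hoisting it to the first statement as `if (dossierId != null) { accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); }`. `dossierTemplateId` is passed to the service alongside `dossierId`, and nothing shown verifies that it is the template of that dossier; that is worth confirming in the service. The `deleteDossierEntries` hunk in the same file has the same placement.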
@@ -113,6 +117,7 @@ public class DictionaryController implements DictionaryResource { if (dossierId == null) { dictionaryService.deleteGlobalEntries(type, dossierTemplateId, entries, dictionaryEntryType); } else { + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); dictionaryService.deleteDossierEntries(type, dossierTemplateId, entries, dossierId, dictionaryEntryType); } diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DocumentController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DocumentController.java index d9796ac20..f02cea2c5 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DocumentController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DocumentController.java @@ -16,6 +16,7 @@ import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.PathVariable; import org.springframework.web.bind.annotation.RestController; +import com.iqser.red.service.persistence.management.v1.processor.service.AccessControlService; import com.iqser.red.service.persistence.management.v1.processor.service.FileManagementStorageService; import com.iqser.red.service.persistence.management.v1.processor.service.FileStatusService; import com.iqser.red.service.persistence.management.v1.processor.utils.StringEncodingUtils; 
@@ -34,12 +35,17 @@ public class DocumentController implements DocumentResource { private final FileStatusService fileStatusService; private final FileManagementStorageService fileManagementStorageService; + private final AccessControlService accessControlService; @SneakyThrows @PreAuthorize("hasAuthority('" + READ_REDACTION_LOG + "')") public ResponseEntity getDocumentText(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { + // check access to resources and check for deletion + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); + accessControlService.validateFileResourceExistence(fileId); + try { return buildZipFileResponseEntity(fileId, dossierId, FileType.DOCUMENT_TEXT); } catch (FeignException e) { @@ -52,6 +58,10 @@ public class DocumentController implements DocumentResource { @PreAuthorize("hasAuthority('" + READ_REDACTION_LOG + "')") public ResponseEntity getDocumentPositions(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { + // check access to resources and check for deletion + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); + accessControlService.validateFileResourceExistence(fileId); + try { return buildZipFileResponseEntity(fileId, dossierId, FileType.DOCUMENT_POSITION); } catch (FeignException e) { @@ -64,6 +74,9 @@ public class DocumentController implements DocumentResource { @PreAuthorize("hasAuthority('" + READ_REDACTION_LOG + "')") public ResponseEntity getDocumentStructure(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { + // check access to resources and check for deletion + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); + accessControlService.validateFileResourceExistence(fileId); try { return buildZipFileResponseEntity(fileId, dossierId, FileType.DOCUMENT_STRUCTURE); } catch (FeignException e) { 
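Review bot: The same comment and two calls are pasted into `getDocumentText`, `getDocumentPositions` and `getDocumentStructure` here, and again into `getDocumentPages` and `getSimplifiedSectionText` in the following hunks, with inconsistent blank lines after them. A private helper, for example `private void checkViewAccess(String dossierId, String fileId)` wrapping both calls, would keep the five endpoints from drifting apart when the check changes. The comment says "check for deletion", but the method names only convey existence; if `validateFileResourceExistence` also rejects soft-deleted files, say so in the helper's Javadoc, and if it does not, the comment should be reworded.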
@@ -76,6 +89,9 @@ public class DocumentController implements DocumentResource { @PreAuthorize("hasAuthority('" + READ_REDACTION_LOG + "')") public ResponseEntity getDocumentPages(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { + // check access to resources and check for deletion + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); + accessControlService.validateFileResourceExistence(fileId); try { return buildZipFileResponseEntity(fileId, dossierId, FileType.DOCUMENT_PAGES); } catch (FeignException e) { @@ -88,6 +104,10 @@ public class DocumentController implements DocumentResource { @PreAuthorize("hasAuthority('" + READ_REDACTION_LOG + "')") public ResponseEntity getSimplifiedSectionText(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { + // check access to resources and check for deletion + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); + accessControlService.validateFileResourceExistence(fileId); + try { HttpHeaders httpHeaders = new HttpHeaders(); diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java index 6e0428ac8..10d545a50 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java 
@@ -118,9 +118,10 @@ public class DossierAttributesController implements DossierAttributesResource { } - @PreAuthorize("hasAuthority('" + WRITE_FILE_ATTRIBUTES + "') && hasPermission(#dossierId, 'Dossier', 'ACCESS_OBJECT')") + @PreAuthorize("hasAuthority('" + WRITE_FILE_ATTRIBUTES + "')") public DossierAttributes setDossierAttributes(@PathVariable(DOSSIER_ID) String dossierId, @RequestBody DossierAttributes dossierAttributes) { + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.verifyUserIsDossierOwner(dossierId); var result = dossierAttributesManagementService.setDossierAttributes(dossierId, dossierAttributes.getDossierAttributeList()); auditPersistenceService.insertRecord(AuditRequest.builder() @@ -134,9 +135,10 @@ public class DossierAttributesController implements DossierAttributesResource { } - @PreAuthorize("hasAuthority('" + WRITE_DOSSIER_ATTRIBUTES + "') && hasPermission(#dossierId, 'Dossier', 'ACCESS_OBJECT')") + @PreAuthorize("hasAuthority('" + WRITE_DOSSIER_ATTRIBUTES + "')") public DossierAttributes addOrUpdateDossierAttribute(String dossierId, DossierAttribute dossierAttribute) { + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.verifyUserIsDossierOwner(dossierId); DossierAttribute result = dossierAttributesManagementService.addOrUpdateDossierAttribute(dossierId, dossierAttribute); auditPersistenceService.insertRecord(AuditRequest.builder() 
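Review bot: The rewritten annotation on `setDossierAttributes` keeps `WRITE_FILE_ATTRIBUTES`, while `addOrUpdateDossierAttribute` and `deleteDossierAttribute` in the neighbouring hunks require `WRITE_DOSSIER_ATTRIBUTES` for what looks like the same kind of resource. If that is a leftover rather than a deliberate choice, the line should read `@PreAuthorize("hasAuthority('" + WRITE_DOSSIER_ATTRIBUTES + "')")`. Since the commit is already touching this annotation to move the `hasPermission` test into the method body, it is a good moment to settle it. With the object-level check now imperative, a short comment above the first statement noting that it replaces the former `hasPermission(#dossierId, 'Dossier', 'ACCESS_OBJECT')` would help future readers who look for it in the annotation.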
@@ -170,9 +172,10 @@ public class DossierAttributesController implements DossierAttributesResource { } - @PreAuthorize("hasAuthority('" + WRITE_DOSSIER_ATTRIBUTES + "') && hasPermission(#dossierId, 'Dossier', 'ACCESS_OBJECT')") + @PreAuthorize("hasAuthority('" + WRITE_DOSSIER_ATTRIBUTES + "')") public void deleteDossierAttribute(String dossierId, String dossierAttributeId) { + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.verifyUserIsDossierOwner(dossierId); dossierAttributesManagementService.deleteDossierAttribute(dossierId, dossierAttributeId); auditPersistenceService.insertRecord(AuditRequest.builder() diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierController.java index 6eb15122f..bbece0f07 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierController.java @@ -18,7 +18,6 @@ import java.util.Set; import java.util.TreeSet; import java.util.stream.Collectors; -import com.iqser.red.service.persistence.management.v1.processor.exception.NotFoundException; import com.iqser.red.service.persistence.management.v1.processor.service.DossierCreatorService; import org.apache.commons.lang3.StringUtils; 
@@ -42,7 +41,6 @@ import com.iqser.red.service.persistence.management.v1.processor.roles.Applicati import com.iqser.red.service.persistence.management.v1.processor.service.AccessControlService; import com.iqser.red.service.persistence.management.v1.processor.service.DossierManagementService; import com.iqser.red.service.persistence.management.v1.processor.service.FileStatusManagementService; -import com.iqser.red.service.persistence.management.v1.processor.service.FilterByPermissionsService; import com.iqser.red.service.persistence.management.v1.processor.service.persistence.AuditPersistenceService; import com.iqser.red.service.persistence.management.v1.processor.service.persistence.NotificationPersistenceService; import com.iqser.red.service.persistence.management.v1.processor.service.users.UserService; @@ -351,6 +349,7 @@ public class DossierController implements DossierResource { public void deleteDossier(@PathVariable(DOSSIER_ID_PARAM) String dossierId) { Dossier dossier = dossierACLService.enhanceDossierWithACLData(dossierManagementService.getDossierById(dossierId, true, false)); + accessControlService.checkAccessPermissionsToDossier(dossierId); if (dossier.getOwnerId() != null && !dossier.getOwnerId().equals(KeycloakSecurity.getUserId())) { throw new AccessDeniedException("Can not delete dossier that is owned by a different user"); 
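Review bot: In `deleteDossier` the new `accessControlService.checkAccessPermissionsToDossier(dossierId);` runs after `dossierManagementService.getDossierById(dossierId, true, false)` and the ACL enhancement, so a caller without access triggers the lookup first and may see a different error for an existing dossier than for a missing one. Moving the check to be the first statement of the method closes that difference and avoids loading data for unauthorised requests. The same lookup-before-check order appears in ManualRedactionController, in the hunks where `getDossierById(dossierId, false, false)` precedes `checkViewPermissionsToDossier` or `checkAccessPermissionsToDossier`. The method continues outside this hunk.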
@@ -383,11 +382,7 @@ public class DossierController implements DossierResource { @RequestParam(name = INCLUDE_ARCHIVED_PARAM, defaultValue = "false", required = false) boolean includeArchived, @RequestParam(name = INCLUDE_DELETED_PARAM, defaultValue = "false", required = false) boolean includeDeleted) { - try { - accessControlService.verifyUserHasViewPermissions(dossierId); - } catch (AccessDeniedException e) { - throw new NotFoundException("Object not found"); - } + accessControlService.checkViewPermissionsToDossier(dossierId); return dossierACLService.enhanceDossierWithACLData(dossierManagementService.getDossierById(dossierId, includeArchived, includeDeleted)); } @@ -464,6 +459,7 @@ public class DossierController implements DossierResource { @PreAuthorize("hasAuthority('" + UNARCHIVE_DOSSIER + "')") + @PreFilter("hasPermission(filterObject, 'Dossier', 'ACCESS_OBJECT')") public void unarchiveDossiers(@RequestBody Set dossierIds) { dossierManagementService.unarchiveDossiers(dossierIds); @@ -480,6 +476,7 @@ public class DossierController implements DossierResource { @PreAuthorize("hasAuthority('" + DELETE_DOSSIER + "')") + @PreFilter("hasPermission(filterObject, 'Dossier', 'ACCESS_OBJECT')") public void hardDeleteDossiers(@RequestParam(DOSSIER_ID_PARAM) Set dossierIds) { var filteredDossierIds = filterDossierIdsByOwnedKeepUnowned(dossierIds); @@ -500,6 +497,7 @@ public class DossierController implements DossierResource { @PreAuthorize("hasAuthority('" + DELETE_DOSSIER + "')") + @PreFilter("hasPermission(filterObject, 'Dossier', 'ACCESS_OBJECT')") public void undeleteDossiers(@RequestBody Set dossierIds) { var filteredDossierIds = filterDossierIdsByOwnedKeepUnowned(dossierIds); 
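Review bot: `@PreFilter("hasPermission(filterObject, 'Dossier', 'ACCESS_OBJECT')")` on `unarchiveDossiers`, `hardDeleteDossiers` and `undeleteDossiers` silently removes ids the caller may not access, and because all three return `void`, a request in which every id was dropped still completes as a success. For destructive bulk operations that makes a denied attempt indistinguishable from a completed one, both for the client and in whatever audit record is written later in these methods (outside the hunks). Consider rejecting the request when any id is filtered out, or at least document the behaviour with `// ids without ACCESS_OBJECT are dropped by @PreFilter; the call still succeeds`. `@PreFilter` also mutates the argument in place, so the bound `Set` must be a mutable implementation.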
diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierStatsController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierStatsController.java index 6ec2b86af..860a6cd5c 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierStatsController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierStatsController.java @@ -12,6 +12,7 @@ import org.springframework.web.bind.annotation.PathVariable; import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RestController; +import com.iqser.red.service.persistence.management.v1.processor.service.AccessControlService; import com.iqser.red.service.persistence.management.v1.processor.service.DossierStatsService; import com.iqser.red.service.persistence.service.v1.api.external.resource.DossierStatsResource; import com.iqser.red.service.persistence.service.v1.api.shared.model.DossierStats; @@ -26,12 +27,14 @@ import lombok.extern.slf4j.Slf4j; public class DossierStatsController implements DossierStatsResource { private final DossierStatsService dossierStatsService; + private final AccessControlService accessControlService; @Override - @PreAuthorize("hasAuthority('" + READ_DOSSIER + "') && hasPermission(#dossierId, 'Dossier', 'VIEW_OBJECT')") + @PreAuthorize("hasAuthority('" + READ_DOSSIER + "')") public DossierStats getDossierStats(@PathVariable(DOSSIER_ID_PARAM) String dossierId) { + accessControlService.checkViewPermissionsToDossier(dossierId); return dossierStatsService.getDossierStats(dossierId); } 
diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/EntityLogController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/EntityLogController.java index aaea93cdf..3756c8b93 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/EntityLogController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/EntityLogController.java @@ -10,6 +10,7 @@ import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RestController; +import com.iqser.red.service.persistence.management.v1.processor.service.AccessControlService; import com.iqser.red.service.persistence.management.v1.processor.service.EntityLogService; import com.iqser.red.service.persistence.service.v1.api.external.resource.EntityLogResource; import com.iqser.red.service.persistence.service.v1.api.shared.model.analysislog.entitylog.EntityLog; @@ -22,6 +23,7 @@ import lombok.RequiredArgsConstructor; public class EntityLogController implements EntityLogResource { private final EntityLogService entityLogService; + private final AccessControlService accessControlService; @PreAuthorize("hasAuthority('" + READ_REDACTION_LOG + "')") 
@@ -30,6 +32,8 @@ public class EntityLogController implements EntityLogResource { @RequestParam(value = "excludedType", required = false) List excludedTypes, @RequestParam(value = "includeUnprocessed", required = false, defaultValue = FALSE) boolean includeUnprocessed) { + accessControlService.checkAccessPermissionsToDossier(dossierId); + accessControlService.validateFileResourceExistence(fileId); return entityLogService.getEntityLog(dossierId, fileId, excludedTypes, includeUnprocessed); } @@ -39,6 +43,8 @@ public class EntityLogController implements EntityLogResource { @PathVariable(FILE_ID) String fileId, @RequestBody FilteredEntityLogRequest filteredEntityLogRequest) { + accessControlService.checkAccessPermissionsToDossier(dossierId); + accessControlService.validateFileResourceExistence(fileId); return entityLogService.getFilteredEntityLog(dossierId, fileId, filteredEntityLogRequest); } diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/FileManagementController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/FileManagementController.java index 6611e1934..cb082957e 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/FileManagementController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/FileManagementController.java 
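Review bot: Both entity-log endpoints only read data, yet they call `checkAccessPermissionsToDossier(dossierId)`, whereas the read endpoints in DocumentController and ComponentLogController use `checkDossierExistenceAndViewPermissionsToDossier(dossierId)`. If users with view-only rights are meant to read the entity log, these two lines should become `accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId);`; if the stricter requirement is intended, a one-line comment saying so would prevent it from being "fixed" later. The variant used here also omits the existence part of the other helper, so behaviour for a deleted dossier may differ from the other read paths; the helper bodies are not shown, so this needs confirming.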
@@ -78,6 +78,7 @@ public class FileManagementController implements FileManagementResource { @PreAuthorize("hasAuthority('" + DELETE_FILE + "')") public void deleteFile(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { + accessControlService.checkAccessPermissionsToDossier(dossierId); fileService.deleteFile(dossierId, fileId); auditPersistenceService.audit(AuditRequest.builder() .userId(KeycloakSecurity.getUserId()) @@ -94,6 +95,7 @@ public class FileManagementController implements FileManagementResource { @PreAuthorize("hasAuthority('" + DELETE_FILE + "')") public void deleteFiles(@PathVariable(DOSSIER_ID) String dossierId, @RequestBody List fileIds) { + accessControlService.checkAccessPermissionsToDossier(dossierId); List errorIds = new ArrayList<>(); for (String fileId : fileIds) { try { @@ -122,6 +124,7 @@ public class FileManagementController implements FileManagementResource { @PathVariable(FILE_ID) String fileId, @RequestParam(value = "inline", required = false, defaultValue = FALSE) boolean inline) { + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); return getResponseEntityForPDFDocument(fileId, dossierId, FileType.ORIGIN, inline); } @@ -133,6 +136,7 @@ public class FileManagementController implements FileManagementResource { @PathVariable(FILE_ID) String fileId, @RequestParam(value = "inline", required = false, defaultValue = FALSE) boolean inline) { + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); // Viewer Document Returns if (storageService.objectExists(TenantContext.getTenantId(), StorageIdUtils.getStorageId(dossierId, fileId, FileType.VIEWER_DOCUMENT))) { return getResponseEntityForPDFDocument(fileId, dossierId, FileType.VIEWER_DOCUMENT, inline); 
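Review bot: The hunks in this file mix two helper variants with no visible reason: `deleteFile`, `deleteFiles` and `restoreFiles` call `checkAccessPermissionsToDossier`, while `hardDeleteFiles` and `rotatePages` in the following hunks call `checkDossierExistenceAndAccessPermissionsToDossier`. A comment at each call site, or Javadoc on the helpers stating when the existence variant is required, would make the choice reviewable. The two download hunks (`FileType.ORIGIN` and `FileType.VIEWER_DOCUMENT`) add the dossier view check but not `accessControlService.validateFileResourceExistence(fileId);`, which DocumentController adds for its read endpoints. If deleted files must not be downloadable, that line is missing here.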
@@ -177,6 +181,7 @@ public class FileManagementController implements FileManagementResource { @PreAuthorize("hasAuthority('" + DELETE_FILE + "')") public void hardDeleteFiles(@PathVariable(DOSSIER_ID) String dossierId, @RequestParam(FILE_IDS) Set fileIds) { + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); for (String fileId : fileIds) { if (fileStatusManagementService.getFileStatus(fileId).getAssignee() != null) { accessControlService.verifyUserIsReviewerOrApprover(dossierId, fileId); @@ -197,6 +202,7 @@ public class FileManagementController implements FileManagementResource { @PreAuthorize("hasAuthority('" + DELETE_FILE + "')") public void restoreFiles(@PathVariable(DOSSIER_ID) String dossierId, @RequestBody Set fileIds) { + accessControlService.checkAccessPermissionsToDossier(dossierId); verifyUserIsDossierOwnerOrApproverOrAssignedReviewer(dossierId, fileIds); fileService.undeleteFiles(dossierId, fileIds); auditPersistenceService.audit(AuditRequest.builder() @@ -213,6 +219,7 @@ public class FileManagementController implements FileManagementResource { @PreAuthorize("hasAuthority('" + ROTATE_PAGE + "')") public void rotatePages(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @RequestBody RotatePagesRequest rotatePagesRequest) { + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); accessControlService.verifyUserIsReviewer(dossierId, fileId); diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/HighlightsController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/HighlightsController.java index ebd8c704a..90174cd1c 100644 
--- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/HighlightsController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/HighlightsController.java @@ -49,6 +49,7 @@ public class HighlightsController implements HighlightsResource { @PreAuthorize("hasAuthority('" + GET_HIGHLIGHTS + "')") public Highlights getHighlights(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); fileStatusService.getStatus(fileId); if (storageService.objectExists(TenantContext.getTenantId(), getStorageId(dossierId, fileId, FileType.TEXT_HIGHLIGHTS))) { @@ -67,6 +68,7 @@ public class HighlightsController implements HighlightsResource { public void convertHighlights(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @RequestBody AnnotationIds annotationIds) { try { + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.verifyUserIsReviewerOrApprover(dossierId, fileId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); @@ -81,6 +83,7 @@ public class HighlightsController implements HighlightsResource { public void deleteHighlights(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @RequestBody AnnotationIds annotationIds) { try { + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.verifyUserIsReviewerOrApprover(dossierId, fileId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); 
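Review bot: In `convertHighlights` and `deleteHighlights`, and in `deleteImportedRedactions` in the next hunk, the new `checkAccessPermissionsToDossier(dossierId)` call is placed inside the existing `try {` block, whose `catch` lies outside the hunks. If that handler catches a broad exception type, the access-denied or not-found result of the check could be rewrapped into a different status and lose its meaning for the client and for logs. Placing the call on the line before `try {` avoids depending on the handler. `getHighlights` uses the `checkDossierExistenceAndViewPermissionsToDossier` variant while these three use the variant without the existence part; a comment explaining the difference would help.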
@@ -96,6 +99,7 @@ public class HighlightsController implements HighlightsResource { public void deleteImportedRedactions(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @RequestBody AnnotationIds annotationIds) { try { + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.verifyUserIsReviewerOrApprover(dossierId, fileId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ManualRedactionController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ManualRedactionController.java index 13f01ba30..1dc10b509 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ManualRedactionController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ManualRedactionController.java @@ -79,6 +79,7 @@ public class ManualRedactionController implements ManualRedactionResource { @RequestBody Set annotationIds, @RequestParam(value = "includeUnprocessed", required = false, defaultValue = FALSE) boolean includeUnprocessed) { + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); accessControlService.verifyUserIsApprover(dossierId); manualRedactionUndoService.undo(dossierId, fileId, annotationIds, includeUnprocessed); 
@@ -93,6 +94,7 @@ public class ManualRedactionController implements ManualRedactionResource { @PathVariable(ANNOTATION_ID) String annotationId, @PathVariable(COMMENT_ID) String commentId) { + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); accessControlService.verifyUserIsReviewerOrApprover(dossierId, fileId); @@ -114,6 +116,8 @@ public class ManualRedactionController implements ManualRedactionResource { @PathVariable(FILE_ID) String fileId, @RequestParam(value = "unprocessed", required = false, defaultValue = FALSE) boolean unprocessed) { + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); + accessControlService.validateFileResourceExistence(fileId); return manualRedactionService.getManualRedactions(fileId, unprocessed); } @@ -123,6 +127,7 @@ public class ManualRedactionController implements ManualRedactionResource { public AnnotationComments getComments(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @PathVariable(ANNOTATION_ID) String annotationId) { dossierManagementService.getDossierById(dossierId, false, false); + accessControlService.checkViewPermissionsToDossier(dossierId); fileStatusManagementService.getFileStatus(fileId, false); List comments = commentService.getComments(fileId, annotationId); @@ -137,6 +142,7 @@ public class ManualRedactionController implements ManualRedactionResource { @PathVariable(ANNOTATION_ID) String annotationId, @RequestBody AddCommentRequestModel addCommentRequest) { + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); accessControlService.verifyUserIsReviewerOrApprover(dossierId, fileId); 
@@ -161,7 +167,7 @@ public class ManualRedactionController implements ManualRedactionResource { @RequestBody Set addRedactionRequests) { var dossier = dossierManagementService.getDossierById(dossierId, false, false); - + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); if (addRedactionRequests.stream().anyMatch(AddRedactionRequestModel::isAddToAllDossiers)) { accessControlService.verifyUserIsApprover(dossierId); @@ -191,6 +197,7 @@ public class ManualRedactionController implements ManualRedactionResource { @RequestParam(value = "includeUnprocessed", required = false, defaultValue = FALSE) boolean includeUnprocessed) { var dossier = dossierManagementService.getDossierById(dossierId, false, false); + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); if (removeRedactionRequests.stream().anyMatch(RemoveRedactionRequestModel::isRemoveFromAllDossiers)) { accessControlService.verifyUserIsApprover(dossierId); @@ -218,6 +225,7 @@ public class ManualRedactionController implements ManualRedactionResource { @PathVariable(FILE_ID) String fileId, @RequestBody Set forceRedactionRequests) { + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); accessControlService.verifyUserIsMemberOrApprover(dossierId); @@ -241,6 +249,7 @@ public class ManualRedactionController implements ManualRedactionResource { @PathVariable(FILE_ID) String fileId, @RequestBody Set legalBasisChangeRequests) { + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); accessControlService.verifyUserIsMemberOrApprover(dossierId); 
@@ -267,6 +276,7 @@ public class ManualRedactionController implements ManualRedactionResource { @RequestParam(value = "includeUnprocessed", required = false, defaultValue = FALSE) boolean includeUnprocessed) { var dossier = dossierManagementService.getDossierById(dossierId, false, false); + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); accessControlService.verifyUserIsMemberOrApprover(dossierId); @@ -292,6 +302,7 @@ public class ManualRedactionController implements ManualRedactionResource { @RequestBody Set resizeRedactionRequests, @RequestParam(value = "includeUnprocessed", required = false, defaultValue = FALSE) boolean includeUnprocessed) { + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); accessControlService.verifyUserIsMemberOrApprover(dossierId); diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ReanalysisController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ReanalysisController.java index 02efcdddf..d343d0a31 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ReanalysisController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ReanalysisController.java 
@@ -45,13 +45,7 @@ public class ReanalysisController implements ReanalysisResource { @PreAuthorize("hasAuthority('" + REANALYZE_DOSSIER + "')") public void reanalyzeDossier(@PathVariable(DOSSIER_ID) String dossierId, @RequestParam(value = FORCE_PARAM, required = false, defaultValue = FALSE) boolean force) { - try { - accessControlService.verifyUserHasViewPermissions(dossierId); - } catch (AccessDeniedException e) { - throw new NotFoundException("Object not found"); - } - - accessControlService.verifyUserHasAccessPermissions(dossierId); + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); reanalysisService.reanalyzeDossier(dossierId, force); auditPersistenceService.audit(AuditRequest.builder() @@ -102,13 +96,8 @@ public class ReanalysisController implements ReanalysisResource { @PreAuthorize("hasAuthority('" + REANALYZE_DOSSIER + "')") public void ocrDossier(@PathVariable(DOSSIER_ID) String dossierId) { - try { - accessControlService.verifyUserHasViewPermissions(dossierId); - } catch (AccessDeniedException e) { - throw new NotFoundException("Object not found"); - } + accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId); - accessControlService.verifyUserHasAccessPermissions(dossierId); reanalysisService.ocrDossier(dossierId); auditPersistenceService.audit(AuditRequest.builder() diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/StatusController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/StatusController.java index 90e5c5c1c..7b02a6e94 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/StatusController.java 
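Review bot: The block removed from `reanalyzeDossier` (and from `ocrDossier` in `@@ -102`, and from `generateStatusReport` in StatusReportController) mapped a denied view permission to `NotFoundException("Object not found")`, and the two reanalysis methods then enforced access permission as a separate step; this hunk does not show whether `checkDossierExistenceAndAccessPermissionsToDossier` keeps that split. A short comment at the call would make the contract reviewable, for example `// not found if the dossier is missing or not viewable; access denied if viewable without access rights`, to be confirmed against AccessControlService, and a test with a user who can view but not access the dossier would pin it. If `AccessDeniedException` and `NotFoundException` are not used elsewhere in this file, their imports are now unused; no import hunk is shown for it.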
+++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/StatusController.java @@ -149,6 +149,7 @@ public class StatusController implements StatusResource { @PreAuthorize("hasAuthority('" + READ_FILE_STATUS + "')") public FileStatus getFileStatus(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); return FileStatusMapper.toFileStatus(fileStatusManagementService.getFileStatus(fileId)); } @@ -159,6 +160,7 @@ public class StatusController implements StatusResource { @PathVariable(FILE_ID) String fileId, @RequestParam(name = ASSIGNEE_ID_REQUEST_PARAM, required = false) String assigneeId) { + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.verifyUserIsMemberOrApprover(dossierId); log.debug("Requested [setFileReviewer] for dossier: {} / file: {} / reviewer: {}", dossierId, fileId, assigneeId); @@ -238,6 +240,7 @@ public class StatusController implements StatusResource { @PathVariable(FILE_ID) String fileId, @RequestParam(value = ASSIGNEE_ID_REQUEST_PARAM, required = false) String assigneeId) { + accessControlService.checkAccessPermissionsToDossier(dossierId); var fileStatus = fileStatusManagementService.getFileStatus(fileId); setStatusUnderReviewForFile(dossierId, fileId, assigneeId); @@ -267,6 +270,7 @@ public class StatusController implements StatusResource { @PathVariable(FILE_ID) String fileId, @RequestParam(name = ASSIGNEE_ID_REQUEST_PARAM, required = false) String assigneeId) { + accessControlService.checkAccessPermissionsToDossier(dossierId); var fileStatus = fileStatusManagementService.getFileStatus(fileId); setStatusUnderApprovalForFile(dossierId, fileId, assigneeId); 
@@ -295,6 +299,7 @@ public class StatusController implements StatusResource { @PreAuthorize("hasAuthority('" + SET_STATUS_APPROVED + "')") public void setStatusApproved(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.verifyUserIsApprover(dossierId); setStatusApprovedForFile(dossierId, fileId); auditPersistenceService.audit(AuditRequest.builder() @@ -403,6 +408,7 @@ public class StatusController implements StatusResource { @PreAuthorize("hasAuthority('" + SET_REVIEWER + "')") public void setStatusNewForList(@PathVariable(DOSSIER_ID) String dossierId, @RequestBody List fileIds) { + accessControlService.checkAccessPermissionsToDossier(dossierId); for (var fileId : fileIds) { accessControlService.verifyUserIsReviewerOrApprover(dossierId, fileId); var fileStatus = fileStatusManagementService.getFileStatus(fileId); diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/StatusReportController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/StatusReportController.java index 547832cdb..55db7bf9e 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/StatusReportController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/StatusReportController.java 
@@ -41,11 +41,7 @@ public class StatusReportController implements StatusReportResource { @PreAuthorize("hasAuthority('" + READ_DOSSIER + "')") public ResponseEntity generateStatusReport(@PathVariable(DOSSIER_ID) String dossierId) { - try { - accessControlService.verifyUserHasViewPermissions(dossierId); - } catch (AccessDeniedException e) { - throw new NotFoundException("Object not found"); - } + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); try { StatusReportResponse statusReportResponse = statusReportClient.generateStatusReport(dossierId); diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/UploadController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/UploadController.java index 5e7c22d28..f57d0a1c1 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/UploadController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/UploadController.java @@ -67,6 +67,7 @@ public class UploadController implements UploadResource { @PathVariable(DOSSIER_ID) String dossierId, @RequestParam(value = "keepManualRedactions", required = false, defaultValue = "false") boolean keepManualRedactions) { + accessControlService.checkAccessPermissionsToDossier(dossierId); if (file.getOriginalFilename() == null) { throw new BadRequestException("Could not upload file, no filename provided."); } 
@@ -100,6 +101,7 @@ public class UploadController implements UploadResource { @PathVariable(FILE_ID) String fileId, @RequestParam(value = "pageInclusionRequest", required = false) Set pageInclusionRequest) { + accessControlService.checkAccessPermissionsToDossier(dossierId); accessControlService.verifyFileIsNotApproved(dossierId, fileId); accessControlService.verifyUserIsReviewerOrApprover(dossierId, fileId); diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/VersionsController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/VersionsController.java index af36f1e29..a0b33bf7e 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/VersionsController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/VersionsController.java @@ -11,6 +11,7 @@ import org.springframework.web.bind.annotation.PathVariable; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RestController; +import com.iqser.red.service.persistence.management.v1.processor.service.AccessControlService; import com.iqser.red.service.persistence.management.v1.processor.service.persistence.DictionaryPersistenceService; import com.iqser.red.service.persistence.management.v1.processor.service.persistence.RulesPersistenceService; import com.iqser.red.service.persistence.service.v1.api.external.resource.VersionsResource; 
@@ -25,6 +26,7 @@ public class VersionsController implements VersionsResource { private final DictionaryPersistenceService dictionaryPersistenceService; private final RulesPersistenceService rulesPersistenceService; + private final AccessControlService accessControlService; @Override @@ -45,6 +47,7 @@ public class VersionsController implements VersionsResource { @PreAuthorize("hasAuthority('" + READ_VERSIONS + "')") public Long getDossierDictionaryVersion(@PathVariable(DOSSIER_TEMPLATE_PARAMETER_NAME) String dossierTemplateId, @PathVariable(DOSSIER_ID_PARAM) String dossierId) { + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); return dictionaryPersistenceService.getVersionForDossier(dossierId); } diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ViewedPagesController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ViewedPagesController.java index 246d3666e..37f6b926c 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ViewedPagesController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ViewedPagesController.java 
@@ -36,6 +36,7 @@ public class ViewedPagesController implements ViewedPagesResource { @PreAuthorize("hasAuthority('" + MANAGE_VIEWED_PAGES + "')") public void addPage(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @RequestBody ViewedPagesRequest viewedPagesRequest) { + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); accessControlService.verifyUserIsReviewer(dossierId, fileId); viewedPagesPersistenceService.insertPage(fileId, KeycloakSecurity.getUserId(), viewedPagesRequest.getPage()); } @@ -44,6 +45,7 @@ public class ViewedPagesController implements ViewedPagesResource { @PreAuthorize("hasAuthority('" + MANAGE_VIEWED_PAGES + "')") public void removePage(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @PathVariable(PAGE) int page) { + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); accessControlService.verifyUserIsReviewer(dossierId, fileId); viewedPagesPersistenceService.removePage(fileId, KeycloakSecurity.getUserId(), page); } @@ -52,6 +54,7 @@ public class ViewedPagesController implements ViewedPagesResource { @PreAuthorize("hasAuthority('" + MANAGE_VIEWED_PAGES + "')") public ViewedPages getViewedPages(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId) { + accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId); accessControlService.verifyUserIsReviewer(dossierId, fileId); try { var pages = MagicConverter.convert(viewedPagesPersistenceService.findViewedPages(fileId, KeycloakSecurity.getUserId()), ViewedPage.class); 
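Review bot: `addPage` and `removePage` change stored state but are guarded with the view-level `checkDossierExistenceAndViewPermissionsToDossier(dossierId)`, whereas the mutating endpoints in ManualRedactionController and StatusController in this commit use the access-level checks. That may be intended, since the rows are keyed by `KeycloakSecurity.getUserId()` and `verifyUserIsReviewer(dossierId, fileId)` follows, but it should be stated: `// view permission is sufficient: viewed pages are per-user state, reviewer role is checked below`. If it is not intended, the first line of both methods would become `accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId);`. The body of `getViewedPages` continues outside its hunk.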
diff --git a/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/ComponentLogResource.java b/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/ComponentLogResource.java index e97a6428c..4dc21ce73 100644 --- a/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/ComponentLogResource.java +++ b/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/ComponentLogResource.java @@ -45,7 +45,7 @@ public interface ComponentLogResource { @ResponseStatus(value = HttpStatus.NO_CONTENT) @PostMapping(value = COMPONENT_LOG_PATH + OVERRIDE_PATH + DOSSIER_ID_PATH_VARIABLE + FILE_ID_PATH_VARIABLE, consumes = MediaType.APPLICATION_JSON_VALUE) @Operation(summary = "Adds overrides for components", description = "None") - @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK")}) + @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK"), @ApiResponse(responseCode = "404", description = "Not found")}) void addOverrides(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @RequestBody ComponentsOverrides componentsOverrides); 
@@ -53,7 +53,7 @@ public interface ComponentLogResource { @ResponseStatus(value = HttpStatus.OK) @GetMapping(value = COMPONENT_LOG_PATH + OVERRIDE_PATH + DOSSIER_ID_PATH_VARIABLE + FILE_ID_PATH_VARIABLE, produces = MediaType.APPLICATION_JSON_VALUE) @Operation(summary = "Gets overrides for components", description = "None") - @ApiResponses(value = {@ApiResponse(responseCode = "200", description = "OK")}) + @ApiResponses(value = {@ApiResponse(responseCode = "200", description = "OK"), @ApiResponse(responseCode = "404", description = "Not found")}) ComponentsOverrides getOverrides(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId); @@ -61,7 +61,7 @@ public interface ComponentLogResource { @ResponseStatus(value = HttpStatus.NO_CONTENT) @PostMapping(value = COMPONENT_LOG_PATH + OVERRIDE_PATH + "/revert" + DOSSIER_ID_PATH_VARIABLE + FILE_ID_PATH_VARIABLE, consumes = MediaType.APPLICATION_JSON_VALUE) @Operation(summary = "Reverts overrides for components", description = "None") - @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK")}) + @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK"), @ApiResponse(responseCode = "404", description = "Not found")}) void revertOverrides(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @RequestBody RevertOverrideRequest revertOverrideRequest); } diff --git a/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/DictionaryResource.java b/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/DictionaryResource.java index 16b640b8e..7f9e9837b 100644 --- a/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/DictionaryResource.java 
+++ b/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/DictionaryResource.java @@ -129,7 +129,7 @@ public interface DictionaryResource { @GetMapping(value = TYPE_PATH + DOSSIER_TEMPLATE_PATH_VARIABLE, produces = MediaType.APPLICATION_JSON_VALUE) @Operation(summary = "Retrieve all entry types", description = "None") - @ApiResponses(value = {@ApiResponse(responseCode = "200", description = "Successfully retrieved all the entry types")}) + @ApiResponses(value = {@ApiResponse(responseCode = "200", description = "Successfully retrieved all the entry types"), @ApiResponse(responseCode = "404", description = "Not found")}) TypeResponse getAllTypes(@PathVariable(DOSSIER_TEMPLATE_PARAMETER_NAME) String dossierTemplateId, @RequestParam(value = DOSSIER_ID_PARAMETER_NAME, required = false) String dossierId, @RequestParam(value = INCLUDE_DELETED_PARAMETER_NAME, required = false, defaultValue = "false") boolean includeDeleted); diff --git a/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/DossierAttributesResource.java b/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/DossierAttributesResource.java index 2abaa7846..b0d3ece93 100644 --- a/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/DossierAttributesResource.java +++ b/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/DossierAttributesResource.java 
@@ -85,7 +85,7 @@ public interface DossierAttributesResource { @Operation(summary = "Set dossier attributes to an existing dossier", description = "None") - @ApiResponses(value = {@ApiResponse(responseCode = "200", description = "OK")}) + @ApiResponses(value = {@ApiResponse(responseCode = "200", description = "OK"), @ApiResponse(responseCode = "404", description = "Not found")}) @PostMapping(value = DOSSIER_ATTRIBUTES_PATH + SET_PATH + DOSSIER_ID_PATH_VARIABLE, consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE) DossierAttributes setDossierAttributes(@PathVariable(DOSSIER_ID) String dossierId, @RequestBody DossierAttributes dossierAttributes); @@ -94,7 +94,7 @@ public interface DossierAttributesResource { @ResponseBody @ResponseStatus(HttpStatus.OK) @Operation(summary = "Add or update a dossier attribute in existing dossier.", description = "None") - @ApiResponses(value = {@ApiResponse(responseCode = "200", description = "OK")}) + @ApiResponses(value = {@ApiResponse(responseCode = "200", description = "OK"), @ApiResponse(responseCode = "404", description = "Not found")}) @PostMapping(value = DOSSIER_ATTRIBUTES_PATH + UPDATE_PATH + DOSSIER_ID_PATH_VARIABLE, consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE) DossierAttributes addOrUpdateDossierAttribute(@PathVariable(DOSSIER_ID) String dossierId, @RequestBody DossierAttribute dossierAttribute); 
@@ -102,7 +102,7 @@ public interface DossierAttributesResource { @ResponseStatus(HttpStatus.OK) @Operation(summary = "Get the dossier attributes.", description = "None") - @ApiResponses(value = {@ApiResponse(responseCode = "200", description = "OK")}) + @ApiResponses(value = {@ApiResponse(responseCode = "200", description = "OK"), @ApiResponse(responseCode = "404", description = "Not found")}) @GetMapping(value = DOSSIER_ATTRIBUTES_PATH + DOSSIER_ID_PATH_VARIABLE, produces = MediaType.APPLICATION_JSON_VALUE) DossierAttributes getDossierAttributes(@PathVariable(DOSSIER_ID) String dossierId); @@ -111,7 +111,7 @@ public interface DossierAttributesResource { @ResponseBody @ResponseStatus(HttpStatus.NO_CONTENT) @Operation(summary = "Delete a specific dossier attribute.", description = "None") - @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "NO_CONTENT")}) + @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "NO_CONTENT"), @ApiResponse(responseCode = "404", description = "Not found")}) @DeleteMapping(value = DOSSIER_ATTRIBUTES_PATH + SET_PATH + DOSSIER_ID_PATH_VARIABLE + DOSSIER_ATTRIBUTE_ID_PATH) void deleteDossierAttribute(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(DOSSIER_ATTRIBUTE_ID) String dossierAttributeId); diff --git a/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/FileManagementResource.java b/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/FileManagementResource.java index e1c6535e2..be338d82a 100644 --- a/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/FileManagementResource.java 
+++ b/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/FileManagementResource.java 
@@ -43,21 +43,21 @@ public interface FileManagementResource { @ResponseStatus(value = HttpStatus.NO_CONTENT) @DeleteMapping(value = DELETE_PATH + DOSSIER_ID_PATH_VARIABLE + FILE_ID_PATH_VARIABLE) @Operation(summary = "Deletes a file for a given dossierId and FileId", description = "None") - @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK")}) + @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK"), @ApiResponse(responseCode = "404", description = "Not found")}) void deleteFile(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId); @ResponseStatus(value = HttpStatus.NO_CONTENT) @PostMapping(value = DELETE_PATH + DOSSIER_ID_PATH_VARIABLE) @Operation(summary = "Deletes a a list of files for a given dossierId", description = "None") - @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK")}) + @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK"), @ApiResponse(responseCode = "404", description = "Not found")}) void deleteFiles(@PathVariable(DOSSIER_ID) String dossierId, @RequestBody List fileIds); @ResponseBody @ResponseStatus(value = HttpStatus.OK) @Operation(summary = "Returns a downloadable byte stream of the original file with the specified fileId", description = "Use the optional \"inline\" request parameter to select, if this downloadAnnotated will be opened in the browser.") - @ApiResponses(value = {@ApiResponse(responseCode = "200", description = "OK"), @ApiResponse(responseCode = "400", description = "Could not prepare file download.")}) + @ApiResponses(value = {@ApiResponse(responseCode = "200", description = "OK"), @ApiResponse(responseCode = "400", description = "Could not prepare file download."), @ApiResponse(responseCode = "404", description = "Not found")}) @GetMapping(value = DOWNLOAD_ORIGINAL_PATH + DOSSIER_ID_PATH_VARIABLE + FILE_ID_PATH_VARIABLE) ResponseEntity downloadOriginal(@PathVariable(DOSSIER_ID) String dossierId, 
@PathVariable(FILE_ID) String fileId, @@ -67,7 +67,7 @@ public interface FileManagementResource { @ResponseBody @ResponseStatus(value = HttpStatus.OK) @Operation(summary = "Returns a downloadable byte stream of the viewer document file with the specified fileId", description = "Use the optional \"inline\" request parameter to select, if this downloadAnnotated will be opened in the browser.") - @ApiResponses(value = {@ApiResponse(responseCode = "200", description = "OK"), @ApiResponse(responseCode = "400", description = "Could not prepare file download.")}) + @ApiResponses(value = {@ApiResponse(responseCode = "200", description = "OK"), @ApiResponse(responseCode = "400", description = "Could not prepare file download."), @ApiResponse(responseCode = "404", description = "Not found")}) @GetMapping(value = DOWNLOAD_VIEWER_DOCUMENT_PATH + DOSSIER_ID_PATH_VARIABLE + FILE_ID_PATH_VARIABLE) ResponseEntity downloadViewerDocument(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, 
@@ -85,14 +85,14 @@ public interface FileManagementResource { @ResponseStatus(value = HttpStatus.CREATED) @PostMapping(value = UNDELETE_PATH + DOSSIER_ID_PATH_VARIABLE, consumes = MediaType.APPLICATION_JSON_VALUE) @Operation(summary = "Restores an deleted file.", description = "None") - @ApiResponses(value = {@ApiResponse(responseCode = "201", description = "File successfully restored."), @ApiResponse(responseCode = "400", description = "Incorrect dossier ID or file ID entered to restore file."), @ApiResponse(responseCode = "403", description = "Forbidden operation while restoring."), @ApiResponse(responseCode = "409", description = "Conflict occurred while restoring.")}) + @ApiResponses(value = {@ApiResponse(responseCode = "201", description = "File successfully restored."), @ApiResponse(responseCode = "400", description = "Incorrect dossier ID or file ID entered to restore file."), @ApiResponse(responseCode = "403", description = "Forbidden operation while restoring."), @ApiResponse(responseCode = "409", description = "Conflict occurred while restoring."), @ApiResponse(responseCode = "404", description = "Not found")}) void restoreFiles(@PathVariable(DOSSIER_ID) String dossierId, @RequestBody Set fileIds); @ResponseStatus(value = HttpStatus.NO_CONTENT) @PostMapping(value = ROTATION_PATH + DOSSIER_ID_PATH_VARIABLE + FILE_ID_PATH_VARIABLE, consumes = MediaType.APPLICATION_JSON_VALUE) @Operation(summary = "Rotates one or more pages for one file.", description = "None") - @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "Pages successfully rotated."), @ApiResponse(responseCode = "400", description = "Incorrect dossier ID, file ID, pages or rotation entered."), @ApiResponse(responseCode = "403", description = "Forbidden operation while rotating.")}) + @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "Pages successfully rotated."), @ApiResponse(responseCode = "400", description = "Incorrect dossier ID, file ID, pages or 
rotation entered."), @ApiResponse(responseCode = "403", description = "Forbidden operation while rotating."), @ApiResponse(responseCode = "404", description = "Not found")}) void rotatePages(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @RequestBody RotatePagesRequest rotatePagesRequest); } diff --git a/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/HighlightsResource.java b/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/HighlightsResource.java index a6c240fe2..1a041221c 100644 --- a/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/HighlightsResource.java +++ b/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/HighlightsResource.java 
@@ -34,28 +34,28 @@ public interface HighlightsResource { @ResponseStatus(value = HttpStatus.OK) @Operation(summary = "Gets available highlights for the file", description = "None") - @ApiResponses(value = {@ApiResponse(responseCode = "200", description = "OK")}) + @ApiResponses(value = {@ApiResponse(responseCode = "200", description = "OK"), @ApiResponse(responseCode = "404", description = "Not found")}) @GetMapping(value = DOSSIERS_PATH + DOSSIER_ID_PATH_VARIABLE + FILES_PATH + FILE_ID_PATH_VARIABLE + HIGHLIGHTS_PATH, produces = MediaType.APPLICATION_JSON_VALUE) Highlights getHighlights(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId); @ResponseStatus(value = HttpStatus.NO_CONTENT) @Operation(summary = "Converts highlights to imported redactions", description = "None") - @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK")}) + @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK"), @ApiResponse(responseCode = "404", description = "Not found")}) @PostMapping(value = DOSSIERS_PATH + DOSSIER_ID_PATH_VARIABLE + FILES_PATH + FILE_ID_PATH_VARIABLE + HIGHLIGHTS_PATH + CONVERT_PATH, consumes = MediaType.APPLICATION_JSON_VALUE) void convertHighlights(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @RequestBody AnnotationIds annotationIds); @ResponseStatus(value = HttpStatus.NO_CONTENT) @Operation(summary = "Removed highlights from the file", description = "None") - @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK")}) + @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK"), @ApiResponse(responseCode = "404", description = "Not found")}) @PostMapping(value = DOSSIERS_PATH + DOSSIER_ID_PATH_VARIABLE + FILES_PATH + FILE_ID_PATH_VARIABLE + HIGHLIGHTS_PATH + DELETE_PATH, consumes = MediaType.APPLICATION_JSON_VALUE) void deleteHighlights(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String 
fileId, @RequestBody AnnotationIds annotationIds); @ResponseStatus(value = HttpStatus.NO_CONTENT) @Operation(summary = "Deletes wrong imported redactions for a file", description = "None") - @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK")}) + @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK"), @ApiResponse(responseCode = "404", description = "Not found")}) @PostMapping(value = DOSSIERS_PATH + DOSSIER_ID_PATH_VARIABLE + FILES_PATH + FILE_ID_PATH_VARIABLE + IMPORTED_REDACTIONS_PATH + DELETE_PATH, consumes = MediaType.APPLICATION_JSON_VALUE) void deleteImportedRedactions(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @RequestBody AnnotationIds annotationIds); diff --git a/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/ReanalysisResource.java b/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/ReanalysisResource.java index e9ebd084b..88e4b1611 100644 --- a/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/ReanalysisResource.java +++ b/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/ReanalysisResource.java 
@@ -42,13 +42,13 @@ public interface ReanalysisResource { @PostMapping(value = REANALYSIS_REST_PATH + DOSSIER_ID_PATH_VARIABLE) @Operation(summary = "Reanalyze all files of the dossier.", description = "None") - @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK")}) + @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK"), @ApiResponse(responseCode = "404", description = "Not found")}) void reanalyzeDossier(@PathVariable(DOSSIER_ID) String dossierId, @RequestParam(value = FORCE_PARAM, required = false, defaultValue = FALSE) boolean force); @PostMapping(value = REANALYSIS_REST_PATH + DOSSIER_ID_PATH_VARIABLE + FILE_ID_PATH_VARIABLE) @Operation(summary = "Reanalyze a file", description = "None") - @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK")}) + @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK"), @ApiResponse(responseCode = "404", description = "Not found")}) void reanalyzeFile(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @RequestParam(value = FORCE_PARAM, required = false, defaultValue = FALSE) boolean force); @@ -56,7 +56,7 @@ public interface ReanalysisResource { @PostMapping(value = REANALYSIS_REST_PATH + DOSSIER_ID_PATH_VARIABLE + BULK_REST_PATH) @Operation(summary = "Reanalyze multiple files for a dossier", description = "None") - @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK")}) + @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK"), @ApiResponse(responseCode = "404", description = "Not found")}) void reanalyzeFilesForDossier(@PathVariable(DOSSIER_ID) String dossierId, @RequestBody List fileIds, @RequestParam(value = FORCE_PARAM, required = false, defaultValue = FALSE) boolean force); 
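Review bot: `reanalyzeDossier` now documents 204 and 404 only, while its controller calls `checkDossierExistenceAndAccessPermissionsToDossier`, and the code removed from that controller treated a denied access permission as a case distinct from not found. If that case still produces its own status (presumably 403; the exception mapping is not visible here), it belongs in the annotation too, as FileManagementResource already does for `restoreFiles`: `@ApiResponse(responseCode = "403", description = "Forbidden")`. The same applies to `ocrDossier` (`@@ -64`) and to the other resource methods in this commit whose controllers enforce access rather than view permission.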
@@ -64,13 +64,13 @@ public interface ReanalysisResource {
 @Operation(summary = "Ocr and reanalyze a dossier", description = "None")
 @PostMapping(value = OCR_REANALYSIS_REST_PATH + DOSSIER_ID_PATH_VARIABLE)
- @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK")})
+ @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK"), @ApiResponse(responseCode = "404", description = "Not found")})
 void ocrDossier(@PathVariable(DOSSIER_ID) String dossierId);
 @Operation(summary = "Ocr and reanalyze a file", description = "None")
 @PostMapping(value = OCR_REANALYSIS_REST_PATH + DOSSIER_ID_PATH_VARIABLE + FILE_ID_PATH_VARIABLE)
- @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK"), @ApiResponse(responseCode = "409", description = "Conflict")})
+ @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK"), @ApiResponse(responseCode = "409", description = "Conflict"), @ApiResponse(responseCode = "404", description = "Not found")})
 void ocrFile(@PathVariable(DOSSIER_ID) String dossierId, @PathVariable(FILE_ID) String fileId, @RequestParam(value = FORCE_PARAM, required = false, defaultValue = FALSE) boolean force);
@@ -78,7 +78,7 @@ public interface ReanalysisResource {
 @Operation(summary = "Ocr and reanalyze multiple files for a dossier", description = "None")
 @PostMapping(value = OCR_REANALYSIS_REST_PATH + DOSSIER_ID_PATH_VARIABLE + BULK_REST_PATH)
- @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK")})
+ @ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK"), @ApiResponse(responseCode = "404", description = "Not found")})
 void ocrFiles(@PathVariable(DOSSIER_ID) String dossierId, @RequestBody Set fileIds);
diff --git a/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/StatusReportResource.java b/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/StatusReportResource.java
index a01dd7a1e..087dd2eac 100644
--- a/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/StatusReportResource.java
+++ b/persistence-service-v1/persistence-service-external-api-v1/src/main/java/com/iqser/red/service/persistence/service/v1/api/external/resource/StatusReportResource.java
@@ -18,7 +18,7 @@ public interface StatusReportResource {
 @GetMapping(value = STATUS_REPORT + DOSSIER_ID_PATH_VARIABLE)
 @Operation(summary = "Generate status report for dossier", description = "None")
- @ApiResponses(value = {@ApiResponse(responseCode = "200", description = "Status report was generated.")})
+ @ApiResponses(value = {@ApiResponse(responseCode = "200", description = "Status report was generated."), @ApiResponse(responseCode = "404", description = "Not found")})
 ResponseEntity generateStatusReport(@PathVariable(DOSSIER_ID) String dossierId);
 }
diff --git a/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/AccessControlService.java b/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/AccessControlService.java
index 147790cda..8f439fdfd 100644
--- a/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/AccessControlService.java
+++ b/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/AccessControlService.java
@@ -1,13 +1,8 @@
 package com.iqser.red.service.persistence.management.v1.processor.service;
-import java.util.Collection;
-import java.util.Collections;
-
 import org.springframework.http.HttpStatus;
 import org.springframework.security.access.prepost.PostAuthorize;
 import org.springframework.security.acls.AclPermissionEvaluator;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Service;
@@ -15,7 +10,6 @@ import com.iqser.red.service.persistence.management.v1.processor.acl.custom.doss
 import com.iqser.red.service.persistence.management.v1.processor.exception.BadRequestException;
 import com.iqser.red.service.persistence.management.v1.processor.exception.NotAllowedException;
 import com.iqser.red.service.persistence.management.v1.processor.exception.NotFoundException;
-import com.iqser.red.service.persistence.management.v1.processor.roles.ApplicationRoles;
 import com.iqser.red.service.persistence.management.v1.processor.service.users.UserService;
 import com.iqser.red.service.persistence.service.v1.api.shared.model.dossiertemplate.dossier.file.WorkflowStatus;
 import com.knecon.fforesight.keycloakcommons.security.KeycloakSecurity;
@@ -86,6 +80,7 @@ public class AccessControlService {
 }
+ // checks that the user has view permissions to dossier and returns 403 if it doesn't
 @PostAuthorize("hasPermission(#dossierId, 'Dossier', 'VIEW_OBJECT')")
 public void verifyUserHasViewPermissions(String dossierId) {
@@ -129,6 +124,7 @@ public class AccessControlService {
+ // checks that the user has view permissions to dossier and returns a boolean flag
 public boolean hasUserViewPermissionsForDossier(String dossierId) {
 return aclPermissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), dossierId, "Dossier", "VIEW_OBJECT");
@@ -144,7 +140,7 @@ public class AccessControlService {
 public void verifyFileIsNotApproved(String dossierId, String fileId) {
 try {
- var status = fileStatusManagementService.getFileStatus(fileId).getWorkflowStatus();
+ var status = fileStatusManagementService.getFileStatus(fileId, false).getWorkflowStatus();
 if (WorkflowStatus.APPROVED.equals(status)) {
 throw new NotAllowedException("File is already in status APPROVED.");
@@ -157,4 +153,36 @@ public class AccessControlService {
 }
 }
+ //verifies that user has view permissions to the dossier and responds with 404 if it doesn't
+ public void checkViewPermissionsToDossier(String dossierId) {
+ if (!hasUserViewPermissionsForDossier(dossierId)) {
+ throw new NotFoundException("Object not found");
+ }
+ }
+
+ //verifies that dossier is present and not deleted and user has view permissions to the dossier and responds with 404 if it doesn't
+ public void checkDossierExistenceAndViewPermissionsToDossier(String dossierId) {
+ dossierManagementService.getDossierById(dossierId, true, false);
+ checkViewPermissionsToDossier(dossierId);
+ }
+
+ //verifies that user has access permissions to the dossier and responds with 403 in case it doesn't
+ @PostAuthorize("hasPermission(#dossierId, 'Dossier', 'ACCESS_OBJECT')")
+ public void checkAccessPermissionsToDossier(String dossierId) {
+ checkViewPermissionsToDossier(dossierId);
+ }
+
+ //checks the existence of dossier and if it is not deleted and view permissions
+ @PostAuthorize("hasPermission(#dossierId, 'Dossier', 'ACCESS_OBJECT')")
+ public void checkDossierExistenceAndAccessPermissionsToDossier(String dossierId) {
+ checkDossierExistenceAndViewPermissionsToDossier(dossierId);
+ }
+
+ public void validateFileResourceExistence(String fileId) {
+ var status = fileStatusManagementService.getFileStatus(fileId);
+ if(status.isSoftOrHardDeleted()) {
+ throw new NotFoundException("Object not found");
+ }
+ }
+
 }
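Review bot: `validateFileResourceExistence(fileId)` only rejects a soft- or hard-deleted file; it never ties the file to the dossier whose permissions the other new helpers check. A caller that runs a dossier check and then this method performs two independent checks, so, unless the downstream service enforces the pairing (not visible in this hunk), a user with `VIEW_OBJECT` on one dossier could pass a `fileId` that belongs to another. Consider taking `dossierId` as a second argument and throwing the same `NotFoundException("Object not found")` when the file's owning dossier differs. Separately, the comment on `checkDossierExistenceAndAccessPermissionsToDossier` leaves out the `ACCESS_OBJECT` check; I would write `// 404 if the dossier is missing, deleted or not viewable; 403 via @PostAuthorize (applied on proxied calls only) if ACCESS_OBJECT is missing`.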
diff --git a/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/DictionaryService.java b/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/DictionaryService.java
index 8dcc0cfdb..136d75368 100644
--- a/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/DictionaryService.java
+++ b/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/DictionaryService.java
@@ -115,7 +115,7 @@ public class DictionaryService {
 public void deleteDossierEntries(String type, String dossierTemplateId, List entries, String dossierId, DictionaryEntryType dictionaryEntryType) {
 try {
- accessControlService.verifyUserHasAccessPermissions(dossierId);
+ accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId);
 accessControlService.verifyUserIsMemberOrApprover(dossierId);
 } catch (AccessDeniedException e) {
 throw new NotFoundException("Object not found");
@@ -212,7 +212,7 @@ public class DictionaryService {
 @PreAuthorize("hasAuthority('" + DELETE_DOSSIER_DICTIONARY_TYPE + "')")
 public void deleteDossierType(String type, String dossierTemplateId, String dossierId) {
- accessControlService.verifyUserHasAccessPermissions(dossierId);
+ accessControlService.checkDossierExistenceAndAccessPermissionsToDossier(dossierId);
 accessControlService.verifyUserIsMemberOrApprover(dossierId);
 deleteType(toTypeId(type, dossierTemplateId, dossierId));
 }
@@ -224,7 +224,7 @@ public class DictionaryService {
 List types = MagicConverter.convert(dictionaryPersistenceService.getAllTypesForDossierTemplate(dossierTemplateId, includeDeleted), Type.class);
 if (dossierId != null) {
 try {
- accessControlService.verifyUserHasViewPermissions(dossierId);
+ accessControlService.checkViewPermissionsToDossier(dossierId);
 dictionaryManagementService.checkDossierMatchesDossierTemplate(dossierId, dossierTemplateId);
 // for every dossier template type check if a dossier type exists
 types.forEach(t -> dictionaryManagementService.checkForDossierTypeExistenceAndCreate(toTypeId(t.getType(), t.getDossierTemplateId(), dossierId)));
@@ -264,7 +264,7 @@ public class DictionaryService {
 try {
 if (dossierId != null) {
- accessControlService.verifyUserHasViewPermissions(dossierId);
+ accessControlService.checkViewPermissionsToDossier(dossierId);
 }
 var typeId = toTypeId(type, dossierTemplateId, dossierId);
 // create dossier level type if it does not exist
@@ -323,7 +323,7 @@ public class DictionaryService {
 try {
 if (dossierId != null) {
- accessControlService.verifyUserHasViewPermissions(dossierId);
+ accessControlService.checkViewPermissionsToDossier(dossierId);
 }
 var dossierTemplateDictionary = dictionaryPersistenceService.getType(toTypeId(type, dossierTemplateId));
 var typeId = toTypeId(type, dossierTemplateId, dossierId);
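Review bot: `checkViewPermissionsToDossier` only evaluates the ACL and, unlike the `checkDossierExistenceAnd…` helpers, never looks the dossier up, so a deleted dossier whose ACL entry is still present would presumably pass the check here and in the hunks at -264 and -323. In the -224 and -264 hunks the code that follows goes on to create dossier-level types, so I would call `accessControlService.checkDossierExistenceAndViewPermissionsToDossier(dossierId);` at all three sites. The call now throws `NotFoundException` where the old one raised an access-denied error, and each enclosing `try` ends outside its hunk; the `catch` clauses there should be checked so that the new exception still reaches the client as a 404 and is not wrapped or swallowed.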