From 530aac45401256333f1eab92f97ee0e111901ba7 Mon Sep 17 00:00:00 2001
From: "ioannis.diplas"
Date: Fri, 11 Oct 2019 11:53:48 +0000
Subject: [PATCH] Moved permissions at the controller level

---
 .../repo/manager/controllers/PiWikController.java | 10 ++++++++--
 .../manager/controllers/RepositoryController.java | 12 +++++++++---
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/src/main/java/eu/dnetlib/repo/manager/controllers/PiWikController.java b/src/main/java/eu/dnetlib/repo/manager/controllers/PiWikController.java
index 1f3218b..ba99fde 100644
--- a/src/main/java/eu/dnetlib/repo/manager/controllers/PiWikController.java
+++ b/src/main/java/eu/dnetlib/repo/manager/controllers/PiWikController.java
@@ -5,6 +5,7 @@ import eu.dnetlib.repo.manager.domain.OrderByField;
 import eu.dnetlib.repo.manager.domain.OrderByType;
 import eu.dnetlib.repo.manager.domain.Paging;
 import eu.dnetlib.repo.manager.service.PiWikServiceImpl;
+import eu.dnetlib.repo.manager.service.RepositoryService;
 import eu.dnetlib.repo.manager.shared.RepositoryServiceException;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiImplicitParam;
@@ -14,6 +15,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.io.FileSystemResource;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PostAuthorize;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
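Review bot: `org.springframework.security.access.prepost.PostAuthorize` is newly imported into PiWikController, but every annotation this patch adds to that file is a `@PreAuthorize`, and as a new import it cannot be covering a pre-existing use, so it is dead. Drop the line; a stray `PostAuthorize` import next to pre-checks invites the next reader to look for a post-filter that does not exist.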
@@ -40,16 +42,19 @@ public class PiWikController {
     @Autowired
     private PiWikServiceImpl piWikService;
+    @Autowired
+    private RepositoryService repositoryService;
     @RequestMapping(value = "/getPiwikSiteForRepo/{repositoryId}" , method = RequestMethod.GET,produces = MediaType.APPLICATION_JSON_VALUE)
     @ResponseBody
+    @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_PROVIDE_ADMIN') or (@repositoryService.getRepositoryById(#repositoryId).registeredBy==authentication.userInfo.email and hasRole('ROLE_USER'))")
     public PiwikInfo getPiwikSiteForRepo(@PathVariable("repositoryId") String repositoryId) {
         return piWikService.getPiwikSiteForRepo(repositoryId);
     }
     @RequestMapping(value = "/savePiwikInfo" , method = RequestMethod.POST,produces = MediaType.APPLICATION_JSON_VALUE)
-    @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_PROVIDE_ADMIN') or (hasRole('ROLE_USER') " +
-            "and #piwikInfo.requestorEmail == authentication.userInfo.email)")
+    @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_PROVIDE_ADMIN') or (@repositoryService.getRepositoryById(#piwikInfo.repositoryId).registeredBy==authentication.userInfo.email and hasRole('ROLE_USER'))")
     public PiwikInfo savePiwikInfo(@RequestBody PiwikInfo piwikInfo) {
         return piWikService.savePiwikInfo(piwikInfo);
     }
@@ -158,6 +163,7 @@ public class PiWikController {
     @RequestMapping(value = "/getOpenaireId/{repositoryId}" , method = RequestMethod.GET,produces = MediaType.APPLICATION_JSON_VALUE)
     @ResponseBody
+    @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_PROVIDE_ADMIN')")
     public String getOpenaireId(String repositoryid){
         return piWikService.getOpenaireId(repositoryid);
     }
diff --git a/src/main/java/eu/dnetlib/repo/manager/controllers/RepositoryController.java b/src/main/java/eu/dnetlib/repo/manager/controllers/RepositoryController.java
index 0312992..bef47ff 100644
--- a/src/main/java/eu/dnetlib/repo/manager/controllers/RepositoryController.java
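Review bot: In both new `@PreAuthorize` expressions the ownership clause `@repositoryService.getRepositoryById(...).registeredBy==authentication.userInfo.email` is evaluated before `hasRole('ROLE_USER')`, so an anonymous principal (no `userInfo` property on the token) or an unknown repository id (a null return, or the ResourceNotFoundException the RepositoryController counterpart declares) makes SpEL fail mid-evaluation and the request ends in a 500 rather than a 403. Reorder and null-guard the clause, e.g. `or (hasRole('ROLE_USER') and @repositoryService.getRepositoryById(#repositoryId)?.registeredBy == authentication.userInfo.email)`, so the lookup only runs for users and a missing repository is simply denied. `@repositoryService` in SpEL is resolved by bean name, not through the injected field added above it; given that this class injects `PiWikServiceImpl` by concrete type, confirm the repository service bean really is registered as `repositoryService` (a default `repositoryServiceImpl` name would make every request to these two endpoints fail at evaluation time). Separately, `savePiwikInfo` no longer compares `#piwikInfo.requestorEmail` with the caller, so an owner can store a PiwikInfo carrying someone else's requestorEmail; whether that matters depends on how the service uses that field, which is not shown.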
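Review bot: `getOpenaireId(String repositoryid)` takes its argument without `@PathVariable("repositoryId")`, so the `{repositoryId}` segment of the mapping is never read and Spring binds the parameter from an optional request parameter named `repositoryid` (null when absent); the new `@PreAuthorize` is fine, but the endpoint under it does not work as mapped. Change the signature to `public String getOpenaireId(@PathVariable("repositoryId") String repositoryId){` and pass `repositoryId` to the service. This predates the commit, but the commit touches the method and is the natural place to fix it.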
+++ b/src/main/java/eu/dnetlib/repo/manager/controllers/RepositoryController.java
@@ -11,8 +11,11 @@ import io.swagger.annotations.Api;
 import org.json.JSONException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
+import org.springframework.security.access.prepost.PostAuthorize;
+import org.springframework.security.access.prepost.PostFilter;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.web.bind.annotation.*;
 import javax.ws.rs.Path;
@@ -72,6 +75,7 @@ public class RepositoryController {
     @RequestMapping(value = "/getRepositoryById/{id}", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
     @ResponseBody
+    @PostAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_PROVIDE_ADMIN') or (returnObject.registeredBy==authentication.userInfo.email and hasRole('ROLE_USER'))")
     public Repository getRepositoryById(@PathVariable("id") String id) throws JSONException,ResourceNotFoundException {
         return repositoryService.getRepositoryById(id);
     }
@@ -102,6 +106,7 @@ public class RepositoryController {
     @RequestMapping(value = "/getRepositoryInterface/{id}", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
     @ResponseBody
+    @PostAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_PROVIDE_ADMIN') or (@repositoryService.getRepositoryById(#id).registeredBy==authentication.userInfo.email and hasRole('ROLE_USER'))")
     public List getRepositoryInterface(@PathVariable("id") String id) throws JSONException {
         return repositoryService.getRepositoryInterface(id);
     }
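Review bot: `PostFilter` and `SecurityContextHolder` are newly imported here but nothing in this patch references either — the only annotations added to this file are `@PreAuthorize` and `@PostAuthorize` — and as new imports they cannot be covering pre-existing uses. Drop the two lines; a stray `PostFilter` import next to list-returning endpoints reads as a collection filter that was intended but never written.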
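Review bot: The `@PostAuthorize` on `getRepositoryById` dereferences `returnObject.registeredBy` and `authentication.userInfo` before `hasRole('ROLE_USER')` is consulted, so an anonymous token (which has no `userInfo` property) or a null return for an unknown id — not excluded by what is shown, even though the controller declares ResourceNotFoundException — produces a SpEL evaluation error and a 500 instead of a denial. Write the clause as `(hasRole('ROLE_USER') and returnObject?.registeredBy==authentication.userInfo.email)` so SpEL's short-circuiting `and` skips the property access for non-users and a null return is denied. Note also that because the check runs after the lookup, a caller can tell a repository that does not exist (whatever ResourceNotFoundException maps to) from one owned by someone else (403), which gives an id-enumeration oracle; if that matters, map both outcomes to the same status.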
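Review bot: `getRepositoryInterface` is annotated `@PostAuthorize`, but its expression never uses `returnObject` — it is a precondition on `#id` — so `repositoryService.getRepositoryInterface(id)` runs to completion for an unauthorized caller and only the response is withheld. Change the annotation to `@PreAuthorize` with the same expression so the lookup is skipped for callers who may not see it (`PreAuthorize` is already imported), and order the clauses as `hasRole('ROLE_USER') and @repositoryService.getRepositoryById(#id)?.registeredBy==authentication.userInfo.email` so an anonymous principal or an unknown id is denied rather than raising an evaluation error.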
@@ -109,7 +114,7 @@ public class RepositoryController {
     @RequestMapping(value = "/addRepository", method = RequestMethod.POST, consumes = MediaType.APPLICATION_JSON_VALUE)
     @ResponseBody
-// @PreAuthorize("hasRole('ROLE_USER') and #repository.registeredBy == authentication.userInfo.email")
+    @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_PROVIDE_ADMIN') or (#repository.registeredBy==authentication.userInfo.email and hasRole('ROLE_USER'))")
     public Repository addRepository(@RequestParam("datatype") String datatype, @RequestBody Repository repository) throws Exception {
@@ -140,6 +145,7 @@ public class RepositoryController {
     @RequestMapping(value = "/updateRepository", method = RequestMethod.POST, consumes = MediaType.APPLICATION_JSON_VALUE)
     @ResponseBody
+    @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_PROVIDE_ADMIN') or (#repository.registeredBy==authentication.userInfo.email and hasRole('ROLE_USER'))")
     public Repository updateRepository(@RequestBody Repository repository,Authentication authentication) throws Exception {
         return repositoryService.updateRepository(repository, authentication);
     }
@@ -154,7 +160,7 @@ public class RepositoryController {
     @RequestMapping(value = "/addInterface", method = RequestMethod.POST, consumes = MediaType.APPLICATION_JSON_VALUE)
     @ResponseBody
-    @PreAuthorize("hasRole('ROLE_USER') and #registeredBy == authentication.userInfo.email")
+    @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_PROVIDE_ADMIN') or (@repositoryService.getRepositoryById(#repoId).registeredBy==authentication.userInfo.email and hasRole('ROLE_USER'))")
     public RepositoryInterface addRepositoryInterface(@RequestParam("datatype") String datatype, @RequestParam("repoId") String repoId, @RequestParam("registeredBy") String registeredBy,
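Review bot: The `updateRepository` check compares `#repository.registeredBy` — a field of the request body that the caller writes — against the caller's own email, so it does not establish ownership: any ROLE_USER can update any repository by posting its id with `registeredBy` set to their own address, and in doing so also overwrites the stored owner. Unless `repositoryService.updateRepository(repository, authentication)` re-validates against the persisted record (its body is not shown), resolve the stored owner the way `addInterface` in this same patch does, e.g. `(hasRole('ROLE_USER') and @repositoryService.getRepositoryById(#repository.id)?.registeredBy==authentication.userInfo.email)` using whatever `Repository`'s identifier property is actually called. The service should additionally ignore the incoming `registeredBy` and keep the stored value, otherwise a legitimate owner can hand a repository to an arbitrary address. The `addRepository` check two hunks up is the one place where validating the body field is the right thing, since there is no stored record yet.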
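Review bot: `addRepositoryInterface` still accepts a `registeredBy` request parameter, but after this change it is no longer compared with the caller — ownership now comes from the stored repository via `#repoId`. If the service writes that parameter into the new interface record (the method body continues below the hunk and is not shown), an owner can attribute the interface to an arbitrary address; either drop the parameter and take the email from `authentication`, or keep the old clause alongside the new one: `... and #registeredBy == authentication.userInfo.email and hasRole('ROLE_USER'))`. As elsewhere in the patch, put `hasRole('ROLE_USER')` first and use `?.registeredBy` so an anonymous caller or an unknown `repoId` is denied instead of raising an evaluation error.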
@@ -211,7 +217,7 @@ public class RepositoryController {
     @RequestMapping(value = "/updateRepositoryInterface", method = RequestMethod.POST, consumes = MediaType.APPLICATION_JSON_VALUE)
     @ResponseBody
-    @PreAuthorize("hasRole('ROLE_USER') and #registeredBy == authentication.userInfo.email")
+    @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_PROVIDE_ADMIN') or (@repositoryService.getRepositoryById(#repoId).registeredBy==authentication.userInfo.email and hasRole('ROLE_USER'))")
     public RepositoryInterface updateRepositoryInterface(@RequestParam("repoId") String repoId, @RequestParam("registeredBy") String registeredBy, @RequestBody RepositoryInterface repositoryInterface) throws Exception {
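Review bot: The new check on `updateRepositoryInterface` ties authorization to `#repoId`, but the record being modified is identified by the `RepositoryInterface` body; if `repositoryService.updateRepositoryInterface` locates the interface by its own id rather than by `repoId` (the body runs past the hunk and is not shown), a user can pass a repository they own as `repoId` together with an interface belonging to another repository and the check passes. The service should verify that the interface belongs to `repoId` before writing, or the expression should derive ownership from the interface's identifier. As with `addInterface`, the `registeredBy` parameter is still accepted but no longer compared with the caller, and the clause should be ordered `hasRole('ROLE_USER') and @repositoryService.getRepositoryById(#repoId)?.registeredBy==...` so an unknown `repoId` or anonymous caller is denied rather than producing an evaluation error.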