From 1b36ad6c1ab915fd1896840e36550b54124c9fff Mon Sep 17 00:00:00 2001
From: gkolokythas <gkolokythas@cite.gr>
Date: Thu, 3 Oct 2019 18:08:47 +0300
Subject: [PATCH] Fixes Security issues, where user could create DMP template.

---
 dmp-backend/web/src/main/java/eu/eudat/controllers/Admin.java | 4 ++--
 .../main/java/eu/eudat/controllers/DMPProfileController.java  | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/dmp-backend/web/src/main/java/eu/eudat/controllers/Admin.java b/dmp-backend/web/src/main/java/eu/eudat/controllers/Admin.java
index 12cab1917..9b36da4b6 100644
--- a/dmp-backend/web/src/main/java/eu/eudat/controllers/Admin.java
+++ b/dmp-backend/web/src/main/java/eu/eudat/controllers/Admin.java
@@ -90,7 +90,7 @@ public class Admin extends BaseController {
 
 	@RequestMapping(method = RequestMethod.POST, value = {"/datasetprofiles/getPaged"}, produces = "application/json")
 	public @ResponseBody
-	ResponseEntity<ResponseItem<DataTableData<DatasetProfileListingModel>>> getPaged(@RequestBody DatasetProfileTableRequestItem datasetProfileTableRequestItem, Principal principal) throws Exception {
+	ResponseEntity<ResponseItem<DataTableData<DatasetProfileListingModel>>> getPaged(@RequestBody DatasetProfileTableRequestItem datasetProfileTableRequestItem, @ClaimedAuthorities(claims = {ADMIN}) Principal principal) throws Exception {
 		DataTableData<DatasetProfileListingModel> datasetProfileTableData = this.datasetProfileManager.getPaged(datasetProfileTableRequestItem);
 		return ResponseEntity.status(HttpStatus.OK).body(new ResponseItem<DataTableData<DatasetProfileListingModel>>().status(ApiMessageCode.NO_MESSAGE).payload(datasetProfileTableData));
 	}
@@ -116,7 +116,7 @@ public class Admin extends BaseController {
 	@Transactional
 	@RequestMapping(method = RequestMethod.DELETE, value = {"{id}"}, consumes = "application/json", produces = "application/json")
 	public @ResponseBody
-	ResponseEntity<ResponseItem<DatasetProfile>> inactivate(@PathVariable String id, Principal principal) {
+	ResponseEntity<ResponseItem<DatasetProfile>> inactivate(@PathVariable String id, @ClaimedAuthorities(claims = {ADMIN}) Principal principal) {
 		try {
 			eu.eudat.data.entities.DatasetProfile ret = AdminManager.inactivate(this.getApiContext().getOperationsContext().getDatabaseRepository().getDatasetProfileDao(), this.getApiContext().getOperationsContext().getDatabaseRepository().getDatasetDao(), id);
 			return ResponseEntity.status(HttpStatus.OK).body(new ResponseItem<eu.eudat.models.data.admin.composite.DatasetProfile>().status(ApiMessageCode.SUCCESS_MESSAGE));
diff --git a/dmp-backend/web/src/main/java/eu/eudat/controllers/DMPProfileController.java b/dmp-backend/web/src/main/java/eu/eudat/controllers/DMPProfileController.java
index a53653305..1a54587fa 100644
--- a/dmp-backend/web/src/main/java/eu/eudat/controllers/DMPProfileController.java
+++ b/dmp-backend/web/src/main/java/eu/eudat/controllers/DMPProfileController.java
@@ -46,7 +46,7 @@ public class DMPProfileController extends BaseController {
     @Transactional
     @RequestMapping(method = RequestMethod.POST, consumes = "application/json", produces = "application/json")
     public @ResponseBody
-    ResponseEntity<ResponseItem<DMPProfile>> createOrUpdate(@RequestBody DataManagementPlanProfileListingModel dataManagementPlan, Principal principal) throws Exception {
+    ResponseEntity<ResponseItem<DMPProfile>> createOrUpdate(@RequestBody DataManagementPlanProfileListingModel dataManagementPlan, @ClaimedAuthorities(claims = {ADMIN}) Principal principal) throws Exception {
         this.dataManagementProfileManager.createOrUpdate(dataManagementPlan, principal);
         return ResponseEntity.status(HttpStatus.OK).body(new ResponseItem<DMPProfile>().status(ApiMessageCode.SUCCESS_MESSAGE).message("Created"));
     }