From 9aed05d574ab337939c47b3cf45d516ae261c3e8 Mon Sep 17 00:00:00 2001
From: gkolokythas
Date: Wed, 18 Dec 2019 12:38:04 +0200
Subject: [PATCH] Adds backend validation so that only creator can edit one DMP.
---
 .../logic/managers/DataManagementPlanManager.java | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/dmp-backend/web/src/main/java/eu/eudat/logic/managers/DataManagementPlanManager.java b/dmp-backend/web/src/main/java/eu/eudat/logic/managers/DataManagementPlanManager.java
index fcb0a973c..7bdb35e7e 100644
--- a/dmp-backend/web/src/main/java/eu/eudat/logic/managers/DataManagementPlanManager.java
+++ b/dmp-backend/web/src/main/java/eu/eudat/logic/managers/DataManagementPlanManager.java
@@ -69,9 +69,7 @@ import javax.xml.bind.JAXBException;
 import javax.xml.bind.Unmarshaller;
 import java.io.*;
 import java.math.BigInteger;
-import java.net.URL;
 import java.nio.file.Files;
-import java.nio.file.Paths;
 import java.util.*;
 import java.util.concurrent.CompletableFuture;
 import java.util.stream.Collectors;
@@ -106,7 +104,6 @@ public class DataManagementPlanManager {
 CompletableFuture itemsFuture; if (fieldsGroup.equals("listing")) { - itemsFuture = pagedItems.withHint(HintedModelFactory.getHint(DataManagementPlanListingModel.class)) .selectAsync(item -> { item.setDataset(
@@ -127,7 +124,7 @@ public class DataManagementPlanManager {
 }
 CompletableFuture countFuture = authItems.countAsync().whenComplete((count, throwable) ->
- dataTable.setTotalCount(count)
+ dataTable.setTotalCount(count)
 );
 CompletableFuture.allOf(itemsFuture, countFuture).join();
 return dataTable;
@@ -479,10 +476,13 @@ public class DataManagementPlanManager {
 if (dataManagementPlan.getId() != null) {
 DMP dmp1 = apiContext.getOperationsContext().getDatabaseRepository().getDmpDao().find(dataManagementPlan.getId());
+ if (!isUserOwnerOfDmp(dmp1, principal)) {
+ throw new Exception("User not being the creator is not authorized to edit this DMP.");
+ }
 List datasetList = new ArrayList<>(dmp1.getDataset());
 for (Dataset dataset : datasetList) {
 if (dataManagementPlan.getProfiles().stream().filter(associatedProfile -> dataset.getProfile().getId().equals(associatedProfile.getId())).findAny().orElse(null) == null)
- throw new Exception("Dataset Template for Dataest Description is missing from the DMP.");
+ throw new Exception("Dataset Template for Dataset Description is missing from the DMP.");
 }
 if (dataManagementPlan.getStatus() == (int) DMP.DMPStatus.FINALISED.getValue() && dmp1.getStatus().equals(DMP.DMPStatus.FINALISED.getValue())) throw new Exception("DMP is finalized, therefore cannot be edited.");
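Review bot: The new ownership check in the `getId() != null` branch reports an authorization failure with a bare `Exception`, the same type the neighbouring validation errors use, so a caller cannot tell a denied edit from bad input, cannot map it to a 403, and cannot record it as an access-control event. A dedicated exception type would fix that, e.g. `throw new DmpEditForbiddenException(dataManagementPlan.getId());` (placeholder name; use whatever type the project already has for this), ideally with a log line carrying the principal and the DMP id. `dmp1` comes straight from `find(...)` with a client-supplied id and is handed to `isUserOwnerOfDmp` unchecked; if `find` can return null for an unknown id, an `if (dmp1 == null)` guard belongs before the check, which should be confirmed because the helper's body is outside the hunk. The enclosing method starts and ends outside the hunk, so it cannot be seen here whether other write paths for a DMP apply the same check.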