From 9d8de0c2fb42dc39e55fe59cd5d627a85e379f13 Mon Sep 17 00:00:00 2001
From: gkolokythas <gkolokythas@cite.gr>
Date: Thu, 9 Jan 2020 14:34:23 +0200
Subject: [PATCH] Adds authorization check when creating new version of a DMP.

---
 .../eu/eudat/logic/managers/DataManagementPlanManager.java   | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/dmp-backend/web/src/main/java/eu/eudat/logic/managers/DataManagementPlanManager.java b/dmp-backend/web/src/main/java/eu/eudat/logic/managers/DataManagementPlanManager.java
index a1bd6e2ba..8a440cfed 100644
--- a/dmp-backend/web/src/main/java/eu/eudat/logic/managers/DataManagementPlanManager.java
+++ b/dmp-backend/web/src/main/java/eu/eudat/logic/managers/DataManagementPlanManager.java
@@ -571,7 +571,9 @@ public class DataManagementPlanManager {
 
     public void newVersion(UUID uuid, DataManagementPlanNewVersionModel dataManagementPlan, Principal principal) throws Exception {
         DMP oldDmp = databaseRepository.getDmpDao().find(uuid);
-
+        if (!isUserOwnerOfDmp(oldDmp, principal)) {
+            throw new Exception("User not being the creator is not authorized to perform this action.");
+        }
         DataManagementPlanCriteria criteria = new DataManagementPlanCriteria();
         LinkedList<UUID> list = new LinkedList<>();
         list.push(oldDmp.getGroupId());
@@ -639,7 +641,6 @@ public class DataManagementPlanManager {
         databaseRepository.getGrantDao().createOrUpdate(newDmp.getGrant());
         newDmp = databaseRepository.getDmpDao().createOrUpdate(newDmp);
 
-        // Assign creator.
         assignUser(newDmp, user);
         copyDatasets(newDmp, databaseRepository.getDatasetDao());
     }