From db98454ee4737fd1fabba03b44a81b5d139f2617 Mon Sep 17 00:00:00 2001
From: Luca Frosini <luca.frosini@isti.cnr.it>
Date: Fri, 1 Apr 2022 15:49:44 +0200
Subject: [PATCH] Adding role filtering

---
 pom.xml                                              |  5 +++++
 src/main/java/org/gcube/gcat/profile/ISProfile.java  |  2 +-
 src/main/java/org/gcube/gcat/rest/Configuration.java |  8 ++++++++
 src/main/java/org/gcube/gcat/rest/Group.java         | 11 +++++++++++
 src/main/java/org/gcube/gcat/rest/Item.java          | 12 ++++++++++++
 src/main/java/org/gcube/gcat/rest/Organization.java  |  8 ++++++++
 src/main/java/org/gcube/gcat/rest/Profile.java       |  5 +++++
 src/main/java/org/gcube/gcat/rest/Trash.java         | 10 +++++++---
 src/main/java/org/gcube/gcat/rest/User.java          |  8 ++++++++
 9 files changed, 65 insertions(+), 4 deletions(-)

diff --git a/pom.xml b/pom.xml
index a565ef3..8b3b3e7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -65,6 +65,11 @@
 			<artifactId>gcat-api</artifactId>
 			<version>[2.0.0,3.0.0-SNAPSHOT)</version>
 		</dependency>
+		<dependency>
+			<groupId>org.gcube.common</groupId>
+			<artifactId>authorization-control-library</artifactId>
+			<version>[1.0.0,2.0.0-SNAPSHOT)</version>
+		</dependency>
 		<dependency>
 			<groupId>org.gcube.common</groupId>
 			<artifactId>authorization-utils</artifactId>
diff --git a/src/main/java/org/gcube/gcat/profile/ISProfile.java b/src/main/java/org/gcube/gcat/profile/ISProfile.java
index 2a55f14..2e08417 100644
--- a/src/main/java/org/gcube/gcat/profile/ISProfile.java
+++ b/src/main/java/org/gcube/gcat/profile/ISProfile.java
@@ -197,7 +197,7 @@ public class ISProfile {
 	public boolean delete(String name) {
 		try {
 			CKANUser ckanUser = CKANUserCache.getCurrrentCKANUser();
-			if(ckanUser.getRole().ordinal()<Role.EDITOR.ordinal()) {
+			if(ckanUser.getRole().ordinal()<Role.ADMIN.ordinal()) {
 				throw new NotAuthorizedException("You are not authorized to manage profiles, only Catalogue Editor can manipulate profiles.");
 			}
 			MetadataUtility metadataUtility = new MetadataUtility();
diff --git a/src/main/java/org/gcube/gcat/rest/Configuration.java b/src/main/java/org/gcube/gcat/rest/Configuration.java
index 83a31b1..447dfe7 100644
--- a/src/main/java/org/gcube/gcat/rest/Configuration.java
+++ b/src/main/java/org/gcube/gcat/rest/Configuration.java
@@ -9,6 +9,7 @@ import javax.ws.rs.DefaultValue;
 import javax.ws.rs.ForbiddenException;
 import javax.ws.rs.GET;
 import javax.ws.rs.InternalServerErrorException;
+import javax.ws.rs.NotAuthorizedException;
 import javax.ws.rs.POST;
 import javax.ws.rs.PUT;
 import javax.ws.rs.Path;
@@ -23,6 +24,7 @@ import javax.xml.ws.WebServiceException;
 
 import org.gcube.com.fasterxml.jackson.databind.ObjectMapper;
 import org.gcube.com.fasterxml.jackson.databind.node.ObjectNode;
+import org.gcube.common.authorization.control.annotations.AuthorizationControl;
 import org.gcube.common.authorization.utils.manager.SecretManagerProvider;
 import org.gcube.gcat.annotation.PATCH;
 import org.gcube.gcat.annotation.PURGE;
@@ -94,6 +96,7 @@ public class Configuration extends BaseREST implements org.gcube.gcat.api.interf
 	@Consumes(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public Response create(String json) throws WebServiceException {
 		try {
 			ServiceCatalogueConfiguration catalogueConfiguration = ServiceCatalogueConfiguration.getServiceCatalogueConfiguration(json);
@@ -114,6 +117,7 @@ public class Configuration extends BaseREST implements org.gcube.gcat.api.interf
 	@GET
 	@Path("/{" + CONTEXT_FULLNAME_PARAMETER + "}")
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_EDITOR, Role.CATALOGUE_ADMIN, Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public Response read(@PathParam(CONTEXT_FULLNAME_PARAMETER) String context) throws WebServiceException {
 		try {
 			checkContext(context);
@@ -147,6 +151,7 @@ public class Configuration extends BaseREST implements org.gcube.gcat.api.interf
 	@Path("/{" + CONTEXT_FULLNAME_PARAMETER + "}")
 	@Consumes(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public String createOrUpdate(@PathParam(CONTEXT_FULLNAME_PARAMETER) String context, String json) throws WebServiceException {
 		try {
 			ServiceCatalogueConfiguration catalogueConfiguration = ServiceCatalogueConfiguration.getServiceCatalogueConfiguration(json);
@@ -183,6 +188,7 @@ public class Configuration extends BaseREST implements org.gcube.gcat.api.interf
 	@Path("/{" + CONTEXT_FULLNAME_PARAMETER + "}")
 	@Consumes(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public Response patch(@PathParam(CONTEXT_FULLNAME_PARAMETER) String context, String json) throws WebServiceException {
 		try {
 			checkContext(context);
@@ -236,6 +242,7 @@ public class Configuration extends BaseREST implements org.gcube.gcat.api.interf
 	
 	@DELETE
 	@Path("/{" + CONTEXT_FULLNAME_PARAMETER + "}")
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public Response delete(@PathParam(CONTEXT_FULLNAME_PARAMETER) String context, 
 			@QueryParam(GCatConstants.PURGE_QUERY_PARAMETER) @DefaultValue("false") Boolean purge) throws WebServiceException {
 		try {
@@ -267,6 +274,7 @@ public class Configuration extends BaseREST implements org.gcube.gcat.api.interf
 	
 	@PURGE
 	@Path("/{" + CONTEXT_FULLNAME_PARAMETER + "}")
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public Response purge(@PathParam(CONTEXT_FULLNAME_PARAMETER) String context) throws WebServiceException {
 		try {
 			checkContext(context);
diff --git a/src/main/java/org/gcube/gcat/rest/Group.java b/src/main/java/org/gcube/gcat/rest/Group.java
index 7fe3c9f..d596ba3 100644
--- a/src/main/java/org/gcube/gcat/rest/Group.java
+++ b/src/main/java/org/gcube/gcat/rest/Group.java
@@ -4,6 +4,7 @@ import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
 import javax.ws.rs.DefaultValue;
 import javax.ws.rs.GET;
+import javax.ws.rs.NotAuthorizedException;
 import javax.ws.rs.POST;
 import javax.ws.rs.PUT;
 import javax.ws.rs.Path;
@@ -13,9 +14,11 @@ import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.Response;
 import javax.xml.ws.WebServiceException;
 
+import org.gcube.common.authorization.control.annotations.AuthorizationControl;
 import org.gcube.gcat.annotation.PATCH;
 import org.gcube.gcat.annotation.PURGE;
 import org.gcube.gcat.api.GCatConstants;
+import org.gcube.gcat.api.roles.Role;
 import org.gcube.gcat.persistence.ckan.CKANGroup;
 
 /**
@@ -41,6 +44,7 @@ public class Group extends REST<CKANGroup> implements org.gcube.gcat.api.interfa
 	
 	@GET
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_EDITOR, Role.CATALOGUE_ADMIN, Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public String list(@QueryParam(GCatConstants.LIMIT_PARAMETER) @DefaultValue("10") int limit,
 			@QueryParam(GCatConstants.OFFSET_PARAMETER) @DefaultValue("0") int offset, 
 			@QueryParam(GCatConstants.COUNT_PARAMETER) @DefaultValue("false") Boolean countOnly) {
@@ -65,6 +69,7 @@ public class Group extends REST<CKANGroup> implements org.gcube.gcat.api.interfa
 	@Consumes(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public Response create(String json) {
 		return super.create(json);
 	}
@@ -73,6 +78,7 @@ public class Group extends REST<CKANGroup> implements org.gcube.gcat.api.interfa
 	@Path("/{" + GROUP_ID_PARAMETER + "}")
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_EDITOR}, exception=NotAuthorizedException.class)
 	public String read(@PathParam(GROUP_ID_PARAMETER) String id) {
 		return super.read(id);
 	}
@@ -82,6 +88,7 @@ public class Group extends REST<CKANGroup> implements org.gcube.gcat.api.interfa
 	@Consumes(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public String update(@PathParam(GROUP_ID_PARAMETER) String id, String json) {
 		return super.update(id, json);
 	}
@@ -91,6 +98,7 @@ public class Group extends REST<CKANGroup> implements org.gcube.gcat.api.interfa
 	@Consumes(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public String patch(@PathParam(GROUP_ID_PARAMETER) String id, String json) {
 		return super.patch(id, json);
 	}
@@ -98,6 +106,7 @@ public class Group extends REST<CKANGroup> implements org.gcube.gcat.api.interfa
 	@DELETE
 	@Path("/{" + GROUP_ID_PARAMETER + "}")
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public Response delete(@PathParam(GROUP_ID_PARAMETER) String id,
 			@QueryParam(GCatConstants.PURGE_QUERY_PARAMETER) @DefaultValue("false") Boolean purge) {
 		return super.delete(id, purge);
@@ -106,11 +115,13 @@ public class Group extends REST<CKANGroup> implements org.gcube.gcat.api.interfa
 	@PURGE
 	@Path("/{" + GROUP_ID_PARAMETER + "}")
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public Response purge(@PathParam(GROUP_ID_PARAMETER) String id) {
 		return delete(id, true);
 	}
 	
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public Response delete(String name, boolean purge) {
 		return delete(name, new Boolean(purge));
 	}
diff --git a/src/main/java/org/gcube/gcat/rest/Item.java b/src/main/java/org/gcube/gcat/rest/Item.java
index 6cd6b37..465e155 100644
--- a/src/main/java/org/gcube/gcat/rest/Item.java
+++ b/src/main/java/org/gcube/gcat/rest/Item.java
@@ -4,6 +4,7 @@ import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
 import javax.ws.rs.DefaultValue;
 import javax.ws.rs.GET;
+import javax.ws.rs.NotAuthorizedException;
 import javax.ws.rs.POST;
 import javax.ws.rs.PUT;
 import javax.ws.rs.Path;
@@ -15,9 +16,12 @@ import javax.ws.rs.core.Response.ResponseBuilder;
 import javax.ws.rs.core.Response.Status;
 import javax.xml.ws.WebServiceException;
 
+import org.gcube.common.authorization.control.annotations.AuthorizationControl;
 import org.gcube.gcat.annotation.PATCH;
 import org.gcube.gcat.annotation.PURGE;
 import org.gcube.gcat.api.GCatConstants;
+import org.gcube.gcat.api.moderation.Moderated;
+import org.gcube.gcat.api.roles.Role;
 import org.gcube.gcat.persistence.ckan.CKANPackage;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -40,6 +44,7 @@ public class Item extends REST<CKANPackage> implements org.gcube.gcat.api.interf
 	
 	@GET
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_MEMBER, Role.CATALOGUE_EDITOR, Role.CATALOGUE_ADMIN, Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public String list(@QueryParam(GCatConstants.LIMIT_PARAMETER) @DefaultValue("10") int limit,
 			@QueryParam(GCatConstants.OFFSET_PARAMETER) @DefaultValue("0") int offset, 
 			@QueryParam(GCatConstants.COUNT_PARAMETER) @DefaultValue("false") Boolean countOnly) {
@@ -65,6 +70,7 @@ public class Item extends REST<CKANPackage> implements org.gcube.gcat.api.interf
 	@Consumes(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_EDITOR, Role.CATALOGUE_ADMIN, Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public Response create(String json) {
 		return super.create(json);
 	}
@@ -73,6 +79,7 @@ public class Item extends REST<CKANPackage> implements org.gcube.gcat.api.interf
 	@Path("/{" + ITEM_ID_PARAMETER + "}")
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_MEMBER, Role.CATALOGUE_EDITOR, Role.CATALOGUE_ADMIN, Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public String read(@PathParam(ITEM_ID_PARAMETER) String id) {
 		return super.read(id);
 	}
@@ -82,6 +89,7 @@ public class Item extends REST<CKANPackage> implements org.gcube.gcat.api.interf
 	@Consumes(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_EDITOR, Role.CATALOGUE_ADMIN, Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public String update(@PathParam(ITEM_ID_PARAMETER) String id, String json) {
 		return super.update(id, json);
 	}
@@ -91,6 +99,7 @@ public class Item extends REST<CKANPackage> implements org.gcube.gcat.api.interf
 	@Consumes(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_EDITOR, Role.CATALOGUE_ADMIN, Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public String patch(@PathParam(ITEM_ID_PARAMETER) String id, String json) {
 		return super.patch(id, json);
 	}
@@ -98,6 +107,7 @@ public class Item extends REST<CKANPackage> implements org.gcube.gcat.api.interf
 	@DELETE
 	@Path("/{" + ITEM_ID_PARAMETER + "}")
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_EDITOR, Role.CATALOGUE_ADMIN, Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public Response delete(@PathParam(ITEM_ID_PARAMETER) String id,
 			@QueryParam(GCatConstants.PURGE_QUERY_PARAMETER) @DefaultValue("false") Boolean purge) {
 		return super.delete(id, purge);
@@ -106,6 +116,7 @@ public class Item extends REST<CKANPackage> implements org.gcube.gcat.api.interf
 	@PURGE
 	@Path("/{" + ITEM_ID_PARAMETER + "}")
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_EDITOR, Role.CATALOGUE_ADMIN, Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public Response purge(@PathParam(ITEM_ID_PARAMETER) String id) {
 		return super.purge(id);
 	}
@@ -146,6 +157,7 @@ public class Item extends REST<CKANPackage> implements org.gcube.gcat.api.interf
 	@Path("/{" + ITEM_ID_PARAMETER + "}")
 	@Consumes(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_EDITOR, Role.CATALOGUE_ADMIN, Role.CATALOGUE_MANAGER, Moderated.CATALOGUE_MODERATOR }, exception=NotAuthorizedException.class)
 	public Response moderate(@PathParam(ITEM_ID_PARAMETER) String id, String json) {
 		setCalledMethod("POST /" + COLLECTION_PARAMETER + "/{" + ID_PARAMETER + "}");
 		CKANPackage ckanPackage = getInstance();
diff --git a/src/main/java/org/gcube/gcat/rest/Organization.java b/src/main/java/org/gcube/gcat/rest/Organization.java
index db26c4a..032b59e 100644
--- a/src/main/java/org/gcube/gcat/rest/Organization.java
+++ b/src/main/java/org/gcube/gcat/rest/Organization.java
@@ -4,6 +4,7 @@ import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
 import javax.ws.rs.DefaultValue;
 import javax.ws.rs.GET;
+import javax.ws.rs.NotAuthorizedException;
 import javax.ws.rs.POST;
 import javax.ws.rs.PUT;
 import javax.ws.rs.Path;
@@ -13,9 +14,11 @@ import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.Response;
 import javax.xml.ws.WebServiceException;
 
+import org.gcube.common.authorization.control.annotations.AuthorizationControl;
 import org.gcube.gcat.annotation.PATCH;
 import org.gcube.gcat.annotation.PURGE;
 import org.gcube.gcat.api.GCatConstants;
+import org.gcube.gcat.api.roles.Role;
 import org.gcube.gcat.persistence.ckan.CKANOrganization;
 
 /**
@@ -66,6 +69,7 @@ public class Organization extends REST<CKANOrganization>
 	@Consumes(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public Response create(String json) {
 		return super.create(json);
 	}
@@ -83,6 +87,7 @@ public class Organization extends REST<CKANOrganization>
 	@Consumes(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public String update(@PathParam(ORGANIZATION_ID_PARAMETER) String id, String json) {
 		return super.update(id, json);
 	}
@@ -92,6 +97,7 @@ public class Organization extends REST<CKANOrganization>
 	@Consumes(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public String patch(@PathParam(ORGANIZATION_ID_PARAMETER) String id, String json) {
 		return super.patch(id, json);
 	}
@@ -99,6 +105,7 @@ public class Organization extends REST<CKANOrganization>
 	@DELETE
 	@Path("/{" + ORGANIZATION_ID_PARAMETER + "}")
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public Response delete(@PathParam(ORGANIZATION_ID_PARAMETER) String id,
 			@QueryParam(GCatConstants.PURGE_QUERY_PARAMETER) @DefaultValue("false") Boolean purge) {
 		return super.delete(id, purge);
@@ -106,6 +113,7 @@ public class Organization extends REST<CKANOrganization>
 	
 	@PURGE
 	@Path("/{" + ORGANIZATION_ID_PARAMETER + "}")
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public Response purge(@PathParam(ORGANIZATION_ID_PARAMETER) String id) {
 		return super.purge(id);
 	}
diff --git a/src/main/java/org/gcube/gcat/rest/Profile.java b/src/main/java/org/gcube/gcat/rest/Profile.java
index 0e70308..99c8f1a 100644
--- a/src/main/java/org/gcube/gcat/rest/Profile.java
+++ b/src/main/java/org/gcube/gcat/rest/Profile.java
@@ -9,6 +9,7 @@ import javax.ws.rs.HeaderParam;
 import javax.ws.rs.HttpMethod;
 import javax.ws.rs.InternalServerErrorException;
 import javax.ws.rs.NotAllowedException;
+import javax.ws.rs.NotAuthorizedException;
 import javax.ws.rs.PUT;
 import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
@@ -23,8 +24,10 @@ import javax.ws.rs.core.Response.Status;
 import javax.ws.rs.core.UriInfo;
 
 import org.gcube.com.fasterxml.jackson.databind.node.ArrayNode;
+import org.gcube.common.authorization.control.annotations.AuthorizationControl;
 import org.gcube.datacatalogue.metadatadiscovery.DataCalogueMetadataFormatReader;
 import org.gcube.gcat.api.GCatConstants;
+import org.gcube.gcat.api.roles.Role;
 import org.gcube.gcat.profile.ISProfile;
 import org.xml.sax.SAXException;
 
@@ -135,6 +138,7 @@ public class Profile extends BaseREST implements org.gcube.gcat.api.interfaces.P
 	@Path("/{" + PROFILE_NAME_PARAMETER + "}")
 	@Consumes(MediaType.APPLICATION_XML)
 	@Produces(MediaType.APPLICATION_XML)
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_ADMIN}, exception=NotAuthorizedException.class)
 	public Response createOrUpdate(@PathParam(PROFILE_NAME_PARAMETER) String name, String xml) {
 		setCalledMethod("PUT /" + PROFILES + "/{" + PROFILE_NAME_PARAMETER + "}");
 		try {
@@ -165,6 +169,7 @@ public class Profile extends BaseREST implements org.gcube.gcat.api.interfaces.P
 	
 	@DELETE
 	@Path("/{" + PROFILE_NAME_PARAMETER + "}")
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_ADMIN}, exception=NotAuthorizedException.class)
 	public Response delete(@PathParam(PROFILE_NAME_PARAMETER) String name) {
 		setCalledMethod("DELETE /" + PROFILES + "/{" + PROFILE_NAME_PARAMETER + "}");
 		try {
diff --git a/src/main/java/org/gcube/gcat/rest/Trash.java b/src/main/java/org/gcube/gcat/rest/Trash.java
index 0f8d231..0d2e475 100644
--- a/src/main/java/org/gcube/gcat/rest/Trash.java
+++ b/src/main/java/org/gcube/gcat/rest/Trash.java
@@ -3,6 +3,7 @@ package org.gcube.gcat.rest;
 import javax.ws.rs.DELETE;
 import javax.ws.rs.DefaultValue;
 import javax.ws.rs.GET;
+import javax.ws.rs.NotAuthorizedException;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
@@ -10,8 +11,10 @@ import javax.ws.rs.core.Response;
 import javax.ws.rs.core.Response.Status;
 import javax.xml.ws.WebServiceException;
 
+import org.gcube.common.authorization.control.annotations.AuthorizationControl;
 import org.gcube.gcat.annotation.PURGE;
 import org.gcube.gcat.api.GCatConstants;
+import org.gcube.gcat.api.roles.Role;
 import org.gcube.gcat.persistence.ckan.CKANPackageTrash;
 
 /**
@@ -24,6 +27,7 @@ public class Trash extends BaseREST implements org.gcube.gcat.api.interfaces.Tra
 	@GET
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_EDITOR, Role.CATALOGUE_ADMIN, Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public String list(@QueryParam(GCatConstants.OWN_ONLY_QUERY_PARAMETER) @DefaultValue("true") Boolean ownOnly) throws WebServiceException {
 		CKANPackageTrash ckanPackageTrash = new CKANPackageTrash();
 		ckanPackageTrash.setOwnOnly(ownOnly);
@@ -32,6 +36,7 @@ public class Trash extends BaseREST implements org.gcube.gcat.api.interfaces.Tra
 	
 	@DELETE
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_EDITOR, Role.CATALOGUE_ADMIN, Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public Response empty(@QueryParam(GCatConstants.OWN_ONLY_QUERY_PARAMETER) @DefaultValue("true") Boolean ownOnly) throws WebServiceException {
 		Thread thread = new Thread(new Runnable() {
 		    @Override
@@ -46,10 +51,9 @@ public class Trash extends BaseREST implements org.gcube.gcat.api.interfaces.Tra
 	}
 	
 	@PURGE
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_EDITOR, Role.CATALOGUE_ADMIN, Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public Response emptyViaPurge(@QueryParam(GCatConstants.OWN_ONLY_QUERY_PARAMETER) @DefaultValue("true") Boolean ownOnly) throws WebServiceException {
 		return empty(ownOnly); 
 	}
 	
-}
-
-
+}
\ No newline at end of file
diff --git a/src/main/java/org/gcube/gcat/rest/User.java b/src/main/java/org/gcube/gcat/rest/User.java
index 0a8a27b..7af4948 100644
--- a/src/main/java/org/gcube/gcat/rest/User.java
+++ b/src/main/java/org/gcube/gcat/rest/User.java
@@ -3,6 +3,7 @@ package org.gcube.gcat.rest;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
 import javax.ws.rs.GET;
+import javax.ws.rs.NotAuthorizedException;
 import javax.ws.rs.POST;
 import javax.ws.rs.PUT;
 import javax.ws.rs.Path;
@@ -10,7 +11,9 @@ import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.Response;
 
+import org.gcube.common.authorization.control.annotations.AuthorizationControl;
 import org.gcube.gcat.api.GCatConstants;
+import org.gcube.gcat.api.roles.Role;
 import org.gcube.gcat.persistence.ckan.CKANUser;
 
 /**
@@ -27,6 +30,7 @@ public class User extends REST<CKANUser> implements org.gcube.gcat.api.interface
 	
 	@GET
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_ADMIN}, exception=NotAuthorizedException.class)
 	public String list() {
 		return super.list(-1, -1);
 	}
@@ -35,6 +39,7 @@ public class User extends REST<CKANUser> implements org.gcube.gcat.api.interface
 	@Consumes(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public Response create(String json) {
 		return super.create(json);
 	}
@@ -43,6 +48,7 @@ public class User extends REST<CKANUser> implements org.gcube.gcat.api.interface
 	@Path("/{" + USER_ID_PARAMETER + "}")
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_ADMIN}, exception=NotAuthorizedException.class)
 	public String read(@PathParam(USER_ID_PARAMETER) String username) {
 		return super.read(username);
 	}
@@ -52,12 +58,14 @@ public class User extends REST<CKANUser> implements org.gcube.gcat.api.interface
 	@Consumes(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Produces(GCatConstants.APPLICATION_JSON_CHARSET_UTF_8)
 	@Override
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public String update(@PathParam(USER_ID_PARAMETER) String username, String json) {
 		return super.update(username, json);
 	}
 	
 	@DELETE
 	@Path("/{" + USER_ID_PARAMETER + "}")
+	@AuthorizationControl(allowedRoles={Role.CATALOGUE_MANAGER}, exception=NotAuthorizedException.class)
 	public Response delete(@PathParam(USER_ID_PARAMETER) String username) {
 		return super.delete(username, false);
 	}