Commit 0a4fb7c6 authored by Piotr Gawron's avatar Piotr Gawron

Merge branch '893-minervanet-error-report-97' into 'master'

Resolve "MINERVANET - Error Report 97"

Closes #893

See merge request !889
parents 44f5bce3 f931eb8a
minerva (14.0.0~beta.0) unstable; urgency=low
* Bug fix: fetching list of miRnas resulted sometimes in "Internal Server
Error" (#889)
* Bug fix: user without admin right can accept terms of service (#893)
-- Piotr Gawron <piotr.gawron@uni.lu> Mon, 21 Aug 2019 21:00:00 +0200
......
......@@ -81,14 +81,15 @@ public class UserController extends BaseController {
.collect(Collectors.toList());
}
@PreAuthorize("hasAuthority('IS_ADMIN')")
@PreAuthorize("hasAuthority('IS_ADMIN') or #login == authentication.name")
@PatchMapping(value = "/{login:.+}")
public Map<String, Object> updateUser(
@RequestBody String body,
@PathVariable(value = "login") String login) throws QueryException, IOException {
@PathVariable(value = "login") String login,
Authentication authentication) throws QueryException, IOException {
Map<String, Object> node = parseBody(body);
Map<String, Object> data = getData(node, "user");
return userRest.updateUser(login, data);
return userRest.updateUser(login, data, authentication.getAuthorities());
}
@PreAuthorize("hasAuthority('IS_ADMIN')")
......
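Review bot: The widened `@PreAuthorize` at the top of the hunk turns `updateUser` into a self-service endpoint, yet the method has no Javadoc stating who may change which fields; the only place that knowledge lives is the service layer's `connectedtoldap` check. Add above the mapping: `/** Updates the user identified by {@code login}. Admins may update any account; other callers may update only their own, and admin-only fields (e.g. connectedToLdap) are rejected with 403 for them. */`. Note that `#login == authentication.name` is an exact string comparison, so if logins are treated case-insensitively elsewhere in the system a differently-cased path segment is denied rather than matched — confirm that this is the intended behaviour.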
......@@ -5,6 +5,9 @@ import java.util.*;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
......@@ -627,8 +630,11 @@ public class UserRestImpl extends BaseRestImpl {
}
public Map<String, Object> updateUser(String login, Map<String, Object> userData)
public Map<String, Object> updateUser(String login, Map<String, Object> userData,
Collection<? extends GrantedAuthority> authorities)
throws QueryException {
boolean isAdmin = authorities.contains(new SimpleGrantedAuthority(PrivilegeType.IS_ADMIN.toString()));
if (userData == null) {
throw new QueryException("user field cannot be undefined");
}
......@@ -651,7 +657,11 @@ public class UserRestImpl extends BaseRestImpl {
} else if (key.equalsIgnoreCase("termsofuseconsent")) {
user.setTermsOfUseConsent((Boolean) value);
} else if (key.equalsIgnoreCase("connectedtoldap")) {
user.setConnectedToLdap((Boolean) value);
if (isAdmin) {
user.setConnectedToLdap((Boolean) value);
} else {
throw new AccessDeniedException("connectedtoldap can be updated by admin");
}
} else if (key.equalsIgnoreCase("password")) {
if (stringValue != null && !stringValue.trim().isEmpty()) {
user.setCryptedPassword(passwordEncoder.encode(stringValue));
......
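Review bot: The admin gate in the last hunk is a deny-list of a single key: now that self-update is reachable by any authenticated user, every other key dispatched in this `for` loop (which starts and ends outside the hunk) becomes writable by the account owner unless it is gated elsewhere, so any privilege- or login-like key handled there, if present, needs the same treatment. An allow-list is the safer shape — a `private static final Set<String>` of lower-cased self-editable keys (password, termsofuseconsent, ...) checked once before the dispatch with `if (!isAdmin && !SELF_EDITABLE_KEYS.contains(key.toLowerCase(Locale.ROOT))) throw new AccessDeniedException(key + " can only be updated by an admin");`. Separately, `authorities.contains(new SimpleGrantedAuthority(...))` only matches when the stored authority objects are themselves `SimpleGrantedAuthority` instances (its `equals` checks the concrete type); comparing `getAuthority()` strings, e.g. `authorities.stream().anyMatch(a -> PrivilegeType.IS_ADMIN.toString().equals(a.getAuthority()))`, is implementation-independent. The message `"connectedtoldap can be updated by admin"` reads better as `"connectedtoldap can only be updated by an admin"`.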
package lcsb.mapviewer.web;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import java.awt.geom.Point2D;
import java.util.Arrays;
......@@ -100,6 +101,7 @@ abstract public class ControllerIntegrationTest {
.param("login", login)
.param("password", password);
return (MockHttpSession) mockMvc.perform(request)
.andExpect(status().is2xxSuccessful())
.andReturn()
.getRequest()
.getSession();
......
......@@ -217,9 +217,9 @@ public class UserControllerIntegrationTest extends ControllerIntegrationTest {
.andExpect(status().is2xxSuccessful())
.andReturn().getResponse().getContentAsString();
Map responseObject = new Gson().fromJson(response, Map.class);
Map<?, ?> responseObject = new Gson().fromJson(response, Map.class);
List privileges = (List) responseObject.get("privileges");
List<?> privileges = (List<?>) responseObject.get("privileges");
assertEquals(0, privileges.size());
}
......@@ -267,7 +267,6 @@ public class UserControllerIntegrationTest extends ControllerIntegrationTest {
for (int i = 0; i < result.size(); i++) {
assertNotNull(result.get(i).getAsJsonObject().get("ldapAccountAvailable"));
assertNotNull(result.get(i).getAsJsonObject().get("connectedToLdap"));
logger.debug(result.get(i));
}
}
......@@ -403,4 +402,38 @@ public class UserControllerIntegrationTest extends ControllerIntegrationTest {
.andExpect(status().isBadRequest());
}
@Test
public void userUpdateOwnPassword() throws Exception {
MockHttpSession session = createSession(TEST_USER_LOGIN, TEST_USER_PASSWORD);
String newPassword = "new pass";
String body = "{\"user\":{\"password\":\"" + newPassword + "\"}}";
RequestBuilder grantRequest = patch("/users/" + TEST_USER_LOGIN)
.contentType(MediaType.APPLICATION_FORM_URLENCODED)
.content(body)
.session(session);
mockMvc.perform(grantRequest)
.andExpect(status().is2xxSuccessful());
MockHttpSession sessionWithNewPass = createSession(TEST_USER_LOGIN, newPassword);
assertNotNull(sessionWithNewPass);
}
@Test
public void userCannotUpdateOwnLdapConnection() throws Exception {
MockHttpSession session = createSession(TEST_USER_LOGIN, TEST_USER_PASSWORD);
String body = "{\"user\":{\"connectedtoldap\":false}}";
RequestBuilder grantRequest = patch("/users/" + TEST_USER_LOGIN)
.contentType(MediaType.APPLICATION_FORM_URLENCODED)
.content(body)
.session(session);
mockMvc.perform(grantRequest)
.andExpect(status().isForbidden());
}
}
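Review bot: The two new tests cover the self-update happy path and the admin-only field, but nothing verifies the other half of the new `@PreAuthorize` rule — that a non-admin patching a login other than their own gets 403; without it a regression to `permitAll`-style access on `/users/{login}` would pass this suite. A test issuing the same patch against a different existing login with the `TEST_USER_LOGIN` session and expecting `status().isForbidden()` closes that gap (sketch below, with the other login left as a placeholder). Also, `userUpdateOwnPassword` persistently changes `TEST_USER_LOGIN`'s password; if this class is not rolled back per test, later tests that call `createSession(TEST_USER_LOGIN, TEST_USER_PASSWORD)` would fail on the `is2xxSuccessful()` check added to `createSession` — confirm the test transaction boundaries.
```java
  @Test
  public void userCannotUpdateOtherUser() throws Exception {
    MockHttpSession session = createSession(TEST_USER_LOGIN, TEST_USER_PASSWORD);
    String body = "{\"user\":{\"password\":\"new pass\"}}";
    // OTHER_LOGIN is a placeholder: an existing login different from TEST_USER_LOGIN
    RequestBuilder request = patch("/users/" + OTHER_LOGIN)
        .contentType(MediaType.APPLICATION_FORM_URLENCODED)
        .content(body)
        .session(session);
    mockMvc.perform(request)
        .andExpect(status().isForbidden());
  }
```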