Commit 37db8bbc authored by Sascha Herzinger's avatar Sascha Herzinger

fixed OverlayController permissions

parent 90357f9f
......@@ -41,13 +41,13 @@ public class OverlayController extends BaseController {
@RequestParam(value = "publicOverlay", defaultValue = "false") boolean publicOverlay) {
return overlayRestImp.getOverlayList(projectId).stream()
.filter(overlay -> !publicOverlay || (Boolean) overlay.get("publicOverlay"))
.filter(overlay -> creator.isEmpty() || overlay.get("owner").equals(creator))
.filter(overlay -> creator.isEmpty() || overlay.get("owner") == null || overlay.get("owner").equals(creator))
.collect(Collectors.toList());
}
@PostAuthorize("hasAuthority('IS_ADMIN')" +
" or hasAuthority('IS_CURATOR') and hasAuthority('READ_PROJECT:' + #projectId)" +
" or hasAuthority('READ_PROJECT:' + #projectId) and returnObject['owner'] == authentication.name")
" or hasAuthority('READ_PROJECT:' + #projectId) and (returnObject['owner'] == authentication.name or returnObject['publicOverlay'])")
@GetMapping(value = "/{overlayId}/")
public Map<String, Object> getOverlayById(
@PathVariable(value = "projectId") String projectId,
......
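Review bot: The added `overlay.get("owner") == null` clause in the creator filter makes ownerless overlays match every `creator` value, and the list path still narrows results only by the caller-supplied `publicOverlay` and `creator` parameters, while `getOverlayById` now enforces owner-or-public in `@PostAuthorize`. The list method's own annotation lies above the hunk, so this is inferred, but if it only requires `READ_PROJECT`, a project reader can list other users' private overlays that the by-id endpoint refuses. Applying the same rule in the stream for callers who are neither admin nor curator would keep the two endpoints consistent, e.g. `.filter(o -> Boolean.TRUE.equals(o.get("publicOverlay")) || auth.getName().equals(o.get("owner")))`, where `auth` stands for the current `Authentication`. In the new SpEL, a bare `returnObject['publicOverlay']` is expected to fail boolean conversion when the key is missing or null, so `returnObject['publicOverlay'] == true` is the safer form. The test hunk only rewords an assertion message, so nothing visible covers a non-owner reading a public overlay or being refused a private one.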
......@@ -131,7 +131,7 @@ public class OverlayControllerIntegrationTest extends ControllerIntegrationTest
.andExpect(status().is2xxSuccessful())
.andReturn().getResponse().getContentAsString();
assertEquals("There are none public overlays created by user xxx", 1, new JsonParser()
assertEquals("There are no public overlays created by user xxx", 1, new JsonParser()
.parse(response)
.getAsJsonArray().size());
}
......