Commit 5f3ea1d6 authored by Piotr Gawron's avatar Piotr Gawron

you need can_create_overlays privilege when adding data overlay

parent c30ef233
......@@ -13,6 +13,8 @@ minerva (14.0.0~beta.2) unstable; urgency=low
* Bug fix: version of the project is limited to 20 characters (#951)
* Bug fix: link to comment on map from admin panel was broken (#941)
* Bug fix: hide glyphs tab when necessary (#949)
* Bug fix: user with write access but without can_create_privileges cannot
create data overlay (#939)
-- Piotr Gawron <piotr.gawron@uni.lu> Mon, 16 Sep 2019 21:00:00 +0200
......
......@@ -37,7 +37,8 @@ public class OverlayController extends BaseController {
public List<Map<String, Object>> getOverlayList(
@PathVariable(value = "projectId") String projectId,
@RequestParam(value = "creator", defaultValue = "") String creator,
@RequestParam(value = "publicOverlay", defaultValue = "false") boolean publicOverlay) throws lcsb.mapviewer.api.ObjectNotFoundException {
@RequestParam(value = "publicOverlay", defaultValue = "false") boolean publicOverlay)
throws lcsb.mapviewer.api.ObjectNotFoundException {
return overlayRestImp.getOverlayList(projectId).stream()
.filter(overlay -> !publicOverlay || (Boolean) overlay.get("publicOverlay"))
.filter(
......@@ -99,7 +100,8 @@ public class OverlayController extends BaseController {
Integer.valueOf(reactionId), "ALIAS", columns);
}
@PreAuthorize("hasAnyAuthority('IS_ADMIN', 'WRITE_PROJECT:' + #projectId)" +
@PreAuthorize("hasAuthority('IS_ADMIN')" +
" or (hasAuthority('IS_CURATOR') and hasAuthority('WRITE_PROJECT:' + #projectId))" +
" or (hasAuthority('READ_PROJECT:' + #projectId) and hasAuthority('CAN_CREATE_OVERLAYS'))")
@PostMapping(value = "/")
public Map<String, Object> addOverlay(
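Review bot: The rewritten @PreAuthorize rule on addOverlay no longer admits a user who holds WRITE_PROJECT and CAN_CREATE_OVERLAYS but is neither a curator nor explicitly granted READ_PROJECT; whether WRITE_PROJECT implies READ_PROJECT is not visible here, and if it does not, the third clause should probably read `" or (hasAnyAuthority('READ_PROJECT:' + #projectId, 'WRITE_PROJECT:' + #projectId) and hasAuthority('CAN_CREATE_OVERLAYS'))"`. A three-clause authorization rule deserves a Javadoc line on the method stating the intended matrix, e.g. `/** Creating an overlay requires admin, or curator with write access, or read access plus CAN_CREATE_OVERLAYS. */`. The added test exercises only the denial path for a WRITE_PROJECT-only user; a positive case for READ_PROJECT plus CAN_CREATE_OVERLAYS would pin the grant and catch a misspelled authority string, which SpEL only evaluates at runtime. The changelog entry in this commit calls the privilege can_create_privileges while the code checks CAN_CREATE_OVERLAYS. addOverlay's body continues outside the hunk.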
......
......@@ -1246,4 +1246,31 @@ public class OverlayControllerIntegrationTest extends ControllerIntegrationTest
assertEquals(3, overlay4.getOrderIndex());
}
@Test
public void testCreateOverlayWithoutCreateDataOverlayAccess() throws Exception {
User user = createUser(TEST_USER_LOGIN, TEST_USER_PASSWORD);
userService.grantUserPrivilege(user, PrivilegeType.WRITE_PROJECT, project.getProjectId());
UploadedFileEntry file = createFile("elementIdentifier\tvalue\n\t-1", user);
MockHttpSession session = createSession(TEST_USER_LOGIN, TEST_USER_PASSWORD);
String body = EntityUtils.toString(new UrlEncodedFormEntity(Arrays.asList(
new BasicNameValuePair("fileId", String.valueOf(file.getId())),
new BasicNameValuePair("name", "overlay name"),
new BasicNameValuePair("description", "overlay name"),
new BasicNameValuePair("filename", "overlay name"),
new BasicNameValuePair("googleLicenseConsent", "overlay name"),
new BasicNameValuePair("type", "GENERIC"))));
RequestBuilder request = post("/projects/"+TEST_PROJECT+"/overlays/")
.contentType(MediaType.APPLICATION_FORM_URLENCODED)
.content(body)
.session(session);
mockMvc.perform(request)
.andExpect(status().isForbidden());
}
}
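Review bot: The test grants WRITE_PROJECT on `project.getProjectId()` but posts to `"/projects/"+TEST_PROJECT+"/overlays/"`; if those two identifiers differ, the 403 would come from the user holding no privilege on the requested project at all rather than from the missing CAN_CREATE_OVERLAYS, and the test would pass for the wrong reason. Using one identifier for both, e.g. `RequestBuilder request = post("/projects/" + project.getProjectId() + "/overlays/")`, ties the assertion to the rule under test. A companion test that additionally grants the CAN_CREATE_OVERLAYS privilege together with read access and expects a non-403 status would show the new rule still admits the intended users. testCreateOverlayWithoutCreateDataOverlayAccess is complete within the hunk.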