Commit 5f3ea1d6 authored by Piotr Gawron's avatar Piotr Gawron

You need the can_create_overlays privilege when adding a data overlay

parent c30ef233
Pipeline #13962 passed with stage
in 13 minutes and 13 seconds
...@@ -13,6 +13,8 @@ minerva (14.0.0~beta.2) unstable; urgency=low ...@@ -13,6 +13,8 @@ minerva (14.0.0~beta.2) unstable; urgency=low
* Bug fix: version of the project is limited to 20 characters (#951) * Bug fix: version of the project is limited to 20 characters (#951)
* Bug fix: link to comment on map from admin panel was broken (#941) * Bug fix: link to comment on map from admin panel was broken (#941)
* Bug fix: hide glyphs tab when necessary (#949) * Bug fix: hide glyphs tab when necessary (#949)
* Bug fix: user with write access but without can_create_privileges cannot
create data overlay (#939)
-- Piotr Gawron <piotr.gawron@uni.lu> Mon, 16 Sep 2019 21:00:00 +0200 -- Piotr Gawron <piotr.gawron@uni.lu> Mon, 16 Sep 2019 21:00:00 +0200
...@@ -37,7 +37,8 @@ public class OverlayController extends BaseController { ...@@ -37,7 +37,8 @@ public class OverlayController extends BaseController {
public List<Map<String, Object>> getOverlayList( public List<Map<String, Object>> getOverlayList(
@PathVariable(value = "projectId") String projectId, @PathVariable(value = "projectId") String projectId,
@RequestParam(value = "creator", defaultValue = "") String creator, @RequestParam(value = "creator", defaultValue = "") String creator,
@RequestParam(value = "publicOverlay", defaultValue = "false") boolean publicOverlay) throws lcsb.mapviewer.api.ObjectNotFoundException { @RequestParam(value = "publicOverlay", defaultValue = "false") boolean publicOverlay)
throws lcsb.mapviewer.api.ObjectNotFoundException {
return overlayRestImp.getOverlayList(projectId).stream() return overlayRestImp.getOverlayList(projectId).stream()
.filter(overlay -> !publicOverlay || (Boolean) overlay.get("publicOverlay")) .filter(overlay -> !publicOverlay || (Boolean) overlay.get("publicOverlay"))
.filter( .filter(
...@@ -99,7 +100,8 @@ public class OverlayController extends BaseController { ...@@ -99,7 +100,8 @@ public class OverlayController extends BaseController {
Integer.valueOf(reactionId), "ALIAS", columns); Integer.valueOf(reactionId), "ALIAS", columns);
} }
@PreAuthorize("hasAnyAuthority('IS_ADMIN', 'WRITE_PROJECT:' + #projectId)" + @PreAuthorize("hasAuthority('IS_ADMIN')" +
" or (hasAuthority('IS_CURATOR') and hasAuthority('WRITE_PROJECT:' + #projectId))" +
" or (hasAuthority('READ_PROJECT:' + #projectId) and hasAuthority('CAN_CREATE_OVERLAYS'))") " or (hasAuthority('READ_PROJECT:' + #projectId) and hasAuthority('CAN_CREATE_OVERLAYS'))")
@PostMapping(value = "/") @PostMapping(value = "/")
public Map<String, Object> addOverlay( public Map<String, Object> addOverlay(
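Review bot: The three-clause SpEL expression in the new `@PreAuthorize` on addOverlay encodes three distinct access paths (admin; curator holding WRITE_PROJECT; READ_PROJECT combined with CAN_CREATE_OVERLAYS) but carries no comment, so the intent that plain WRITE_PROJECT no longer suffices is only recoverable from the commit message. A one-line comment above the annotation, `// Adding an overlay: admins, curators with write access, or readers explicitly granted CAN_CREATE_OVERLAYS`, would make the policy reviewable in place. A user holding WRITE_PROJECT and CAN_CREATE_OVERLAYS but not READ_PROJECT is rejected by this expression unless write access implies read access in the privilege model, which is not visible here and is worth confirming. Other overlay-modifying endpoints in this controller lie outside the hunk and presumably still use the older `hasAnyAuthority('IS_ADMIN', 'WRITE_PROJECT:' + #projectId)` form; if so, either align them or document why creation is stricter than modification. The addOverlay signature and body continue past the end of the hunk.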
...@@ -1246,4 +1246,31 @@ public class OverlayControllerIntegrationTest extends ControllerIntegrationTest ...@@ -1246,4 +1246,31 @@ public class OverlayControllerIntegrationTest extends ControllerIntegrationTest
assertEquals(3, overlay4.getOrderIndex()); assertEquals(3, overlay4.getOrderIndex());
} }
@Test
public void testCreateOverlayWithoutCreateDataOverlayAccess() throws Exception {
User user = createUser(TEST_USER_LOGIN, TEST_USER_PASSWORD);
userService.grantUserPrivilege(user, PrivilegeType.WRITE_PROJECT, project.getProjectId());
UploadedFileEntry file = createFile("elementIdentifier\tvalue\n\t-1", user);
MockHttpSession session = createSession(TEST_USER_LOGIN, TEST_USER_PASSWORD);
String body = EntityUtils.toString(new UrlEncodedFormEntity(Arrays.asList(
new BasicNameValuePair("fileId", String.valueOf(file.getId())),
new BasicNameValuePair("name", "overlay name"),
new BasicNameValuePair("description", "overlay name"),
new BasicNameValuePair("filename", "overlay name"),
new BasicNameValuePair("googleLicenseConsent", "overlay name"),
new BasicNameValuePair("type", "GENERIC"))));
RequestBuilder request = post("/projects/"+TEST_PROJECT+"/overlays/")
.contentType(MediaType.APPLICATION_FORM_URLENCODED)
.content(body)
.session(session);
mockMvc.perform(request)
.andExpect(status().isForbidden());
}
} }
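Review bot: testCreateOverlayWithoutCreateDataOverlayAccess pins only the negative outcome of the new rule: it grants WRITE_PROJECT, omits CAN_CREATE_OVERLAYS, and expects 403, but nothing in this hunk shows the same request succeeding once the missing privilege (or IS_CURATOR alongside WRITE_PROJECT) is granted, so a rule that forbids everyone would pass as well. If those positive cases are not already covered elsewhere in this class, a sibling test that grants the CAN_CREATE_OVERLAYS privilege to the same user and asserts a success status would close that gap. The form values for description, filename and googleLicenseConsent are all the placeholder `"overlay name"`; since only the status is asserted this is harmless, but distinct values, or a comment such as `// body content is irrelevant: the request must be rejected by @PreAuthorize`, would stop a reader from taking it for a copy-paste mistake. The class body ends at the closing brace in this hunk.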