you need can_create_overlays privilege when adding data overlay

CHANGELOG

@@ -13,6 +13,8 @@ minerva (14.0.0~beta.2) unstable; urgency=low
   * Bug fix: version of the project is limited to 20 characters (#951)
   * Bug fix: link to comment on map from admin panel was broken (#941)
   * Bug fix: hide glyphs tab when necessary (#949)
+  * Bug fix: user with write access but without can_create_privileges cannot
+    create data overlay (#939)
 
  -- Piotr Gawron <piotr.gawron@uni.lu>  Mon, 16 Sep 2019 21:00:00 +0200
 

rest-api/src/main/java/lcsb/mapviewer/api/projects/overlays/OverlayController.java

@@ -37,7 +37,8 @@ public class OverlayController extends BaseController {
   public List<Map<String, Object>> getOverlayList(
       @PathVariable(value = "projectId") String projectId,
       @RequestParam(value = "creator", defaultValue = "") String creator,
-      @RequestParam(value = "publicOverlay", defaultValue = "false") boolean publicOverlay) throws lcsb.mapviewer.api.ObjectNotFoundException {
+      @RequestParam(value = "publicOverlay", defaultValue = "false") boolean publicOverlay)
+      throws lcsb.mapviewer.api.ObjectNotFoundException {
     return overlayRestImp.getOverlayList(projectId).stream()
         .filter(overlay -> !publicOverlay || (Boolean) overlay.get("publicOverlay"))
         .filter(
@@ -99,7 +100,8 @@ public class OverlayController extends BaseController {
         Integer.valueOf(reactionId), "ALIAS", columns);
   }
 
-  @PreAuthorize("hasAnyAuthority('IS_ADMIN', 'WRITE_PROJECT:' + #projectId)" +
+  @PreAuthorize("hasAuthority('IS_ADMIN')" +
+      " or (hasAuthority('IS_CURATOR') and hasAuthority('WRITE_PROJECT:' + #projectId))" +
       " or (hasAuthority('READ_PROJECT:' + #projectId) and hasAuthority('CAN_CREATE_OVERLAYS'))")
   @PostMapping(value = "/")
   public Map<String, Object> addOverlay(

web/src/test/java/lcsb/mapviewer/web/OverlayControllerIntegrationTest.java

@@ -1246,4 +1246,31 @@ public class OverlayControllerIntegrationTest extends ControllerIntegrationTest
     assertEquals(3, overlay4.getOrderIndex());
   }
 
+  @Test
+  public void testCreateOverlayWithoutCreateDataOverlayAccess() throws Exception {
+    User user = createUser(TEST_USER_LOGIN, TEST_USER_PASSWORD);
+    userService.grantUserPrivilege(user, PrivilegeType.WRITE_PROJECT, project.getProjectId());
+
+    UploadedFileEntry file = createFile("elementIdentifier\tvalue\n\t-1", user);
+
+    MockHttpSession session = createSession(TEST_USER_LOGIN, TEST_USER_PASSWORD);
+
+    String body = EntityUtils.toString(new UrlEncodedFormEntity(Arrays.asList(
+        new BasicNameValuePair("fileId", String.valueOf(file.getId())),
+        new BasicNameValuePair("name", "overlay name"),
+        new BasicNameValuePair("description", "overlay name"),
+        new BasicNameValuePair("filename", "overlay name"),
+        new BasicNameValuePair("googleLicenseConsent", "overlay name"),
+        new BasicNameValuePair("type", "GENERIC"))));
+
+    RequestBuilder request = post("/projects/"+TEST_PROJECT+"/overlays/")
+        .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+        .content(body)
+        .session(session);
+
+    mockMvc.perform(request)
+        .andExpect(status().isForbidden());
+  }
+
+
 }