diff --git a/CHANGELOG b/CHANGELOG
index 1d8446744a4e53ee3c341574b278ed3e94b5bec7..7104282e37885b8422f0ca88c8fb67aed61e5635 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -15,6 +15,8 @@ minerva (14.0.0~beta.2) unstable; urgency=low
   * Bug fix: version of the project is limited to 20 characters (#951)
   * Bug fix: link to comment on map from admin panel was broken (#941)
   * Bug fix: hide glyphs tab when necessary (#949)
+  * Bug fix: user with write access but without can_create_privileges cannot
+    create data overlay (#939)
 
  -- Piotr Gawron <piotr.gawron@uni.lu> Mon, 16 Sep 2019 21:00:00 +0200
 
diff --git a/rest-api/src/main/java/lcsb/mapviewer/api/projects/overlays/OverlayController.java b/rest-api/src/main/java/lcsb/mapviewer/api/projects/overlays/OverlayController.java
index a39ed1b5687428b41c12a8cc8c801d523c5dffb6..7cfd280fc1d4f4f8f510f2ee985f8fad9a6b1c0d 100644
--- a/rest-api/src/main/java/lcsb/mapviewer/api/projects/overlays/OverlayController.java
+++ b/rest-api/src/main/java/lcsb/mapviewer/api/projects/overlays/OverlayController.java
@@ -37,7 +37,8 @@ public class OverlayController extends BaseController {
   public List<Map<String, Object>> getOverlayList(
       @PathVariable(value = "projectId") String projectId,
       @RequestParam(value = "creator", defaultValue = "") String creator,
-      @RequestParam(value = "publicOverlay", defaultValue = "false") boolean publicOverlay) throws lcsb.mapviewer.api.ObjectNotFoundException {
+      @RequestParam(value = "publicOverlay", defaultValue = "false") boolean publicOverlay)
+      throws lcsb.mapviewer.api.ObjectNotFoundException {
     return overlayRestImp.getOverlayList(projectId).stream()
         .filter(overlay -> !publicOverlay || (Boolean) overlay.get("publicOverlay"))
         .filter(
@@ -99,7 +100,8 @@ public class OverlayController extends BaseController {
         Integer.valueOf(reactionId), "ALIAS", columns);
   }
 
-  @PreAuthorize("hasAnyAuthority('IS_ADMIN', 'WRITE_PROJECT:' + #projectId)" +
+  @PreAuthorize("hasAuthority('IS_ADMIN')" +
+      " or (hasAuthority('IS_CURATOR') and hasAuthority('WRITE_PROJECT:' + #projectId))" +
       " or (hasAuthority('READ_PROJECT:' + #projectId) and hasAuthority('CAN_CREATE_OVERLAYS'))")
   @PostMapping(value = "/")
   public Map<String, Object> addOverlay(
diff --git a/web/src/test/java/lcsb/mapviewer/web/OverlayControllerIntegrationTest.java b/web/src/test/java/lcsb/mapviewer/web/OverlayControllerIntegrationTest.java
index 67b26e67e10ca3c106a840394bbe09ca7370cb36..11839fc471841ce28451344588980e80c4a9c623 100644
--- a/web/src/test/java/lcsb/mapviewer/web/OverlayControllerIntegrationTest.java
+++ b/web/src/test/java/lcsb/mapviewer/web/OverlayControllerIntegrationTest.java
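Review bot: The rewritten `@PreAuthorize` on `addOverlay` now admits three principals — IS_ADMIN, IS_CURATOR together with WRITE_PROJECT, or READ_PROJECT together with CAN_CREATE_OVERLAYS — but the only test this commit adds is the negative one for WRITE_PROJECT alone, so the new curator branch has no visible positive coverage (unless it exists elsewhere in the suite). Authority names inside SpEL are plain strings resolved at runtime, so a typo in `'IS_CURATOR'` or `'WRITE_PROJECT:'` would silently lock curators out without any compile error or failing test; a companion test that grants IS_CURATOR plus WRITE_PROJECT and expects a 2xx would pin that path, and likewise one for READ_PROJECT plus CAN_CREATE_OVERLAYS. Because the rule is now a three-way disjunction spread across string concatenation, it is worth stating in prose above the annotation, e.g. `/** Creating an overlay requires admin, or curator with write access to the project, or read access plus CAN_CREATE_OVERLAYS (#939). */`. The parameter list and body of addOverlay continue outside the hunk.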
@@ -1246,4 +1246,31 @@ public class OverlayControllerIntegrationTest extends ControllerIntegrationTest
     assertEquals(3, overlay4.getOrderIndex());
   }
 
+  @Test
+  public void testCreateOverlayWithoutCreateDataOverlayAccess() throws Exception {
+    User user = createUser(TEST_USER_LOGIN, TEST_USER_PASSWORD);
+    userService.grantUserPrivilege(user, PrivilegeType.WRITE_PROJECT, project.getProjectId());
+
+    UploadedFileEntry file = createFile("elementIdentifier\tvalue\n\t-1", user);
+
+    MockHttpSession session = createSession(TEST_USER_LOGIN, TEST_USER_PASSWORD);
+
+    String body = EntityUtils.toString(new UrlEncodedFormEntity(Arrays.asList(
+        new BasicNameValuePair("fileId", String.valueOf(file.getId())),
+        new BasicNameValuePair("name", "overlay name"),
+        new BasicNameValuePair("description", "overlay name"),
+        new BasicNameValuePair("filename", "overlay name"),
+        new BasicNameValuePair("googleLicenseConsent", "overlay name"),
+        new BasicNameValuePair("type", "GENERIC"))));
+
+    RequestBuilder request = post("/projects/"+TEST_PROJECT+"/overlays/")
+        .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+        .content(body)
+        .session(session);
+
+    mockMvc.perform(request)
+        .andExpect(status().isForbidden());
+  }
+
+
 }
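Review bot: The new negative test asserts only that the POST returns 403; it never checks that no overlay was persisted for the project, so the property #939 actually guards (a WRITE_PROJECT-only user must not create an overlay) is inferred from the status code rather than verified. Capturing the project's overlay count before `mockMvc.perform(request)` and asserting it is unchanged afterwards, using whatever accessor the test base class already exposes, would make the test fail if a future change wrote the overlay before the security check fired. Separately, `description`, `filename` and `googleLicenseConsent` all carry the copy-pasted value `"overlay name"`; if `addOverlay` (its parameter list is outside this diff) binds `googleLicenseConsent` as a boolean, the request would be rejected at binding rather than at authorization, so each field should get a value of the type the endpoint expects. Minor style: `post("/projects/" + TEST_PROJECT + "/overlays/")` with spaces around the operators, and the two blank lines before the closing brace can be reduced to one.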