Commit d7f3fd33 authored by Piotr Gawron's avatar Piotr Gawron

privileges for fetching public overlay were invalid

parent 0c40a0b9
......@@ -58,7 +58,7 @@ public class OverlayController extends BaseController {
@PreAuthorize("hasAuthority('IS_ADMIN')" +
" or hasAuthority('IS_CURATOR') and hasAuthority('READ_PROJECT:' + #projectId)" +
" or hasAuthority('READ_PROJECT:' + #projectId) and "+
" or hasAuthority('READ_PROJECT:' + #projectId) and " +
" (@layoutService.getLayoutById(#overlayId)?.creator?.login == authentication.name or @layoutService.getLayoutById(#overlayId)?.publicLayout)")
@GetMapping(value = "/{overlayId}/models/{modelId}/bioEntities/")
public List<Map<String, Object>> getOverlayElements(
......@@ -70,7 +70,7 @@ public class OverlayController extends BaseController {
@PreAuthorize("hasAuthority('IS_ADMIN')" +
" or hasAuthority('IS_CURATOR') and hasAuthority('READ_PROJECT:' + #projectId)" +
" or hasAuthority('READ_PROJECT:' + #projectId) and "+
" or hasAuthority('READ_PROJECT:' + #projectId) and " +
" (@layoutService.getLayoutById(#overlayId)?.creator?.login == authentication.name or @layoutService.getLayoutById(#overlayId)?.publicLayout)")
@GetMapping(value = "/{overlayId}/models/{modelId}/bioEntities/reactions/{reactionId}/")
public Map<String, Object> getFullReaction(
......@@ -78,14 +78,15 @@ public class OverlayController extends BaseController {
@PathVariable(value = "modelId") String modelId,
@PathVariable(value = "overlayId") String overlayId,
@PathVariable(value = "reactionId") String reactionId,
@RequestParam(value = "columns", defaultValue = "") String columns) throws QueryException, NumberFormatException, ObjectNotFoundException {
@RequestParam(value = "columns", defaultValue = "") String columns)
throws QueryException, NumberFormatException, ObjectNotFoundException {
return overlayRestImp.getOverlayElement(projectId, Integer.valueOf(modelId), Integer.valueOf(overlayId),
Integer.valueOf(reactionId), "REACTION", columns);
}
@PreAuthorize("hasAuthority('IS_ADMIN')" +
" or hasAuthority('IS_CURATOR') and hasAuthority('READ_PROJECT:' + #projectId)" +
" or hasAuthority('READ_PROJECT:' + #projectId) and "+
" or hasAuthority('READ_PROJECT:' + #projectId) and " +
" (@layoutService.getLayoutById(#overlayId)?.creator?.login == authentication.name or @layoutService.getLayoutById(#overlayId)?.publicLayout)")
@GetMapping(value = "/{overlayId}/models/{modelId}/bioEntities/elements/{elementId}/")
public Map<String, Object> getFullSpecies(
......@@ -93,7 +94,8 @@ public class OverlayController extends BaseController {
@PathVariable(value = "modelId") String modelId,
@PathVariable(value = "overlayId") String overlayId,
@PathVariable(value = "elementId") String reactionId,
@RequestParam(value = "columns", defaultValue = "") String columns) throws QueryException, NumberFormatException, ObjectNotFoundException {
@RequestParam(value = "columns", defaultValue = "") String columns)
throws QueryException, NumberFormatException, ObjectNotFoundException {
return overlayRestImp.getOverlayElement(projectId, Integer.valueOf(modelId), Integer.valueOf(overlayId),
Integer.valueOf(reactionId), "ALIAS", columns);
}
......@@ -128,8 +130,7 @@ public class OverlayController extends BaseController {
}
@PreAuthorize("hasAuthority('IS_ADMIN')" +
" or hasAuthority('IS_CURATOR') and hasAuthority('WRITE_PROJECT:' + @layoutService.getLayoutById(#overlayId)?.project?.projectId)"
+
" or hasAuthority('IS_CURATOR') and hasAuthority('WRITE_PROJECT:' + #projectId)" +
" or hasAuthority('READ_PROJECT:' + @layoutService.getLayoutById(#overlayId)?.project?.projectId) and @layoutService.getLayoutById(#overlayId)?.creator?.login == authentication.name")
@PatchMapping(value = "/{overlayId}")
public Map<String, Object> updateOverlay(
......@@ -143,7 +144,8 @@ public class OverlayController extends BaseController {
@PreAuthorize("hasAuthority('IS_ADMIN')" +
" or hasAuthority('IS_CURATOR') and hasAuthority('READ_PROJECT:' + #projectId)" +
" or hasAuthority('READ_PROJECT:' + #projectId) and @layoutService.getLayoutById(#overlayId)?.creator?.login == authentication.name")
" or hasAuthority('READ_PROJECT:' + #projectId) and " +
" (@layoutService.getLayoutById(#overlayId)?.creator?.login == authentication.name or @layoutService.getLayoutById(#overlayId)?.publicLayout)")
@GetMapping(value = "/{overlayId}:downloadSource")
public ResponseEntity<byte[]> getOverlaySource(
@PathVariable(value = "projectId") String projectId,
......
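Review bot: In the `updateOverlay` annotation the curator branch now authorizes on `hasAuthority('WRITE_PROJECT:' + #projectId)`, so the write privilege is checked against the project named in the URL and not against the project the overlay actually belongs to. Unless the handler body, which lies outside the hunk, rejects an `overlayId` from a different project, that leaves an object-level authorization gap; the same binding is missing from the read expressions, including the `publicLayout` branch added for `getOverlaySource`. I would add the ownership condition to each expression, for example `and @layoutService.getLayoutById(#overlayId)?.project?.projectId == #projectId`. Separately, `?.publicLayout` evaluates to null when the overlay does not exist, and SpEL's `or` probably cannot convert null to a boolean, so a missing overlay may surface as a server error instead of 403 or 404; writing the operand as `@layoutService.getLayoutById(#overlayId)?.publicLayout == true` would avoid that.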
......@@ -989,4 +989,23 @@ public class OverlayControllerIntegrationTest extends ControllerIntegrationTest
.andExpect(status().isNotFound());
}
@Test
public void testUserCanDownloadSourceOfPublicOverlay() throws Exception {
createUser(TEST_USER_LOGIN, TEST_USER_PASSWORD, project);
Layout overlay = createOverlay(null);
overlay.setPublicLayout(true);
layoutDao.update(overlay);
MockHttpSession session = createSession(TEST_USER_LOGIN, TEST_USER_PASSWORD);
RequestBuilder request = get(
"/projects/" + TEST_PROJECT + "/overlays/" + overlay.getId() + ":downloadSource/")
.contentType(MediaType.APPLICATION_FORM_URLENCODED)
.session(session);
mockMvc.perform(request)
.andExpect(status().is2xxSuccessful());
}
}
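Review bot: `testUserCanDownloadSourceOfPublicOverlay` pins only the allowed path, so nothing in this hunk would fail if the new `publicLayout` branch granted more access than intended. I would add a companion test that keeps the overlay non-public, has it created by a different user, and expects `status().isForbidden()`, plus one that requests a public overlay through a project it does not belong to. If the class already covers these cases outside the hunk, a short comment naming those tests would be enough. The request path ends in `:downloadSource/` while the mapping appears to be `/{overlayId}:downloadSource`, so the test also seems to depend on trailing-slash matching being enabled.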