Commit f4ad25ea authored by Piotr Gawron's avatar Piotr Gawron

filtering for admin parameters didn't work properly

parent 9b97b6b3
Pipeline #11857 failed with stage
in 11 minutes and 59 seconds
package lcsb.mapviewer.api.configuration;
import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.*;
import java.util.stream.Collectors;
import javax.servlet.ServletContext;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.web.bind.annotation.*;
import lcsb.mapviewer.api.BaseController;
import lcsb.mapviewer.api.QueryException;
import lcsb.mapviewer.model.security.PrivilegeType;
import lcsb.mapviewer.services.interfaces.IConfigurationService;
@RestController
@RequestMapping(value = "/configuration", produces = MediaType.APPLICATION_JSON_VALUE)
public class ConfigurationController extends BaseController {
Logger logger = LogManager.getLogger();
private ConfigurationRestImpl configurationController;
private IConfigurationService configurationService;
private ServletContext context;
@Autowired
public ConfigurationController(ConfigurationRestImpl configurationController,
IConfigurationService configurationService,
ServletContext context) {
IConfigurationService configurationService,
ServletContext context) {
this.configurationController = configurationController;
this.configurationService = configurationService;
this.context = context;
......@@ -61,9 +64,10 @@ public class ConfigurationController extends BaseController {
@GetMapping(value = "/options/")
public List<Map<String, Object>> getOptions(Authentication authentication) {
boolean isAdmin = authentication.getAuthorities().contains((GrantedAuthority) () -> "IS_ADMIN");
boolean isAdmin = authentication.getAuthorities()
.contains(new SimpleGrantedAuthority(PrivilegeType.IS_ADMIN.toString()));
return configurationController.getAllValues().stream()
.filter(option -> !(Boolean) option.get("isServerSide") || isAdmin)
.filter(option -> !((Boolean) option.get("isServerSide")) || isAdmin)
.collect(Collectors.toList());
}
......
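Review bot: The new admin check in getOptions still relies on object equality between authorities. `SimpleGrantedAuthority.equals` matches only other `SimpleGrantedAuthority` instances, so if the authentication provider supplies a different `GrantedAuthority` implementation, `contains(...)` returns false again, which is the failure this commit is fixing. Comparing the authority string does not depend on the implementation class: `boolean isAdmin = authentication.getAuthorities().stream().anyMatch(a -> PrivilegeType.IS_ADMIN.toString().equals(a.getAuthority()));`. The filter also unboxes `(Boolean) option.get("isServerSide")`, which throws when the key is absent or null; `option -> isAdmin || Boolean.FALSE.equals(option.get("isServerSide"))` keeps unflagged options hidden from non-admins instead. Whether `authentication` can be null for anonymous requests depends on security configuration not shown here, so confirm that before it is dereferenced.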
package lcsb.mapviewer.web;
import static org.junit.Assert.*;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
import java.util.HashMap;
import java.util.Map;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
......@@ -17,7 +20,7 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.RequestBuilder;
import org.springframework.transaction.annotation.Transactional;
import com.google.gson.Gson;
import com.google.gson.*;
import lcsb.mapviewer.model.security.PrivilegeType;
import lcsb.mapviewer.model.user.ConfigurationElementType;
......@@ -28,16 +31,21 @@ import lcsb.mapviewer.services.interfaces.IUserService;
@Transactional
@Rollback
public class ConfigurationControllerIntegrationTest extends ControllerIntegrationTest {
Logger logger = LogManager.getLogger();
private static final String TEST_USER_PASSWORD = "test_pass";
private static final String TEST_USER_LOGIN = "test_user";
private static final String TEST_ADMIN_PASSWORD = "test_admin_pass";
private static final String TEST_ADMIN_LOGIN = "test_admin";
@Autowired
private IUserService userService;
private User user;
@Before
public void setup() {
user = createUser(TEST_USER_LOGIN, TEST_USER_PASSWORD);
......@@ -71,6 +79,43 @@ public class ConfigurationControllerIntegrationTest extends ControllerIntegratio
.andExpect(status().is2xxSuccessful());
}
@Test
public void accessConfigurationOptionsAsAnonymous() throws Exception {
RequestBuilder request = get("/configuration/options/");
String response = mockMvc.perform(request)
.andExpect(status().is2xxSuccessful()).andReturn().getResponse().getContentAsString();
JsonArray options = new JsonParser()
.parse(response)
.getAsJsonArray();
for (JsonElement jsonElement : options) {
assertFalse(jsonElement.getAsJsonObject().get("isServerSide").getAsBoolean());
}
}
@Test
public void accessConfigurationOptionsAsAdmin() throws Exception {
createAdmin(TEST_ADMIN_LOGIN, TEST_ADMIN_PASSWORD);
MockHttpSession session = createSession(TEST_ADMIN_LOGIN, TEST_ADMIN_PASSWORD);
RequestBuilder request = get("/configuration/options/").session(session);
String response = mockMvc.perform(request)
.andExpect(status().is2xxSuccessful()).andReturn().getResponse().getContentAsString();
JsonArray options = new JsonParser()
.parse(response)
.getAsJsonArray();
boolean includeServerSide = false;
for (JsonElement jsonElement : options) {
includeServerSide |= jsonElement.getAsJsonObject().get("isServerSide").getAsBoolean();
}
assertTrue(includeServerSide);
}
@Test
public void testSetSmtpPortWithoutAdminPrivileges() throws Exception {
MockHttpSession session = createSession(TEST_USER_LOGIN, TEST_USER_PASSWORD);
......
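Review bot: The added tests cover anonymous and admin callers but not a logged-in user without IS_ADMIN, which is the boundary the filter has to enforce for authenticated sessions. A third test using `createSession(TEST_USER_LOGIN, TEST_USER_PASSWORD)` with the same `assertFalse` loop would pin it. accessConfigurationOptionsAsAnonymous also passes when the returned array is empty, so `assertTrue(options.size() > 0);` before the loop would stop it passing vacuously. The test class continues beyond the lines shown, so such a case may already exist outside this view.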