Commit f7631ba8 authored by Piotr Gawron's avatar Piotr Gawron

user is able to update his own terms of use consent

parent d4f98f30
......@@ -85,10 +85,11 @@ public class UserController extends BaseController {
@PatchMapping(value = "/{login:.+}")
public Map<String, Object> updateUser(
@RequestBody String body,
@PathVariable(value = "login") String login) throws QueryException, IOException {
@PathVariable(value = "login") String login,
Authentication authentication) throws QueryException, IOException {
Map<String, Object> node = parseBody(body);
Map<String, Object> data = getData(node, "user");
return userRest.updateUser(login, data);
return userRest.updateUser(login, data, authentication.getAuthorities());
}
@PreAuthorize("hasAuthority('IS_ADMIN')")
......
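Review bot: `authentication.getAuthorities()` in the new return statement dereferences the injected `Authentication` without a null check, so if this PATCH endpoint can be reached without an authenticated principal the request fails with a NullPointerException (a 500) instead of a clean 401/403. The new code also passes only the authorities down to `userRest.updateUser`, not the principal's name, so the rule that a non-admin may only patch the `login` that matches their own account cannot be enforced inside `updateUser`; the method's annotations begin above this hunk, so it is presumably a `@PreAuthorize` there — worth confirming, since the commit title relies on it. A minimal guard would be `if (authentication == null) { throw new AccessDeniedException("authentication required"); }` before `parseBody(body)`, or a short Javadoc line on the method stating that the caller is expected to be authenticated and that ownership is checked by the method-level security expression.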
......@@ -5,6 +5,9 @@ import java.util.*;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
......@@ -627,8 +630,11 @@ public class UserRestImpl extends BaseRestImpl {
}
public Map<String, Object> updateUser(String login, Map<String, Object> userData)
public Map<String, Object> updateUser(String login, Map<String, Object> userData,
Collection<? extends GrantedAuthority> authorities)
throws QueryException {
boolean isAdmin = authorities.contains(new SimpleGrantedAuthority(PrivilegeType.IS_ADMIN.toString()));
if (userData == null) {
throw new QueryException("user field cannot be undefined");
}
......@@ -651,7 +657,11 @@ public class UserRestImpl extends BaseRestImpl {
} else if (key.equalsIgnoreCase("termsofuseconsent")) {
user.setTermsOfUseConsent((Boolean) value);
} else if (key.equalsIgnoreCase("connectedtoldap")) {
user.setConnectedToLdap((Boolean) value);
if (isAdmin) {
user.setConnectedToLdap((Boolean) value);
} else {
throw new AccessDeniedException("connectedtoldap can be updated by admin");
}
} else if (key.equalsIgnoreCase("password")) {
if (stringValue != null && !stringValue.trim().isEmpty()) {
user.setCryptedPassword(passwordEncoder.encode(stringValue));
......
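Review bot: The `isAdmin` check at the top of `updateUser` relies on `Collection.contains` with a `SimpleGrantedAuthority`, which only matches if the stored authorities are themselves `SimpleGrantedAuthority` instances, and it runs before the `userData == null` guard, so a null `authorities` argument throws a NullPointerException rather than a QueryException or AccessDeniedException; comparing on the authority string is robust to either implementation: `boolean isAdmin = authorities != null && authorities.stream().map(GrantedAuthority::getAuthority).anyMatch(PrivilegeType.IS_ADMIN.toString()::equals);`. In the body hunk the `AccessDeniedException` for `connectedtoldap` is thrown mid-loop, after earlier keys in the same request may already have been applied to `user`; if this method is not `@Transactional` the rejected request leaves a partial update, so either validate admin-only keys before the loop or confirm rollback. The message `"connectedtoldap can be updated by admin"` reads as a statement of permission rather than a denial; `"connectedtoldap can only be updated by an admin"` is clearer. Any other admin-only attributes handled in the parts of the loop outside this hunk would need the same `isAdmin` gate — this change only covers `connectedtoldap`.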
......@@ -422,4 +422,19 @@ public class UserControllerIntegrationTest extends ControllerIntegrationTest {
assertNotNull(sessionWithNewPass);
}
@Test
public void userCannotUpdateOwnLdapConnection() throws Exception {
MockHttpSession session = createSession(TEST_USER_LOGIN, TEST_USER_PASSWORD);
String body = "{\"user\":{\"connectedtoldap\":false}}";
RequestBuilder grantRequest = patch("/users/" + TEST_USER_LOGIN)
.contentType(MediaType.APPLICATION_FORM_URLENCODED)
.content(body)
.session(session);
mockMvc.perform(grantRequest)
.andExpect(status().isForbidden());
}
}
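Review bot: The new test covers only the negative case, so the behaviour the commit title describes — a non-admin updating their own `termsofuseconsent` — and the admin path for `connectedtoldap` both remain untested, and a regression in the `isAdmin` branch of `UserRestImpl.updateUser` would go unnoticed. A companion test with body `"{\"user\":{\"termsofuseconsent\":true}}"` on the same session expecting `status().isOk()`, and one with an admin session setting `connectedtoldap`, would pin both sides of the check. The local name `grantRequest` looks carried over from another test; `request` describes what it is here.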