PermissionWriter updated

- return no permissions if authentication is missing - return all permissions if has authority ADMINISTRATOR

PermissionWriter updated
- return no permissions if authentication is missing - return all permissions if has authority ADMINISTRATOR
669962d9 · Matija Obreza · bce713c2 · 669962d9
Commit 669962d9 authored Jul 19, 2018 by Matija Obreza
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 3 deletions

security/src/main/java/org/genesys/blocks/security/serialization/CurrentPermissionsWriter.java ...ocks/security/serialization/CurrentPermissionsWriter.java +21 -3

No files found.
--- a/security/src/main/java/org/genesys/blocks/security/serialization/CurrentPermissionsWriter.java
+++ b/security/src/main/java/org/genesys/blocks/security/serialization/CurrentPermissionsWriter.java
@@ -24,6 +24,8 @@ import com.fasterxml.jackson.databind.introspect.BeanPropertyDefinition;
 import com.fasterxml.jackson.databind.ser.VirtualBeanPropertyWriter;
 import com.fasterxml.jackson.databind.util.Annotations;

+import java.util.concurrent.atomic.AtomicBoolean;
+
 import org.genesys.blocks.security.model.AclAwareModel;
 import org.genesys.blocks.util.CurrentApplicationContext;
 import org.slf4j.Logger;
@@ -37,8 +39,8 @@ import org.springframework.security.core.context.SecurityContextHolder;

 /**
 * The CurrentPermissionsWriter is applied to {@link AclAwareModel} and it
- * instructs Jackson to to include {@link Permissions} for current SID
- * for every ACL aware entity.
+ * instructs Jackson to to include {@link Permissions} for current SID for every
+ * ACL aware entity.
 * 
 * Serialization is enabled <code>@JsonAppend</code> annotation on
 * <code>AclAwareModel</code>:
@@ -65,6 +67,9 @@ public class CurrentPermissionsWriter extends VirtualBeanPropertyWriter {
 	/** The permission evaluator. */
 	private static PermissionEvaluator permissionEvaluator;

+	private static final Permissions NO_PERMISSIONS = new Permissions().grantNone();
+	private static final Permissions ALL_PERMISSIONS = new Permissions().grantAll();
+
 	// Context initialization
 	static {
 		ApplicationContext context = CurrentApplicationContext.getContext();
@@ -107,8 +112,21 @@ public class CurrentPermissionsWriter extends VirtualBeanPropertyWriter {
 	 */
 	@Override
 	protected Object value(Object bean, JsonGenerator gen, SerializerProvider prov) throws Exception {
+		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+		if (authentication == null) {
+			return NO_PERMISSIONS;
+		}
+		AtomicBoolean isAdmin = new AtomicBoolean(false);
+		authentication.getAuthorities().forEach(authority -> {
+			// We don't have a Role.ADMINSITRATOR defined so we use a String comparison.
+			if ("ROLE_ADMINISTRATOR".equals(authority.getAuthority())) {
+				isAdmin.set(true);
+			}
+		});
+		if (isAdmin.get()) {
+			return ALL_PERMISSIONS;
+		}
 		if (permissionEvaluator != null) {
-			Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
 			if (authentication != null) {
 				Permissions perms = new Permissions();
 				perms.create = permissionEvaluator.hasPermission(authentication, bean, BasePermission.CREATE);