Merge branch '26-permission-checks-fail' into 'master'

Resolve "Permission checks fail" Closes #26 See merge request !23

Merge branch '26-permission-checks-fail' into 'master'
Resolve "Permission checks fail" Closes #26 See merge request !23
4a5aa9f0 · Matija Obreza · 6063bcaa · 4079e5e8 · 4a5aa9f0 · 4a5aa9f0
Commit 4a5aa9f0 authored Apr 30, 2018 by Matija Obreza
4 changed files
--- a/file-repository-core/src/main/java/org/genesys/filerepository/service/ImageGalleryService.java
+++ b/file-repository-core/src/main/java/org/genesys/filerepository/service/ImageGalleryService.java
@@ -20,9 +20,6 @@ import org.genesys.filerepository.InvalidRepositoryPathException;
 import org.genesys.filerepository.model.ImageGallery;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.Pageable;
-import org.springframework.security.access.prepost.PostAuthorize;
-import org.springframework.security.access.prepost.PostFilter;
-import org.springframework.security.access.prepost.PreAuthorize;

 // TODO: Auto-generated Javadoc
 /**
@@ -43,7 +40,6 @@ public interface ImageGalleryService {
 	 * @return the ImageGallery or <code>null</code> if no gallery exists at the
 	 * specified path.
 	 */
-	@PostAuthorize("returnObject == null or hasRole('ADMINISTRATOR') or hasPermission(returnObject, 'read')")
 	ImageGallery loadImageGallery(String path);

 	/**
@@ -55,7 +51,6 @@ public interface ImageGalleryService {
 	 * @param description Image gallery description in English.
 	 * @return the new ImageGallery or existing gallery at the specified path.
 	 */
-	@PreAuthorize("isAuthenticated()")
 	ImageGallery createImageGallery(String path, String title, String description);

 	/**
@@ -64,7 +59,6 @@ public interface ImageGalleryService {
 	 * @param imageGallery the image gallery
 	 * @throws InvalidRepositoryPathException the invalid repository path exception
 	 */
-	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#imageGallery, 'delete')")
 	void removeGallery(ImageGallery imageGallery) throws InvalidRepositoryPathException;

 	/**
@@ -75,7 +69,6 @@ public interface ImageGalleryService {
 	 * @param description the description
 	 * @return the image gallery
 	 */
-	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#imageGallery, 'write')")
 	ImageGallery updateImageGalery(ImageGallery imageGallery, String title, String description);

 	/**
@@ -85,7 +78,6 @@ public interface ImageGalleryService {
 	 * @param imageGallery the image gallery
 	 * @return the image gallery
 	 */
-	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#imageGallery, 'write')")
 	ImageGallery saveImageOrder(ImageGallery imageGallery);

 	/**
@@ -105,7 +97,6 @@ public interface ImageGalleryService {
 	 * @param pageable the pageable
 	 * @return paginated image gallery data
 	 */
-	@PostFilter("hasRole('ADMINISTRATOR') or hasPermission(returnObject, 'read')")
 	Page<ImageGallery> listImageGalleries(Pageable pageable);

 	/**
@@ -115,7 +106,6 @@ public interface ImageGalleryService {
 	 * @param pageable the pageable
 	 * @return paginated image gallery data
 	 */
-	@PostFilter("hasRole('ADMINISTRATOR') or hasPermission(returnObject, 'read')")
 	Page<ImageGallery> listImageGalleries(String prefix, Pageable pageable);

 }
--- a/file-repository-core/src/main/java/org/genesys/filerepository/service/RepositoryService.java
+++ b/file-repository-core/src/main/java/org/genesys/filerepository/service/RepositoryService.java
@@ -29,8 +29,6 @@ import org.genesys.filerepository.metadata.ImageMetadata;
 import org.genesys.filerepository.model.RepositoryFile;
 import org.genesys.filerepository.model.RepositoryImage;
 import org.springframework.data.domain.Pageable;
-import org.springframework.security.access.prepost.PostAuthorize;
-import org.springframework.security.access.prepost.PreAuthorize;

 // TODO: Auto-generated Javadoc
 /**
@@ -52,7 +50,6 @@ public interface RepositoryService {
 	 * exception
 	 * @throws IOException when things go wrong on bytes storage level
 	 */
-	@PreAuthorize("isAuthenticated()")
 	RepositoryFile addFile(String repositoryPath, String originalFilename, String contentType, byte[] bytes, RepositoryFile metaData) throws InvalidRepositoryPathException,
 			InvalidRepositoryFileDataException, IOException;

@@ -70,7 +67,6 @@ public interface RepositoryService {
 	 * exception
 	 * @throws IOException when things go wrong on bytes storage level
 	 */
-	@PreAuthorize("isAuthenticated()")
 	RepositoryImage addImage(String repositoryPath, String originalFilename, String contentType, byte[] bytes, RepositoryImage metaData) throws InvalidRepositoryPathException,
 			InvalidRepositoryFileDataException, IOException;

@@ -82,7 +78,6 @@ public interface RepositoryService {
 	 * @throws NoSuchRepositoryFileException when file is not available in the
 	 * repository
 	 */
-	@PostAuthorize("hasRole('ADMINISTRATOR') or hasPermission(returnObject, 'read')")
 	RepositoryFile getFile(UUID fileUuid) throws NoSuchRepositoryFileException;

 	/**
@@ -94,7 +89,6 @@ public interface RepositoryService {
 	 * @throws NoSuchRepositoryFileException when file is not available in the
 	 * repository
 	 */
-	@PostAuthorize("hasRole('ADMINISTRATOR') or hasPermission(returnObject, 'read')")
 	<T extends RepositoryFile> T getFile(UUID fileUuid, int version) throws NoSuchRepositoryFileException;

 	/**
@@ -105,7 +99,6 @@ public interface RepositoryService {
 	 * @return the file
 	 * @throws NoSuchRepositoryFileException the no such repository file exception
 	 */
-	@PostAuthorize("hasRole('ADMINISTRATOR') or hasPermission(returnObject, 'read')")
 	RepositoryFile getFile(String path, String filename) throws NoSuchRepositoryFileException;

 	/**
@@ -125,7 +118,6 @@ public interface RepositoryService {
 	 * @return the file bytes
 	 * @throws IOException Signals that an I/O exception has occurred.
 	 */
-	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#repositoryFile, 'read')")
 	byte[] getFileBytes(RepositoryFile repositoryFile) throws IOException;

 	/**
@@ -154,7 +146,6 @@ public interface RepositoryService {
 	 * @throws NoSuchRepositoryFileException when file is not available in the
 	 * repository
 	 */
-	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#fileData, 'write')")
 	<T extends RepositoryFile> T updateMetadata(T fileData) throws NoSuchRepositoryFileException;

 	/**
@@ -167,7 +158,6 @@ public interface RepositoryService {
 	 * @throws NoSuchRepositoryFileException the no such repository file exception
 	 * @throws IOException Signals that an I/O exception has occurred.
 	 */
-	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#fileData, 'write')")
 	<T extends RepositoryFile> T updateBytes(T fileData, String contentType, byte[] bytes) throws NoSuchRepositoryFileException, IOException;

 	/**
@@ -181,7 +171,6 @@ public interface RepositoryService {
 	 * @throws NoSuchRepositoryFileException the no such repository file exception
 	 * @throws IOException Signals that an I/O exception has occurred.
 	 */
-	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#imageData, 'write')")
 	RepositoryImage updateImageBytes(RepositoryImage imageData, String contentType, byte[] bytes) throws NoSuchRepositoryFileException, IOException;

 	/**
@@ -193,7 +182,6 @@ public interface RepositoryService {
 	 * repository
 	 * @throws IOException Signals that an I/O exception has occurred.
 	 */
-	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#repositoryFile, 'delete')")
 	RepositoryFile removeFile(RepositoryFile repositoryFile) throws NoSuchRepositoryFileException, IOException;

 	/**
@@ -205,7 +193,6 @@ public interface RepositoryService {
 	 * @throws NoSuchRepositoryFileException the no such repository file exception
 	 * @throws InvalidRepositoryPathException when the new path is invalid
 	 */
-	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#repositoryFile, 'write')")
 	RepositoryFile moveFile(RepositoryFile repositoryFile, String newPath) throws NoSuchRepositoryFileException, InvalidRepositoryPathException;

 	/**
@@ -218,7 +205,6 @@ public interface RepositoryService {
 	 * @throws InvalidRepositoryFileDataException the invalid repository file data
 	 * exception
 	 */
-	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#repositoryFile, 'write')")
 	RepositoryFile moveAndRenameFile(RepositoryFile repositoryFile, String fullPath) throws InvalidRepositoryPathException, InvalidRepositoryFileDataException;

 	/**
@@ -259,7 +245,6 @@ public interface RepositoryService {
 	 * @throws NoSuchRepositoryFileException when file is not available in the
 	 * repository
 	 */
-	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#imageData, 'write')")
 	RepositoryImage updateImageMetadata(RepositoryImage imageData) throws NoSuchRepositoryFileException;

 	/**
@@ -271,7 +256,6 @@ public interface RepositoryService {
 	 * repository
 	 * @throws IOException Signals that an I/O exception has occurred.
 	 */
-	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#repositoryImage, 'delete')")
 	RepositoryImage removeImage(RepositoryImage repositoryImage) throws NoSuchRepositoryFileException, IOException;

 	/**

--- a/file-repository-core/src/main/java/org/genesys/filerepository/service/impl/ImageGalleryServiceImpl.java
+++ b/file-repository-core/src/main/java/org/genesys/filerepository/service/impl/ImageGalleryServiceImpl.java
@@ -34,6 +34,9 @@ import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.Pageable;
+import org.springframework.security.access.prepost.PostAuthorize;
+import org.springframework.security.access.prepost.PostFilter;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.util.CollectionUtils;
@@ -72,6 +75,7 @@ public class ImageGalleryServiceImpl implements ImageGalleryService {
 	 * lang.String)
 	 */
 	@Override
+	@PostAuthorize("returnObject == null or hasRole('ADMINISTRATOR') or hasPermission(returnObject, 'read')")
 	public ImageGallery loadImageGallery(final String path) {
 		final ImageGallery imageGallery = imageGalleryPersistence.findByPath(path);
 		return deepLoad(imageGallery);
@@ -99,6 +103,7 @@ public class ImageGalleryServiceImpl implements ImageGalleryService {
 	 */
 	@Override
 	@Transactional
+	@PreAuthorize("isAuthenticated()")
 	public ImageGallery createImageGallery(final String path, final String title, final String description) {
 		LOG.debug("Creating ImageGallery at path={}", path);

@@ -129,6 +134,7 @@ public class ImageGalleryServiceImpl implements ImageGalleryService {
 	 */
 	@Override
 	@Transactional
+	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#imageGallery, 'delete')")
 	public void removeGallery(final ImageGallery imageGallery) throws InvalidRepositoryPathException {
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("Deleting ImageGallery with id=" + imageGallery.getId());
@@ -168,6 +174,7 @@ public class ImageGalleryServiceImpl implements ImageGalleryService {
 	 */
 	@Override
 	@Transactional
+	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#imageGallery, 'write')")
 	public ImageGallery updateImageGalery(final ImageGallery imageGallery, final String title, final String description) {
 		final ImageGallery imageGallery2 = imageGalleryPersistence.findOne(imageGallery.getId());

@@ -186,6 +193,7 @@ public class ImageGalleryServiceImpl implements ImageGalleryService {
 	 */
 	@Override
 	@Transactional
+	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#imageGallery, 'write')")
 	public ImageGallery saveImageOrder(final ImageGallery imageGallery) {
 		final ImageGallery imageGallery2 = imageGalleryPersistence.findOne(imageGallery.getId());

@@ -285,6 +293,7 @@ public class ImageGalleryServiceImpl implements ImageGalleryService {
 	 * @return the page
 	 */
 	@Override
+	@PostFilter("hasRole('ADMINISTRATOR') or hasPermission(filterObject, 'read')")
 	public Page<ImageGallery> listImageGalleries(final Pageable pageable) {
 		return imageGalleryPersistence.findAll(pageable);
 	}
@@ -296,6 +305,7 @@ public class ImageGalleryServiceImpl implements ImageGalleryService {
 	 * java.lang.String, org.springframework.data.domain.Pageable)
 	 */
 	@Override
+	@PostFilter("hasRole('ADMINISTRATOR') or hasPermission(filterObject, 'read')")
 	public Page<ImageGallery> listImageGalleries(final String prefix, final Pageable pageable) {
 		return imageGalleryPersistence.listByPath(prefix, pageable);
 	}

--- a/file-repository-core/src/main/java/org/genesys/filerepository/service/impl/RepositoryServiceImpl.java
+++ b/file-repository-core/src/main/java/org/genesys/filerepository/service/impl/RepositoryServiceImpl.java
@@ -47,6 +47,8 @@ import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.domain.Pageable;
+import org.springframework.security.access.prepost.PostAuthorize;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;

@@ -110,6 +112,7 @@ public class RepositoryServiceImpl implements RepositoryService, InitializingBea
 	 */
 	@Override
 	@Transactional(rollbackFor = Throwable.class)
+	@PreAuthorize("isAuthenticated()")
 	public RepositoryFile addFile(final String repositoryPath, final String originalFilename, String contentType, final byte[] bytes, final RepositoryFile metaData)
 			throws InvalidRepositoryPathException, InvalidRepositoryFileDataException, IOException {

@@ -168,6 +171,7 @@ public class RepositoryServiceImpl implements RepositoryService, InitializingBea
 	 */
 	@Override
 	@Transactional(rollbackFor = Throwable.class)
+	@PreAuthorize("isAuthenticated()")
 	public RepositoryImage addImage(final String repositoryPath, final String originalFilename, String contentType, final byte[] bytes, final RepositoryImage metaData)
 			throws InvalidRepositoryPathException, InvalidRepositoryFileDataException, IOException {

@@ -234,6 +238,7 @@ public class RepositoryServiceImpl implements RepositoryService, InitializingBea
 	 * .util.UUID)
 	 */
 	@Override
+	@PostAuthorize("hasRole('ADMINISTRATOR') or hasPermission(returnObject, 'read')")
 	public RepositoryFile getFile(final UUID fileUuid) throws NoSuchRepositoryFileException {
 		RepositoryFile file = repositoryFilePersistence.findByUuid(fileUuid);
 		if (file != null) {
@@ -251,6 +256,7 @@ public class RepositoryServiceImpl implements RepositoryService, InitializingBea

 	@SuppressWarnings("unchecked")
 	@Override
+	@PostAuthorize("hasRole('ADMINISTRATOR') or hasPermission(returnObject, 'read')")
 	public <T extends RepositoryFile> T getFile(UUID fileUuid, int version) throws NoSuchRepositoryFileException {
 		RepositoryFile file = repositoryFilePersistence.findByUuidAndVersion(fileUuid, version);
 		if (file != null) {
@@ -272,6 +278,7 @@ public class RepositoryServiceImpl implements RepositoryService, InitializingBea
 	 * String, java.lang.String)
 	 */
 	@Override
+	@PostAuthorize("hasRole('ADMINISTRATOR') or hasPermission(returnObject, 'read')")
 	public RepositoryFile getFile(final String path, final String originalFilename) throws NoSuchRepositoryFileException {
 		final RepositoryFile repositoryFile = repositoryFilePersistence.findByPathAndOriginalFilename(path, originalFilename);
 		if (repositoryFile == null) {
@@ -305,6 +312,7 @@ public class RepositoryServiceImpl implements RepositoryService, InitializingBea
 	 * .filerepository.model.RepositoryFile)
 	 */
 	@Override
+	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#repositoryFile, 'read')")
 	public byte[] getFileBytes(final RepositoryFile repositoryFile) throws IOException {
 		return bytesStorageService.get(repositoryFile.getStoragePath(), repositoryFile.getFilename());
 	}
@@ -335,6 +343,7 @@ public class RepositoryServiceImpl implements RepositoryService, InitializingBea
 	@SuppressWarnings("unchecked")
 	@Override
 	@Transactional
+	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#fileData, 'write')")
 	public <T extends RepositoryFile> T updateMetadata(final T fileData) throws NoSuchRepositoryFileException {
 		RepositoryFile repositoryFile = repositoryFilePersistence.findByUuidAndVersion(fileData.getUuid(), fileData.getVersion());
 		if (repositoryFile == null) {
@@ -357,6 +366,7 @@ public class RepositoryServiceImpl implements RepositoryService, InitializingBea
 	 */
 	@Override
 	@Transactional
+	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#imageData, 'write')")
 	public RepositoryImage updateImageMetadata(final RepositoryImage imageData) throws NoSuchRepositoryFileException {
 		final RepositoryImage repositoryImage = repositoryImagePersistence.findByUuidAndVersion(imageData.getUuid(), imageData.getVersion());

@@ -378,6 +388,7 @@ public class RepositoryServiceImpl implements RepositoryService, InitializingBea
 	@SuppressWarnings("unchecked")
 	@Override
 	@Transactional
+	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#repositoryFile, 'write')")
 	public <T extends RepositoryFile> T updateBytes(final T repositoryFile, String contentType, final byte[] bytes) throws NoSuchRepositoryFileException, IOException {
 		T storedFile = getFile(repositoryFile.getUuid(), repositoryFile.getVersion());
 		
@@ -410,6 +421,7 @@ public class RepositoryServiceImpl implements RepositoryService, InitializingBea
 	 */
 	@Override
 	@Transactional
+	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#repositoryImage, 'write')")
 	public RepositoryImage updateImageBytes(final RepositoryImage repositoryImage, String contentType, final byte[] bytes) throws NoSuchRepositoryFileException, IOException {
 		RepositoryImage storedFile = getFile(repositoryImage.getUuid(), repositoryImage.getVersion());

@@ -458,6 +470,7 @@ public class RepositoryServiceImpl implements RepositoryService, InitializingBea
 	 */
 	@Override
 	@Transactional
+	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#repositoryFile, 'delete')")
 	public RepositoryFile removeFile(final RepositoryFile repositoryFile) throws NoSuchRepositoryFileException, IOException {
 		if (repositoryFile == null) {
 			throw new NoSuchRepositoryFileException();
@@ -480,6 +493,7 @@ public class RepositoryServiceImpl implements RepositoryService, InitializingBea
 	 */
 	@Override
 	@Transactional
+	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#repositoryImage, 'delete')")
 	public RepositoryImage removeImage(final RepositoryImage repositoryImage) throws NoSuchRepositoryFileException, IOException {
 		if (repositoryImage == null) {
 			throw new NoSuchRepositoryFileException();
@@ -497,6 +511,7 @@ public class RepositoryServiceImpl implements RepositoryService, InitializingBea
 	 */
 	@Override
 	@Transactional
+	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#repositoryFile, 'write')")
 	public RepositoryFile moveFile(final RepositoryFile repositoryFile, final String newPath) throws NoSuchRepositoryFileException, InvalidRepositoryPathException {

 		PathValidator.checkValidPath(newPath);
@@ -525,6 +540,7 @@ public class RepositoryServiceImpl implements RepositoryService, InitializingBea
 	 */
 	@Override
 	@Transactional
+	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#repositoryFile, 'write')")
 	public RepositoryFile moveAndRenameFile(final RepositoryFile repositoryFile, final String fullPath) throws InvalidRepositoryPathException, InvalidRepositoryFileDataException {
 		if (fullPath == null) {
 			throw new NullPointerException("Full path cannot be null");