Commit e68cc1c4 authored by Matija Obreza's avatar Matija Obreza

Fix: Check institute permissions when creating subsets

parent 3a4f05c4
......@@ -23,7 +23,9 @@ import java.util.UUID;
import org.genesys.catalog.api.FilteredPage;
import org.genesys.catalog.service.ShortFilterService;
import org.genesys2.server.api.ApiBaseController;
import org.genesys2.server.model.impl.FaoInstitute;
import org.genesys2.server.model.impl.Subset;
import org.genesys2.server.service.InstituteService;
import org.genesys2.server.service.SubsetService;
import org.genesys2.server.service.filter.SubsetFilter;
import org.springframework.beans.factory.annotation.Autowired;
......@@ -59,6 +61,9 @@ public class SubsetController {
@Autowired
private SubsetService subsetService;
@Autowired
private InstituteService instituteService;
/** The short filter service. */
@Autowired
protected ShortFilterService shortFilterService;
......@@ -71,7 +76,8 @@ public class SubsetController {
*/
@PostMapping(value = "/create", produces = { MediaType.APPLICATION_JSON_VALUE })
public Subset create(@RequestBody final Subset subset) {
return subsetService.create(subset);
FaoInstitute institute = instituteService.findInstitute(subset.getWiewsCode());
return subsetService.create(institute, subset);
}
/**
......
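Review bot: In `SubsetController.create` the result of `instituteService.findInstitute(subset.getWiewsCode())` is passed to the service without a null check, and the WIEWS code comes straight from the request body. If the lookup returns null for a missing or unknown code (its contract is not visible here), an ADMINISTRATOR caller passes the `hasRole` branch of the new `@PreAuthorize` on `SubsetServiceImpl.create` and then fails with a NullPointerException at `institute.getCode()`. For other callers the outcome depends on how the configured permission evaluator treats a null target. Rejecting it in the controller keeps the failure an explicit client error, e.g. `if (institute == null) { throw new InvalidApiUsageException("Unknown institute code"); }`, or the project's `NotFoundElement` if that maps better to the API.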
......@@ -22,6 +22,7 @@ import java.util.UUID;
import org.genesys.catalog.exceptions.NotFoundElement;
import org.genesys2.server.model.genesys.AccessionId;
import org.genesys2.server.model.impl.FaoInstitute;
import org.genesys2.server.model.impl.Subset;
import org.genesys2.server.model.impl.SubsetCreator;
import org.genesys2.server.service.filter.SubsetFilter;
......@@ -62,10 +63,11 @@ public interface SubsetService {
/**
* Method creating Subset.
*
* @param subset new Subset
* @param institute the institute owning the subset
* @param source the source
* @return saved Subset in db.
*/
Subset create(Subset subset);
Subset create(FaoInstitute institute, Subset source);
/**
* Load subset based on identifiers and version provided in the input.
......@@ -238,4 +240,5 @@ public interface SubsetService {
*/
List<SubsetCreator> autocompleteCreators(String text);
}
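Review bot: The updated Javadoc on `create(FaoInstitute institute, Subset source)` does not state the security contract that callers now depend on. I would add that the caller must hold WRITE permission on `institute` or the ADMINISTRATOR role, plus `@throws InvalidApiUsageException if the subset's WIEWS code does not match the institute code`. The `@PreAuthorize` is visible only on the implementation, so the interface Javadoc is where a consumer of `SubsetService` would look for it.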
......@@ -23,6 +23,8 @@ import java.util.UUID;
import java.util.stream.Collectors;
import com.querydsl.core.types.Predicate;
import org.apache.commons.lang3.StringUtils;
import org.genesys.catalog.exceptions.InvalidApiUsageException;
import org.genesys2.server.exception.NotFoundElement;
import org.genesys2.server.model.PublishState;
......@@ -123,9 +125,12 @@ public class SubsetServiceImpl implements SubsetService {
*/
@Override
@Transactional
@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#source, 'WRITE')")
public Subset create(final Subset source) {
@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#institute, 'WRITE')")
public Subset create(final FaoInstitute institute, final Subset source) {
LOG.info("Create Subset.");
if (! StringUtils.equals(institute.getCode(), source.getWiewsCode())) {
throw new InvalidApiUsageException("Institute code of the subset does not match the code of Institute");
}
final Subset subset = new Subset();
copyValues(subset, source);
copyAccessions(subset, source.getAccessionIds());
......
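Review bot: The comparison of `institute.getCode()` with `source.getWiewsCode()` is what ties the ACL decision on `#institute` to the subset being stored, but nothing in the code says so. A short comment above the `if` would stop it being removed later as redundant validation: `// Permission was evaluated on 'institute'; the subset must declare the same WIEWS code or that check is meaningless.` The body of `create` continues outside the hunk, so it is not visible whether `copyValues` takes the owning institute from `source` or from the authorized `institute`. If it is the former, setting it explicitly from `institute` after the copy would make the binding unambiguous.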
......@@ -170,7 +170,7 @@ public class SubsetRestControllerTest extends AbstractApiTest {
@Test
public void updateSubsetTest() throws Exception {
final Subset storedSubset = subsetService.create(setUpSubset());
final Subset storedSubset = subsetService.create(institute, setUpSubset());
storedSubset.setTitle(TITLE_2);
storedSubset.setDescription(DESCRIPTION_2);
......@@ -204,7 +204,7 @@ public class SubsetRestControllerTest extends AbstractApiTest {
@Test
public void getSubsetTest() throws Exception {
final Subset subset = subsetService.create(setUpSubset());
final Subset subset = subsetService.create(institute, setUpSubset());
/*@formatter:off*/
mockMvc.perform(get(SubsetController.API_BASE.concat("/{UUID}"), subset.getUuid())
......@@ -218,7 +218,7 @@ public class SubsetRestControllerTest extends AbstractApiTest {
@Test
public void deleteSubsetTest() throws Exception {
final Subset subset = subsetService.create(setUpSubset());
final Subset subset = subsetService.create(institute, setUpSubset());
/*@formatter:off*/
mockMvc.perform(delete(SubsetController.API_BASE.concat("/{UUID},{version}"), subset.getUuid(), subset.getVersion())
......@@ -233,7 +233,7 @@ public class SubsetRestControllerTest extends AbstractApiTest {
@Test
public void listSubsetsTest() throws Exception {
Subset subset = subsetService.create(setUpSubset());
Subset subset = subsetService.create(institute, setUpSubset());
assertEquals(subset.getState(), PublishState.DRAFT);
subset = subsetService.reviewSubset(subset);
assertEquals(subset.getState(), PublishState.REVIEWING);
......@@ -258,7 +258,7 @@ public class SubsetRestControllerTest extends AbstractApiTest {
@Test
public void removeAccessionsFromSubsetTest() throws Exception {
final Subset subset = subsetService.create(setUpSubset());
final Subset subset = subsetService.create(institute, setUpSubset());
assertThat(subset.getAccessionIds().size(), is(2));
final Set<UUID> accessionsUuid = subset.getAccessionIds().stream().map(AccessionId::getUuid).collect(Collectors.toSet());
......@@ -278,7 +278,7 @@ public class SubsetRestControllerTest extends AbstractApiTest {
@Test
public void addAccessionsToSubsetTest() throws Exception {
final Subset subset = subsetService.create(setUpSubset());
final Subset subset = subsetService.create(institute, setUpSubset());
assertThat(subset.getAccessionIds().size(), is(2));
List<AccessionId> newAccessions = setUpAccessions();
......@@ -300,7 +300,7 @@ public class SubsetRestControllerTest extends AbstractApiTest {
@Test
@WithMockOAuth2Authentication(roles = { "ADMINISTRATOR" }, scopes = { "write" })
public void approveSubsetTest() throws Exception {
Subset subset = subsetService.create(setUpSubset());
Subset subset = subsetService.create(institute, setUpSubset());
assertEquals(subset.getState(), PublishState.DRAFT);
subset = subsetService.reviewSubset(subset);
assertEquals(subset.getState(), PublishState.REVIEWING);
......@@ -321,7 +321,7 @@ public class SubsetRestControllerTest extends AbstractApiTest {
@Test
@WithMockUser(username = "user", password = "user", roles = "ADMINISTRATOR")
public void reviewSubsetTest() throws Exception {
final Subset subset = subsetService.create(setUpSubset());
final Subset subset = subsetService.create(institute, setUpSubset());
assertEquals(subset.getState(), PublishState.DRAFT);
/*@formatter:off*/
......@@ -340,7 +340,7 @@ public class SubsetRestControllerTest extends AbstractApiTest {
@Test
@WithMockUser(username = "user", password = "user", roles = "ADMINISTRATOR")
public void rejectSubsetTest() throws Exception {
final Subset subset = subsetService.create(setUpSubset());
final Subset subset = subsetService.create(institute, setUpSubset());
assertEquals(subset.getState(), PublishState.DRAFT);
/*@formatter:off*/
......
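Review bot: The visible changes in `SubsetRestControllerTest` only adapt call sites to the new `create(institute, …)` signature; none of them exercises the permission check this commit introduces. Two negative tests would pin it. One has a user without WRITE on the institute and expects `/create` to be denied. The other passes a subset whose `wiewsCode` differs from `institute.getCode()` and expects `InvalidApiUsageException`. Such tests may exist outside the hunks shown here.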