Commit e68cc1c4 authored by Matija Obreza's avatar Matija Obreza

Fix: Check institute permissions when creating subsets

parent 3a4f05c4
...@@ -23,7 +23,9 @@ import java.util.UUID; ...@@ -23,7 +23,9 @@ import java.util.UUID;
import org.genesys.catalog.api.FilteredPage; import org.genesys.catalog.api.FilteredPage;
import org.genesys.catalog.service.ShortFilterService; import org.genesys.catalog.service.ShortFilterService;
import org.genesys2.server.api.ApiBaseController; import org.genesys2.server.api.ApiBaseController;
import org.genesys2.server.model.impl.FaoInstitute;
import org.genesys2.server.model.impl.Subset; import org.genesys2.server.model.impl.Subset;
import org.genesys2.server.service.InstituteService;
import org.genesys2.server.service.SubsetService; import org.genesys2.server.service.SubsetService;
import org.genesys2.server.service.filter.SubsetFilter; import org.genesys2.server.service.filter.SubsetFilter;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
...@@ -59,6 +61,9 @@ public class SubsetController { ...@@ -59,6 +61,9 @@ public class SubsetController {
@Autowired @Autowired
private SubsetService subsetService; private SubsetService subsetService;
@Autowired
private InstituteService instituteService;
/** The short filter service. */ /** The short filter service. */
@Autowired @Autowired
protected ShortFilterService shortFilterService; protected ShortFilterService shortFilterService;
...@@ -71,7 +76,8 @@ public class SubsetController { ...@@ -71,7 +76,8 @@ public class SubsetController {
*/ */
@PostMapping(value = "/create", produces = { MediaType.APPLICATION_JSON_VALUE }) @PostMapping(value = "/create", produces = { MediaType.APPLICATION_JSON_VALUE })
public Subset create(@RequestBody final Subset subset) { public Subset create(@RequestBody final Subset subset) {
return subsetService.create(subset); FaoInstitute institute = instituteService.findInstitute(subset.getWiewsCode());
return subsetService.create(institute, subset);
} }
/** /**
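Review bot: In `create`, the result of `instituteService.findInstitute(subset.getWiewsCode())` is passed to the service without a null check, and the WIEWS code used for the lookup comes straight from the request body. If the lookup returns null for a missing or unknown code (its contract is not visible on this page), an administrator's request would pass the `hasRole` branch and then fail on `institute.getCode()` in `SubsetServiceImpl.create`, giving a server error rather than a clean rejection. I would reject early with whichever exception the API maps to a 4xx, for example `if (institute == null) { throw new InvalidApiUsageException("Unknown institute code"); }`. The same guard belongs at the top of the service method, because the tests show it is also called directly.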
......
...@@ -22,6 +22,7 @@ import java.util.UUID; ...@@ -22,6 +22,7 @@ import java.util.UUID;
import org.genesys.catalog.exceptions.NotFoundElement; import org.genesys.catalog.exceptions.NotFoundElement;
import org.genesys2.server.model.genesys.AccessionId; import org.genesys2.server.model.genesys.AccessionId;
import org.genesys2.server.model.impl.FaoInstitute;
import org.genesys2.server.model.impl.Subset; import org.genesys2.server.model.impl.Subset;
import org.genesys2.server.model.impl.SubsetCreator; import org.genesys2.server.model.impl.SubsetCreator;
import org.genesys2.server.service.filter.SubsetFilter; import org.genesys2.server.service.filter.SubsetFilter;
...@@ -62,10 +63,11 @@ public interface SubsetService { ...@@ -62,10 +63,11 @@ public interface SubsetService {
/** /**
* Method creating Subset. * Method creating Subset.
* *
* @param subset new Subset * @param institute the institute owning the subset
* @param source the source
* @return saved Subset in db. * @return saved Subset in db.
*/ */
Subset create(Subset subset); Subset create(FaoInstitute institute, Subset source);
/** /**
* Load subset based on identifiers and version provided in the input. * Load subset based on identifiers and version provided in the input.
...@@ -238,4 +240,5 @@ public interface SubsetService { ...@@ -238,4 +240,5 @@ public interface SubsetService {
*/ */
List<SubsetCreator> autocompleteCreators(String text); List<SubsetCreator> autocompleteCreators(String text);
} }
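Review bot: The Javadoc on `create` in the second hunk does not state the new contract: `@param source the source` tells the reader nothing, and neither the required permission nor the rejection is mentioned. I would write `@param institute the institute that will own the subset; the implementation requires WRITE permission on it or the ADMINISTRATOR role` and `@param source the subset data to copy; its WIEWS code must equal the institute's code`. I would also add `@throws InvalidApiUsageException if the two codes differ`.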
...@@ -23,6 +23,8 @@ import java.util.UUID; ...@@ -23,6 +23,8 @@ import java.util.UUID;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import com.querydsl.core.types.Predicate; import com.querydsl.core.types.Predicate;
import org.apache.commons.lang3.StringUtils;
import org.genesys.catalog.exceptions.InvalidApiUsageException; import org.genesys.catalog.exceptions.InvalidApiUsageException;
import org.genesys2.server.exception.NotFoundElement; import org.genesys2.server.exception.NotFoundElement;
import org.genesys2.server.model.PublishState; import org.genesys2.server.model.PublishState;
...@@ -123,9 +125,12 @@ public class SubsetServiceImpl implements SubsetService { ...@@ -123,9 +125,12 @@ public class SubsetServiceImpl implements SubsetService {
*/ */
@Override @Override
@Transactional @Transactional
@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#source, 'WRITE')") @PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#institute, 'WRITE')")
public Subset create(final Subset source) { public Subset create(final FaoInstitute institute, final Subset source) {
LOG.info("Create Subset."); LOG.info("Create Subset.");
if (! StringUtils.equals(institute.getCode(), source.getWiewsCode())) {
throw new InvalidApiUsageException("Institute code of the subset does not match the code of Institute");
}
final Subset subset = new Subset(); final Subset subset = new Subset();
copyValues(subset, source); copyValues(subset, source);
copyAccessions(subset, source.getAccessionIds()); copyAccessions(subset, source.getAccessionIds());
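Review bot: The mismatch branch in `create` throws without logging, and `LOG.info("Create Subset.")` names neither the institute nor the subset. Through the controller both codes come from the same request field, so a mismatch suggests either a direct service caller passing an institute other than the subset's, or a lookup that normalises the code (case, whitespace) differently from this exact comparison. Either case is worth a trace when reviewing authorization failures. I would log before throwing, `LOG.warn("Subset WIEWS code {} does not match institute {}", source.getWiewsCode(), institute.getCode());`, assuming `LOG` is an SLF4J-style logger. The method body continues past the end of this hunk.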
......
...@@ -170,7 +170,7 @@ public class SubsetRestControllerTest extends AbstractApiTest { ...@@ -170,7 +170,7 @@ public class SubsetRestControllerTest extends AbstractApiTest {
@Test @Test
public void updateSubsetTest() throws Exception { public void updateSubsetTest() throws Exception {
final Subset storedSubset = subsetService.create(setUpSubset()); final Subset storedSubset = subsetService.create(institute, setUpSubset());
storedSubset.setTitle(TITLE_2); storedSubset.setTitle(TITLE_2);
storedSubset.setDescription(DESCRIPTION_2); storedSubset.setDescription(DESCRIPTION_2);
...@@ -204,7 +204,7 @@ public class SubsetRestControllerTest extends AbstractApiTest { ...@@ -204,7 +204,7 @@ public class SubsetRestControllerTest extends AbstractApiTest {
@Test @Test
public void getSubsetTest() throws Exception { public void getSubsetTest() throws Exception {
final Subset subset = subsetService.create(setUpSubset()); final Subset subset = subsetService.create(institute, setUpSubset());
/*@formatter:off*/ /*@formatter:off*/
mockMvc.perform(get(SubsetController.API_BASE.concat("/{UUID}"), subset.getUuid()) mockMvc.perform(get(SubsetController.API_BASE.concat("/{UUID}"), subset.getUuid())
...@@ -218,7 +218,7 @@ public class SubsetRestControllerTest extends AbstractApiTest { ...@@ -218,7 +218,7 @@ public class SubsetRestControllerTest extends AbstractApiTest {
@Test @Test
public void deleteSubsetTest() throws Exception { public void deleteSubsetTest() throws Exception {
final Subset subset = subsetService.create(setUpSubset()); final Subset subset = subsetService.create(institute, setUpSubset());
/*@formatter:off*/ /*@formatter:off*/
mockMvc.perform(delete(SubsetController.API_BASE.concat("/{UUID},{version}"), subset.getUuid(), subset.getVersion()) mockMvc.perform(delete(SubsetController.API_BASE.concat("/{UUID},{version}"), subset.getUuid(), subset.getVersion())
...@@ -233,7 +233,7 @@ public class SubsetRestControllerTest extends AbstractApiTest { ...@@ -233,7 +233,7 @@ public class SubsetRestControllerTest extends AbstractApiTest {
@Test @Test
public void listSubsetsTest() throws Exception { public void listSubsetsTest() throws Exception {
Subset subset = subsetService.create(setUpSubset()); Subset subset = subsetService.create(institute, setUpSubset());
assertEquals(subset.getState(), PublishState.DRAFT); assertEquals(subset.getState(), PublishState.DRAFT);
subset = subsetService.reviewSubset(subset); subset = subsetService.reviewSubset(subset);
assertEquals(subset.getState(), PublishState.REVIEWING); assertEquals(subset.getState(), PublishState.REVIEWING);
...@@ -258,7 +258,7 @@ public class SubsetRestControllerTest extends AbstractApiTest { ...@@ -258,7 +258,7 @@ public class SubsetRestControllerTest extends AbstractApiTest {
@Test @Test
public void removeAccessionsFromSubsetTest() throws Exception { public void removeAccessionsFromSubsetTest() throws Exception {
final Subset subset = subsetService.create(setUpSubset()); final Subset subset = subsetService.create(institute, setUpSubset());
assertThat(subset.getAccessionIds().size(), is(2)); assertThat(subset.getAccessionIds().size(), is(2));
final Set<UUID> accessionsUuid = subset.getAccessionIds().stream().map(AccessionId::getUuid).collect(Collectors.toSet()); final Set<UUID> accessionsUuid = subset.getAccessionIds().stream().map(AccessionId::getUuid).collect(Collectors.toSet());
...@@ -278,7 +278,7 @@ public class SubsetRestControllerTest extends AbstractApiTest { ...@@ -278,7 +278,7 @@ public class SubsetRestControllerTest extends AbstractApiTest {
@Test @Test
public void addAccessionsToSubsetTest() throws Exception { public void addAccessionsToSubsetTest() throws Exception {
final Subset subset = subsetService.create(setUpSubset()); final Subset subset = subsetService.create(institute, setUpSubset());
assertThat(subset.getAccessionIds().size(), is(2)); assertThat(subset.getAccessionIds().size(), is(2));
List<AccessionId> newAccessions = setUpAccessions(); List<AccessionId> newAccessions = setUpAccessions();
...@@ -300,7 +300,7 @@ public class SubsetRestControllerTest extends AbstractApiTest { ...@@ -300,7 +300,7 @@ public class SubsetRestControllerTest extends AbstractApiTest {
@Test @Test
@WithMockOAuth2Authentication(roles = { "ADMINISTRATOR" }, scopes = { "write" }) @WithMockOAuth2Authentication(roles = { "ADMINISTRATOR" }, scopes = { "write" })
public void approveSubsetTest() throws Exception { public void approveSubsetTest() throws Exception {
Subset subset = subsetService.create(setUpSubset()); Subset subset = subsetService.create(institute, setUpSubset());
assertEquals(subset.getState(), PublishState.DRAFT); assertEquals(subset.getState(), PublishState.DRAFT);
subset = subsetService.reviewSubset(subset); subset = subsetService.reviewSubset(subset);
assertEquals(subset.getState(), PublishState.REVIEWING); assertEquals(subset.getState(), PublishState.REVIEWING);
...@@ -321,7 +321,7 @@ public class SubsetRestControllerTest extends AbstractApiTest { ...@@ -321,7 +321,7 @@ public class SubsetRestControllerTest extends AbstractApiTest {
@Test @Test
@WithMockUser(username = "user", password = "user", roles = "ADMINISTRATOR") @WithMockUser(username = "user", password = "user", roles = "ADMINISTRATOR")
public void reviewSubsetTest() throws Exception { public void reviewSubsetTest() throws Exception {
final Subset subset = subsetService.create(setUpSubset()); final Subset subset = subsetService.create(institute, setUpSubset());
assertEquals(subset.getState(), PublishState.DRAFT); assertEquals(subset.getState(), PublishState.DRAFT);
/*@formatter:off*/ /*@formatter:off*/
...@@ -340,7 +340,7 @@ public class SubsetRestControllerTest extends AbstractApiTest { ...@@ -340,7 +340,7 @@ public class SubsetRestControllerTest extends AbstractApiTest {
@Test @Test
@WithMockUser(username = "user", password = "user", roles = "ADMINISTRATOR") @WithMockUser(username = "user", password = "user", roles = "ADMINISTRATOR")
public void rejectSubsetTest() throws Exception { public void rejectSubsetTest() throws Exception {
final Subset subset = subsetService.create(setUpSubset()); final Subset subset = subsetService.create(institute, setUpSubset());
assertEquals(subset.getState(), PublishState.DRAFT); assertEquals(subset.getState(), PublishState.DRAFT);
/*@formatter:off*/ /*@formatter:off*/
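Review bot: None of the updated tests exercises the check this commit adds; every call site only gains the `institute` argument. The tests whose annotations are visible (`approveSubsetTest`, `reviewSubsetTest`, `rejectSubsetTest`) run as ADMINISTRATOR, which bypasses `hasPermission`. I would add two negative cases: a user without WRITE on the institute is denied when calling `subsetService.create(institute, setUpSubset())`, and a subset whose WIEWS code differs from `institute.getCode()` is rejected with `InvalidApiUsageException`. How `institute` is set up lies outside the visible hunks.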
......