This is an automated email from the git hooks/post-receive script.
New commit to branch feature/10218-modification-user in repository coselmar.
See https://gitlab.nuiton.org/codelutin/coselmar.git
commit 19a45e9fe3c8684a20a4f0346a11827f87d50e58
Author: Yannick Martel <martel@©odelutin.com>
Date: Wed Apr 10 11:25:43 2019 +0200
Allow to see user information for Admin, and for Supervisor when user is a client
---
.../coselmar/services/v1/UsersWebService.java | 40 +++++++++++++++++-----
1 file changed, 32 insertions(+), 8 deletions(-)
diff --git a/coselmar-rest/src/main/java/fr/ifremer/coselmar/services/v1/UsersWebService.java b/coselmar-rest/src/main/java/fr/ifremer/coselmar/services/v1/UsersWebService.java
index 7732715..8b3fc00 100644
--- a/coselmar-rest/src/main/java/fr/ifremer/coselmar/services/v1/UsersWebService.java
+++ b/coselmar-rest/src/main/java/fr/ifremer/coselmar/services/v1/UsersWebService.java
@@ -83,9 +83,34 @@ public class UsersWebService extends CoselmarWebServiceSupport {
         // Check authentication
         String authorization = getContext().getHeader("Authorization");
-        CoselmarUser user = checkUserAuthentication(authorization);
+        CoselmarUser curentUser = checkUserAuthentication(authorization);
+
+        // Rebuild fullId
+        String fullId = getFullIdFromShort(CoselmarUser.class, userId);
+        UserBean userBean;
+        if (fullId.equals(curentUser.getTopiaId())) {
+            // Current user is asking for his info : ok
+            userBean = BeanEntityConverter.toBean(userId, curentUser);
+        } else {
+            // Current user wanna see an other profile ; only allowed to Admin or Supervisor (if it user is a client)
+
+            // Get the asked user
+            CoselmarUser askedUser = getCoselmarUserDao().forTopiaIdEquals(fullId).findAny();
+
+            boolean isAdmin = curentUser.getRole() == CoselmarUserRole.ADMIN;
+            boolean isSupervisor4Client = (curentUser.getRole() == CoselmarUserRole.SUPERVISOR && askedUser.getRole() == CoselmarUserRole.CLIENT);
+
+            if (!isAdmin && !isSupervisor4Client) {
+                if (log.isDebugEnabled()) {
+                    String message = String.format("A non admin, non supervisor user is trying to access user info with shortId '%s'", userId);
+                    log.debug(message);
+                }
+                throw new UnauthorizedException("Not allowed to see user infos");
+            }
+            // Retrieve asked user
+            userBean = BeanEntityConverter.toBean(userId, askedUser);
+        }
-        UserBean userBean = BeanEntityConverter.toBean(userId, user);
         return userBean;
     }
@@ -134,7 +159,7 @@ public class UsersWebService extends CoselmarWebServiceSupport {
         List<UserBean> result = new ArrayList<>(usersPage.getElements().size());
         for (CoselmarUser user : usersPage.getElements()) {
-            String userLightId = getPersistenceContext().getTopiaIdFactory().getRandomPart(user.getTopiaId());
+            String userLightId = getShortIdFromFull(user.getTopiaId());
             UserBean userBean = BeanEntityConverter.toBean(userLightId, user);
             result.add(userBean);
         }
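Review bot: The DAO lookup `getCoselmarUserDao().forTopiaIdEquals(fullId).findAny()` runs before the caller's role is examined, so any authenticated user can probe arbitrary short ids: for an id that does not exist the lookup fails first (either `findAny()` signals no result, or `askedUser.getRole()` dereferences a null, depending on how ToPIA reports it), while an existing id reaches `UnauthorizedException`, and that difference makes the endpoint an id-existence oracle. Checking `curentUser.getRole()` before resolving the target keeps the unauthorized path uniform for non-admin, non-supervisor callers and avoids dereferencing an unchecked query result; the supervisor-only-for-clients rule then needs a null guard on `askedUser`. The debug message also reads "non admin, non supervisor" for a supervisor who asked for a non-client user, and `curentUser` is misspelled (`currentUser`). The enclosing method starts above the hunk.
```java
        } else {
            // Decide on the caller's own role before touching the DAO, so an unauthorized
            // caller never learns whether the requested id exists
            CoselmarUserRole role = curentUser.getRole();
            boolean mayLookup = role == CoselmarUserRole.ADMIN || role == CoselmarUserRole.SUPERVISOR;
            CoselmarUser askedUser = mayLookup ? getCoselmarUserDao().forTopiaIdEquals(fullId).findAny() : null;

            boolean isAdmin = role == CoselmarUserRole.ADMIN;
            boolean isSupervisor4Client = role == CoselmarUserRole.SUPERVISOR
                    && askedUser != null && askedUser.getRole() == CoselmarUserRole.CLIENT;

            if (!isAdmin && !isSupervisor4Client) {
                // … unchanged: debug log and UnauthorizedException …
            }
            userBean = BeanEntityConverter.toBean(userId, askedUser);
        }
```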
@@ -183,7 +208,7 @@ public class UsersWebService extends CoselmarWebServiceSupport {
         List<UserBean> result = new ArrayList<>(userList.size());
         for (CoselmarUser user : userList) {
-            String userLightId = getPersistenceContext().getTopiaIdFactory().getRandomPart(user.getTopiaId());
+            String userLightId = getShortIdFromFull(user.getTopiaId());
             UserBean userBean = BeanEntityConverter.toBean(userLightId, user);
             result.add(userBean);
         }
@@ -375,8 +400,7 @@ public class UsersWebService extends CoselmarWebServiceSupport {
         JWTSigner.Options signerOption = new JWTSigner.Options();
         signerOption.setAlgorithm(Algorithm.HS384);
-        String userTopiaId = user.getTopiaId();
-        String shortId = getPersistenceContext().getTopiaIdFactory().getRandomPart(userTopiaId);
+        String shortId = getShortIdFromFull(user.getTopiaId());
         Map<String, Object> claims = UserWebToken.toJwtClaims(shortId, user.getFirstname(), user.getName(), user.getRole().name());
         String webToken = jwtSigner.sign(claims, signerOption);
@@ -428,7 +452,7 @@ public class UsersWebService extends CoselmarWebServiceSupport {
         commit();
         LostPasswordMail lostPasswordMail = new LostPasswordMail(getServicesContext().getLocale());
-        String shortId = getPersistenceContext().getTopiaIdFactory().getRandomPart(user.getTopiaId());
+        String shortId = getShortIdFromFull(user.getTopiaId());
         UserBean userBean = BeanEntityConverter.toBean(shortId, user);
         lostPasswordMail.setUser(userBean);
         lostPasswordMail.setPassword(password);
@@ -473,7 +497,7 @@ public class UsersWebService extends CoselmarWebServiceSupport {
         List<UserBean> users = new ArrayList<>(userList.size());
         for (CoselmarUser user : userList) {
-            String userLightId = getPersistenceContext().getTopiaIdFactory().getRandomPart(user.getTopiaId());
+            String userLightId = getShortIdFromFull(user.getTopiaId());
             UserBean userBean = BeanEntityConverter.toBean(userLightId, user);
             users.add(userBean);
         }
--
To stop receiving notification emails like this one, please contact codelutin.com SCM administrator <admin+scm@codelutin.com>.