Add the PreAuthorize attribute to getAccessStatus

2025-10-07 01:54:22 +00:00 · 2022-05-05 14:00:45 -04:00
parent 845a552911
commit 34350dd468
2 changed files with 4 additions and 2 deletions
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/ItemAccessStatusLinkRepository.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/ItemAccessStatusLinkRepository.java
@@ -23,6 +23,7 @@ import org.dspace.core.Context;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.domain.Pageable;
 import org.springframework.data.rest.webmvc.ResourceNotFoundException;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Component;

 /**
@@ -38,6 +39,7 @@ public class ItemAccessStatusLinkRepository extends AbstractDSpaceRestRepository
    @Autowired
    AccessStatusService accessStatusService;

+    @PreAuthorize("hasPermission(#itemId, 'ITEM', 'READ')")
    public AccessStatusRest getAccessStatus(@Nullable HttpServletRequest request,
                                            UUID itemId,
                                            @Nullable Pageable optionalPageable,
--- a/dspace-server-webapp/src/test/java/org/dspace/app/rest/ItemRestRepositoryIT.java
+++ b/dspace-server-webapp/src/test/java/org/dspace/app/rest/ItemRestRepositoryIT.java
@@ -3887,7 +3887,7 @@ public class ItemRestRepositoryIT extends AbstractControllerIntegrationTest {
        getClient(tokenEperson).perform(get("/api/core/items/" + item.getID())
                 .param("projection", "full"))
                 .andExpect(status().isOk())
-                 .andExpect(jsonPath("$", HalMatcher.matchEmbeds("accessStatus")))
+                 .andExpect(jsonPath("$", HalMatcher.matchNoEmbeds()))
                 .andExpect(jsonPath("$.uuid", Matchers.is(item.getID().toString())))
                 .andExpect(jsonPath("$.name", Matchers.is(item.getName())))
                 .andExpect(jsonPath("$.handle", Matchers.is(item.getHandle())))
@@ -3920,7 +3920,7 @@ public class ItemRestRepositoryIT extends AbstractControllerIntegrationTest {
        getClient().perform(get("/api/core/items/" + item.getID())
                   .param("projection", "full"))
                   .andExpect(status().isOk())
-                   .andExpect(jsonPath("$", HalMatcher.matchEmbeds("accessStatus")))
+                   .andExpect(jsonPath("$", HalMatcher.matchNoEmbeds()))
                   .andExpect(jsonPath("$.uuid", Matchers.is(item.getID().toString())))
                   .andExpect(jsonPath("$.name", Matchers.is(item.getName())))
                   .andExpect(jsonPath("$.handle", Matchers.is(item.getHandle())))