[DURACOM-357] fix Collection Admin cannot see withdrawn item metadata

2025-10-07 18:14:26 +00:00 · 2025-04-29 11:57:38 +02:00
parent 4d79ea857f
commit 5e2bb4fb92
2 changed files with 65 additions and 3 deletions
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/converter/ItemConverter.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/converter/ItemConverter.java
@@ -8,7 +8,6 @@
 package org.dspace.app.rest.converter;
 import java.sql.SQLException;
 import java.util.ArrayList;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Objects;
@@ -76,8 +75,9 @@ public class ItemConverter
        List<MetadataValue> returnList = new LinkedList<>();
        try {
            if (obj.isWithdrawn() && (Objects.isNull(context) ||
-                                      Objects.isNull(context.getCurrentUser()) || !authorizeService.isAdmin(context))) {
+                                      Objects.isNull(context.getCurrentUser()) ||
-                return new MetadataValueList(new ArrayList<MetadataValue>());
+                !(authorizeService.isAdmin(context) || authorizeService.isCollectionAdmin(context)))) {
                return new MetadataValueList(List.of());
            }
            if (context != null && (authorizeService.isAdmin(context) || itemService.canEdit(context, obj))) {
                return new MetadataValueList(fullList);
--- a/dspace-server-webapp/src/test/java/org/dspace/app/rest/ItemRestRepositoryIT.java
+++ b/dspace-server-webapp/src/test/java/org/dspace/app/rest/ItemRestRepositoryIT.java
@@ -425,6 +425,68 @@ public class ItemRestRepositoryIT extends AbstractControllerIntegrationTest {
                .andExpect(jsonPath("$", publicItem1Matcher));
    }
    @Test
    public void findOneWithdrawnAsCollectionAdminTest() throws Exception {
        context.turnOffAuthorisationSystem();
        // Create collection admin account
        EPerson collectionAdmin = EPersonBuilder.createEPerson(context)
            .withEmail("collection-admin@dspace.com")
            .withPassword("test")
            .withCanLogin(true)
            .build();
        parentCommunity = CommunityBuilder.createCommunity(context)
            .withName("Parent Community")
            .build();
        Community child1 = CommunityBuilder.createSubCommunity(context, parentCommunity)
            .withName("Sub Community")
            .build();
        // Create collection
        Collection adminCollection = CollectionBuilder.createCollection(context, child1)
            .withName("Collection Admin col")
            .withAdminGroup(collectionAdmin)
            .build();
        Collection noAdminCollection =
            CollectionBuilder.createCollection(context, child1).withName("Collection non Admin")
                .build();
        // both items are withdrawn
        Item administeredItem = ItemBuilder.createItem(context, adminCollection)
            .withTitle("Public item 1")
            .withIssueDate("2017-10-17")
            .withAuthor("Smith, Donald").withAuthor("Doe, John")
            .withSubject("ExtraEntry")
            .withdrawn()
            .build();
        Item nonAdministeredItem = ItemBuilder.createItem(context, noAdminCollection)
            .withTitle("Public item 2")
            .withIssueDate("2016-02-13")
            .withAuthor("Smith, Maria").withAuthor("Doe, Jane")
            .withSubject("TestingForMore").withSubject("ExtraEntry")
            .withdrawn()
            .build();
        context.restoreAuthSystemState();
        String collectionAdmintoken = getAuthToken(collectionAdmin.getEmail(), "test");
        // Metadata are retrieved since user is administering the item's collection
        getClient(collectionAdmintoken).perform(get("/api/core/items/" + administeredItem.getID())
                .param("projection", "full"))
            .andExpect(status().isOk())
            .andExpect(jsonPath("$.metadata").isNotEmpty());
        // No metadata is retrieved since user is not administering the item's collection
        getClient().perform(get("/api/core/items/" + nonAdministeredItem.getID())
            .param("projection", "full"))
            .andExpect(status().isOk())
            .andExpect(jsonPath("$.metadata").isEmpty());
    }
    @Test
    public void findOneFullProjectionTest() throws Exception {
        context.turnOffAuthorisationSystem();