[DURACOM-318] update security annotations on ResourcePolicyRepository

(cherry picked from commit fabcc692db68e5232986ff062e849e4ec5c68c8b)

dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/ResourcePolicyRestRepository.java

@@ -25,6 +25,7 @@ import org.dspace.app.rest.exception.UnprocessableEntityException;
 import org.dspace.app.rest.model.ResourcePolicyRest;
 import org.dspace.app.rest.model.patch.Patch;
 import org.dspace.app.rest.repository.patch.ResourcePatch;
+import org.dspace.app.rest.security.DSpacePermissionEvaluator;
 import org.dspace.app.rest.utils.DSpaceObjectUtils;
 import org.dspace.app.rest.utils.Utils;
 import org.dspace.authorize.AuthorizeException;
@@ -44,6 +45,8 @@ import org.springframework.data.domain.Pageable;
 import org.springframework.data.rest.webmvc.ResourceNotFoundException;
 import org.springframework.hateoas.Link;
 import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Component;
 
 /**
@@ -73,6 +76,9 @@ public class ResourcePolicyRestRepository extends DSpaceRestRepository<ResourceP
     @Autowired
     ResourcePatch<ResourcePolicy> resourcePatch;
 
+    @Autowired
+    private DSpacePermissionEvaluator permissionEvaluator;
+
     @Autowired
     DiscoverableEndpointsService discoverableEndpointsService;
 
@@ -225,14 +231,13 @@ public class ResourcePolicyRestRepository extends DSpaceRestRepository<ResourceP
     }
 
     @Override
-    @PreAuthorize("hasAuthority('ADMIN')")
+    @PreAuthorize("isAuthenticated()")
     protected ResourcePolicyRest createAndReturn(Context context) throws AuthorizeException, SQLException {
 
         String resourceUuidStr = getRequestService().getCurrentRequest().getServletRequest().getParameter("resource");
         String epersonUuidStr = getRequestService().getCurrentRequest().getServletRequest().getParameter("eperson");
         String groupUuidStr = getRequestService().getCurrentRequest().getServletRequest().getParameter("group");
 
-
         if (resourceUuidStr == null) {
             throw new MissingParameterException("Missing resource (uuid) parameter");
         }
@@ -246,6 +251,11 @@ public class ResourcePolicyRestRepository extends DSpaceRestRepository<ResourceP
 
         UUID resourceUuid = UUID.fromString(resourceUuidStr);
 
+        if (isNotAuthorized(resourceUuid, "WRITE")) {
+            throw new AuthorizeException(
+                    "User unauthorized to create a new ResourcePolicy for resource: " + resourceUuid);
+        }
+
         try {
             resourcePolicyRest = mapper.readValue(req.getInputStream(), ResourcePolicyRest.class);
         } catch (IOException exIO) {
@@ -300,7 +310,7 @@ public class ResourcePolicyRestRepository extends DSpaceRestRepository<ResourceP
     }
 
     @Override
-    @PreAuthorize("hasAuthority('ADMIN')")
+    @PreAuthorize("hasPermission(#id, 'resourcepolicy', 'ADMIN')")
     protected void delete(Context context, Integer id) throws AuthorizeException {
         ResourcePolicy resourcePolicy = null;
         try {
@@ -334,4 +344,10 @@ public class ResourcePolicyRestRepository extends DSpaceRestRepository<ResourceP
                       Link.of("/api/" + ResourcePolicyRest.CATEGORY + "/" + ResourcePolicyRest.PLURAL_NAME + "/search",
                                          ResourcePolicyRest.PLURAL_NAME + "-search")));
     }
+
+    private boolean isNotAuthorized(UUID id, String permission) {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        return !permissionEvaluator.hasPermission(authentication, id, "resourcepolicy", permission);
+    }
+
 }