[CST-5306] Added security check in EPersonAuthority

2025-10-17 15:03:18 +00:00 · 2022-05-16 15:30:17 +02:00
parent 5a0b9ea456
commit d532829e73
5 changed files with 98 additions and 20 deletions
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/security/EPersonRestAuthenticationProvider.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/security/EPersonRestAuthenticationProvider.java
@@ -21,7 +21,6 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.lang3.StringUtils;
 import org.dspace.app.rest.login.PostLoggedInAction;
 import org.dspace.app.rest.utils.ContextUtil;
-import org.dspace.app.util.AuthorizeUtil;
 import org.dspace.authenticate.AuthenticationMethod;
 import org.dspace.authenticate.service.AuthenticationService;
 import org.dspace.authorize.service.AuthorizeService;
@@ -198,20 +197,15 @@ public class EPersonRestAuthenticationProvider implements AuthenticationProvider
        EPerson eperson = context.getCurrentUser();
        if (eperson != null) {
            boolean isAdmin = false;
-            boolean isCommunityAdmin = false;
-            boolean isCollectionAdmin = false;
            try {
                isAdmin = authorizeService.isAdmin(context, eperson);
-                isCommunityAdmin = authorizeService.isCommunityAdmin(context);
-                isCollectionAdmin = authorizeService.isCollectionAdmin(context);
            } catch (SQLException e) {
                log.error("SQL error while checking for admin rights", e);
            }

            if (isAdmin) {
                authorities.add(new SimpleGrantedAuthority(ADMIN_GRANT));
-            } else if ((isCommunityAdmin && AuthorizeUtil.canCommunityAdminManageAccounts())
-                       || (isCollectionAdmin && AuthorizeUtil.canCollectionAdminManageAccounts())) {
+            } else if (authorizeService.isAccountManager(context)) {
                authorities.add(new SimpleGrantedAuthority(MANAGE_ACCESS_GROUP));
            }

--- a/dspace-server-webapp/src/test/java/org/dspace/app/rest/EPersonAuthorityIT.java
+++ b/dspace-server-webapp/src/test/java/org/dspace/app/rest/EPersonAuthorityIT.java
@@ -9,6 +9,7 @@ package org.dspace.app.rest;

 import static org.dspace.app.rest.matcher.VocabularyMatcher.matchVocabularyEntry;
 import static org.hamcrest.Matchers.containsInAnyOrder;
+import static org.hamcrest.Matchers.empty;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -38,7 +39,7 @@ public class EPersonAuthorityIT extends AbstractControllerIntegrationTest {
        String thirdEPersonId = createEPerson("Luca", "Bollini");
        context.restoreAuthSystemState();

-        String token = getAuthToken(eperson.getEmail(), password);
+        String token = getAuthToken(admin.getEmail(), password);
        getClient(token).perform(get("/api/submission/vocabularies/EPersonAuthority/entries")
            .param("filter", "Luca"))
            .andExpect(status().isOk())
@@ -65,7 +66,7 @@ public class EPersonAuthorityIT extends AbstractControllerIntegrationTest {
        String thirdEPersonId = createEPerson("Luca", "Bollini");
        context.restoreAuthSystemState();

-        String token = getAuthToken(eperson.getEmail(), password);
+        String token = getAuthToken(admin.getEmail(), password);
        getClient(token).perform(get("/api/submission/vocabularies/EPersonAuthority/entries")
            .param("filter", "Giamminonni"))
            .andExpect(status().isOk())
@@ -91,7 +92,7 @@ public class EPersonAuthorityIT extends AbstractControllerIntegrationTest {
        String secondEPersonId = createEPerson("Andrea", "Bollini");
        context.restoreAuthSystemState();

-        String token = getAuthToken(eperson.getEmail(), password);
+        String token = getAuthToken(admin.getEmail(), password);
        getClient(token).perform(get("/api/submission/vocabularies/EPersonAuthority/entries")
            .param("filter", firstEPersonId))
            .andExpect(status().isOk())
@@ -108,6 +109,38 @@ public class EPersonAuthorityIT extends AbstractControllerIntegrationTest {

    }

+    @Test
+    public void testEPersonAuthorityWithAnonymousUser() throws Exception {
+
+        context.turnOffAuthorisationSystem();
+        createEPerson("Luca", "Giamminonni");
+        createEPerson("Andrea", "Bollini");
+        context.restoreAuthSystemState();
+
+        getClient().perform(get("/api/submission/vocabularies/EPersonAuthority/entries")
+            .param("filter", "Luca"))
+            .andExpect(status().isUnauthorized());
+
+    }
+
+    @Test
+    public void testEPersonAuthorityWithNotAdminUser() throws Exception {
+
+        context.turnOffAuthorisationSystem();
+        createEPerson("Luca", "Giamminonni");
+        createEPerson("Andrea", "Bollini");
+        createEPerson("Luca", "Bollini");
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+        getClient(token).perform(get("/api/submission/vocabularies/EPersonAuthority/entries")
+            .param("filter", "Luca"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$._embedded.entries", empty()))
+            .andExpect(jsonPath("$.page.totalElements", Matchers.is(0)));
+
+    }
+
    private String createEPerson(String firstName, String lastName) throws SQLException {
        return EPersonBuilder.createEPerson(context)
            .withNameInMetadata(firstName, lastName)