diff --git a/src/main/java/org/radarbase/appserver/controller/NotificationStateEventController.java b/src/main/java/org/radarbase/appserver/controller/NotificationStateEventController.java index 60d729c8..3deb789b 100644 --- a/src/main/java/org/radarbase/appserver/controller/NotificationStateEventController.java +++ b/src/main/java/org/radarbase/appserver/controller/NotificationStateEventController.java @@ -48,7 +48,7 @@ public NotificationStateEventController( this.notificationStateEventService = notificationStateEventService; } - @Authorized(permission = AuthPermissions.CREATE, entity = AuthEntities.MEASUREMENT) + @Authorized(permission = AuthPermissions.READ, entity = AuthEntities.PROJECT) @GetMapping( value = "/" @@ -64,8 +64,8 @@ public ResponseEntity> getNotificationStateEvent } @Authorized( - permission = AuthPermissions.CREATE, - entity = AuthEntities.MEASUREMENT, + permission = AuthPermissions.READ, + entity = AuthEntities.SUBJECT, permissionOn = PermissionOn.SUBJECT) @GetMapping( value = @@ -93,8 +93,8 @@ public ResponseEntity> getNotificationStateEvent } @Authorized( - permission = AuthPermissions.CREATE, - entity = AuthEntities.MEASUREMENT, + permission = AuthPermissions.UPDATE, + entity = AuthEntities.SUBJECT, permissionOn = PermissionOn.SUBJECT) @PostMapping( value = diff --git a/src/main/java/org/radarbase/appserver/controller/RadarProjectController.java b/src/main/java/org/radarbase/appserver/controller/RadarProjectController.java index a4b8062c..f51de00d 100644 --- a/src/main/java/org/radarbase/appserver/controller/RadarProjectController.java +++ b/src/main/java/org/radarbase/appserver/controller/RadarProjectController.java 
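Review bot: In the first hunk (the `@GetMapping` after line 48) the new `@Authorized(permission = AuthPermissions.READ, entity = AuthEntities.PROJECT)` carries no `permissionOn`, unlike the two other hunks which scope the check with `permissionOn = PermissionOn.SUBJECT`; what `PermissionOn` defaults to when omitted is not visible here, so it is worth confirming that a token holding READ.PROJECT on a single project cannot list notification state events across every project through this endpoint. If the listing is intentionally global, a one-line comment above the annotation, e.g. `// global listing: READ.PROJECT is required without a project/subject scope`, would record that as a decision rather than an omission. The third hunk moves the POST endpoint from CREATE.MEASUREMENT to UPDATE.SUBJECT, which reads as the right class of permission for a state-changing write, but the method signatures these annotations attach to lie outside the hunks, so which subject id the check is resolved against cannot be confirmed from this view.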
@@ -120,16 +120,36 @@ public ResponseEntity addProject( * org.radarbase.appserver.exception.NotFoundException} if project was not found. */ @Authorized( - permission = AuthPermissions.CREATE, - entity = AuthEntities.MEASUREMENT, + permission = AuthPermissions.UPDATE, + entity = AuthEntities.SUBJECT, permissionOn = PermissionOn.PROJECT) @PutMapping( value = "/" + PathsUtil.PROJECT_PATH + "/" + PathsUtil.PROJECT_ID_CONSTANT, consumes = {MediaType.APPLICATION_JSON_VALUE}) public ResponseEntity updateProject( - @Valid @PathParam("projectId") String projectId, @Valid @RequestBody ProjectDto projectDto) { - ProjectDto projectDto1 = this.projectService.updateProject(projectDto); - return ResponseEntity.ok(projectDto1); + @Valid @PathParam("projectId") String projectId, @Valid @RequestBody ProjectDto projectDto, + HttpServletRequest request) { + + if (authorization != null) { + RadarToken token = (RadarToken) request.getAttribute(AuthAspect.TOKEN_KEY); + if (authorization.hasPermission( + token, + AuthPermissions.UPDATE, + AuthEntities.SUBJECT, + PermissionOn.PROJECT, + projectDto.getProjectId(), + null, + null)) { + ProjectDto projectDto1 = this.projectService.updateProject(projectDto); + return ResponseEntity.ok(projectDto1); + } else { + throw new AuthorizationFailedException( + "The token does not have permission for the project " + projectDto.getProjectId()); + } + } else { + ProjectDto projectDto1 = this.projectService.updateProject(projectDto); + return ResponseEntity.ok(projectDto1); + } } @Authorized(permission = AuthPermissions.READ, entity = AuthEntities.PROJECT) 
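Review bot: The permission check added to updateProject authorizes against `projectDto.getProjectId()` from the request body, while the `projectId` path parameter is bound but never read, so the path and the body can name different projects and only the body's project is checked and updated. Reject a mismatch before the permission check, e.g. `if (!projectId.equals(projectDto.getProjectId())) { throw new AuthorizationFailedException("Path projectId does not match body projectId"); }`, or pass `projectId` to `hasPermission` and write it into the DTO so the path is the single source of truth. The in-method check duplicates the `@Authorized(permission = UPDATE, entity = SUBJECT, permissionOn = PROJECT)` annotation on the same method; if the annotation already resolves the project from the path, a short comment stating why the body id needs a second check would make the double check deliberate. The two success branches call `updateProject(projectDto)` identically and could be collapsed into one call after the guard. `@PathParam` here may be the JAX-RS/websocket annotation rather than Spring's `@PathVariable`, in which case `projectId` would be null at runtime; confirm which import is in use.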
@@ -160,7 +180,7 @@ public ResponseEntity getAllProjects(HttpServletRequest request) { } // TODO think about plain authorized - @Authorized(permission = AuthPermissions.CREATE, entity = AuthEntities.MEASUREMENT) + @Authorized(permission = AuthPermissions.READ, entity = AuthEntities.PROJECT) @GetMapping("/" + PathsUtil.PROJECT_PATH + "/project") public ResponseEntity getProjectsUsingId( HttpServletRequest request, @Valid @PathParam("id") Long id) { @@ -169,8 +189,8 @@ public ResponseEntity getProjectsUsingId( RadarToken token = (RadarToken) request.getAttribute(AuthAspect.TOKEN_KEY); if (authorization.hasPermission( token, - AuthPermissions.CREATE, - AuthEntities.MEASUREMENT, + AuthPermissions.READ, + AuthEntities.PROJECT, PermissionOn.PROJECT, projectDto.getProjectId(), null,
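Review bot: The manual `hasPermission` call in getProjectsUsingId now repeats the exact permission of the `@Authorized(permission = READ, entity = PROJECT)` annotation above it; because that annotation has no `permissionOn`, the in-method check appears to be what actually scopes the request to `projectDto.getProjectId()`, and the surviving `// TODO think about plain authorized` does not say so. A comment above the `if (authorization.hasPermission(` line such as `// @Authorized carries no project scope here (the project is looked up by numeric id); re-check READ.PROJECT against the resolved project id` would mark the second check as intentional rather than leftover. The `if (authorization != null)` guard and the rest of the method lie outside the second hunk, so whether a missing authorization bean skips the scoped check entirely, as the updateProject change does, cannot be confirmed from this view. `@PathParam("id")` on a `/project` mapping with no path placeholder may be the JAX-RS annotation rather than Spring's `@RequestParam`; worth confirming the import.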