SB-23529: Check admin authorization in update api for admin activities (
#101)

* SB-23529: Check admin authorization in update api for admin activities
sknirmalkar89 authored Mar 10, 2021
1 parent 1859ea8 commit a47bd21
Showing 3 changed files with 18 additions and 4 deletions.
Expand Up @@ -88,7 +88,8 @@ private void updateGroup(Request actorMessage) throws BaseException {
// Check if user is authorized to delete ,suspend and re-activate operation
// Allow all member to exit the group
if (!isExitGroupRequest) {
checkUserAuthorization(dbResGroup, membersInDB, group.getStatus(), userId);
checkUserAuthorization(
dbResGroup, membersInDB, group.getStatus(), userId, actorMessage.getRequest());
}

if (MapUtils.isNotEmpty((Map) actorMessage.getRequest().get(JsonKey.MEMBERS))) {
Expand Down Expand Up @@ -175,7 +176,8 @@ private void checkUserAuthorization(
Map<String, Object> dbResGroup,
List<MemberResponse> membersInDB,
String status,
String userId) {
String userId,
Map<String, Object> groupRequest) {
MemberResponse member =
membersInDB.stream().filter(x -> x.getUserId().equals(userId)).findAny().orElse(null);
// Check User is authorized Suspend , Re-activate or delete the group .
Expand All @@ -188,6 +190,18 @@ private void checkUserAuthorization(
&& !userId.equals((String) dbResGroup.get(JsonKey.CREATED_BY))) {
throw new AuthorizationException.NotAuthorized();
}

// check only admin should be able to update name, description, status ,add,edit or remove
// members
if (StringUtils.isNotEmpty((String) groupRequest.get(JsonKey.GROUP_DESC))
|| StringUtils.isNotEmpty((String) groupRequest.get(JsonKey.GROUP_NAME))
|| StringUtils.isNotEmpty((String) groupRequest.get(JsonKey.GROUP_MEMBERSHIP_TYPE))
|| StringUtils.isNotEmpty((String) groupRequest.get(JsonKey.GROUP_STATUS))
|| MapUtils.isNotEmpty((Map) groupRequest.get(JsonKey.MEMBERS))) {
if (member == null || !JsonKey.ADMIN.equals(member.getRole())) {
throw new AuthorizationException.NotAuthorized();
}
}
}

private List<Map<String, String>> validateActivityList(
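Review bot: The new admin gate in checkUserAuthorization tests the value of a fixed list of request keys, so a key that is present but empty (`""` for GROUP_NAME, say) or carries a non-String value is not gated — the unchecked `(String)` cast on an untrusted map value would surface as a ClassCastException rather than NotAuthorized — and any updatable key outside that list (the activity list handled by validateActivityList, whose signature is cut off below, for instance) never reaches the check at all. Testing presence instead of value is safer here, e.g. `|| groupRequest.containsKey(JsonKey.GROUP_NAME)` and likewise for the other keys, and an allow-list of the keys a non-admin member may send, with everything else requiring ADMIN, would also cover fields added later. Note that this method is only called when isExitGroupRequest is false (first hunk), so an exit request that also carries these keys is not checked here; whether the update path then applies them is outside the hunk. A method comment would help too: `// Throws NotAuthorized unless the caller is an ADMIN member whenever the request carries name, description, membership-type, status or member changes`. checkUserAuthorization's opening lines are in the previous hunk.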
Expand Up @@ -117,7 +117,7 @@ public void testCreateGroup() throws Exception {
TestKit probe = new TestKit(system);
ActorRef subject = system.actorOf(props);
subject.tell(reqObj, probe.getRef());
Response res = probe.expectMsgClass(Duration.ofSeconds(30), Response.class);
Response res = probe.expectMsgClass(Duration.ofSeconds(20), Response.class);
System.out.println(res.getResult());
Assert.assertTrue(null != res && res.getResponseCode() == 200);
Assert.assertNotNull(res.getResult().get(JsonKey.GROUP_ID));
Expand Up @@ -122,7 +122,7 @@ public void testUpdateGroup() {

Request reqObj = updateGroupReq();
subject.tell(reqObj, probe.getRef());
Response res = probe.expectMsgClass(Duration.ofSeconds(20), Response.class);
Response res = probe.expectMsgClass(Duration.ofSeconds(30), Response.class);
Assert.assertTrue(null != res && res.getResponseCode() == 200);
}
