From a47bd21e8c0642bb28bc9859d10ce5873d1d8e9d Mon Sep 17 00:00:00 2001
From: sknirmalkar89 <59080585+sknirmalkar89@users.noreply.github.com>
Date: Wed, 10 Mar 2021 13:28:07 +0530
Subject: [PATCH] SB-23529: Check admin authorization in update api for admin activities (#101)

* SB-23529: Check admin authorization in update api for admin activities
---
 .../org/sunbird/actors/UpdateGroupActor.java | 18 ++++++++++++++++--
 .../sunbird/actors/CreateGroupActorTest.java | 2 +-
 .../sunbird/actors/UpdateGroupActorTest.java | 2 +-
 3 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/group-actors/src/main/java/org/sunbird/actors/UpdateGroupActor.java b/group-actors/src/main/java/org/sunbird/actors/UpdateGroupActor.java
index cbc7a7ad..d204d00f 100644
--- a/group-actors/src/main/java/org/sunbird/actors/UpdateGroupActor.java
+++ b/group-actors/src/main/java/org/sunbird/actors/UpdateGroupActor.java
@@ -88,7 +88,8 @@ private void updateGroup(Request actorMessage) throws BaseException {
     // Check if user is authorized to delete ,suspend and re-activate operation
     // Allow all member to exit the group
     if (!isExitGroupRequest) {
-      checkUserAuthorization(dbResGroup, membersInDB, group.getStatus(), userId);
+      checkUserAuthorization(
+          dbResGroup, membersInDB, group.getStatus(), userId, actorMessage.getRequest());
     }
 
     if (MapUtils.isNotEmpty((Map) actorMessage.getRequest().get(JsonKey.MEMBERS))) {
@@ -175,7 +176,8 @@ private void checkUserAuthorization(
       Map dbResGroup,
       List membersInDB,
       String status,
-      String userId) {
+      String userId,
+      Map groupRequest) {
     MemberResponse member =
         membersInDB.stream().filter(x -> x.getUserId().equals(userId)).findAny().orElse(null);
     // Check User is authorized Suspend , Re-activate or delete the group .
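Review bot: The admin gate that this commit adds inside checkUserAuthorization is skipped entirely for an exit request, so its coverage depends on how `isExitGroupRequest` is computed, which is above this hunk and not visible here. If that flag is derived only from the members.remove list containing the caller, a request that also carries `name`, `description`, `membershipType`, `status` or members.add/edit would reach the later `MEMBERS` branch and the field updates without any admin check. Worth confirming that `isExitGroupRequest` is true only when the request contains nothing but the caller's own removal, or otherwise calling `checkUserAuthorization(dbResGroup, membersInDB, group.getStatus(), userId, actorMessage.getRequest());` unconditionally and exempting just the self-removal case inside it. updateGroup's body continues outside the hunk on both sides.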
@@ -188,6 +190,18 @@ private void checkUserAuthorization(
         && !userId.equals((String) dbResGroup.get(JsonKey.CREATED_BY))) {
       throw new AuthorizationException.NotAuthorized();
     }
+
+    // check only admin should be able to update name, description, status ,add,edit or remove
+    // members
+    if (StringUtils.isNotEmpty((String) groupRequest.get(JsonKey.GROUP_DESC))
+        || StringUtils.isNotEmpty((String) groupRequest.get(JsonKey.GROUP_NAME))
+        || StringUtils.isNotEmpty((String) groupRequest.get(JsonKey.GROUP_MEMBERSHIP_TYPE))
+        || StringUtils.isNotEmpty((String) groupRequest.get(JsonKey.GROUP_STATUS))
+        || MapUtils.isNotEmpty((Map) groupRequest.get(JsonKey.MEMBERS))) {
+      if (member == null || !JsonKey.ADMIN.equals(member.getRole())) {
+        throw new AuthorizationException.NotAuthorized();
+      }
+    }
   }
 
   private List> validateActivityList(
diff --git a/group-actors/src/test/java/org/sunbird/actors/CreateGroupActorTest.java b/group-actors/src/test/java/org/sunbird/actors/CreateGroupActorTest.java
index b064a922..a83b98ed 100644
--- a/group-actors/src/test/java/org/sunbird/actors/CreateGroupActorTest.java
+++ b/group-actors/src/test/java/org/sunbird/actors/CreateGroupActorTest.java
@@ -117,7 +117,7 @@ public void testCreateGroup() throws Exception {
     TestKit probe = new TestKit(system);
     ActorRef subject = system.actorOf(props);
     subject.tell(reqObj, probe.getRef());
-    Response res = probe.expectMsgClass(Duration.ofSeconds(30), Response.class);
+    Response res = probe.expectMsgClass(Duration.ofSeconds(20), Response.class);
     System.out.println(res.getResult());
     Assert.assertTrue(null != res && res.getResponseCode() == 200);
     Assert.assertNotNull(res.getResult().get(JsonKey.GROUP_ID));
diff --git a/group-actors/src/test/java/org/sunbird/actors/UpdateGroupActorTest.java b/group-actors/src/test/java/org/sunbird/actors/UpdateGroupActorTest.java
index eda93bf3..0d41a5d2 100644
--- a/group-actors/src/test/java/org/sunbird/actors/UpdateGroupActorTest.java
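Review bot: The new admin check keys on the value of each privileged field rather than on its presence, so a non-admin request carrying `name: ""` or an empty `members` map passes this gate, and the `(String)` casts turn a non-string value into a ClassCastException (a server error, not NotAuthorized); whether an empty name later becomes a real write depends on validation outside this hunk. Gating on `containsKey` is stricter and cheaper: any attempt by a non-admin to touch a privileged key is rejected whatever the value. The condition is also a closed list of five keys, and `validateActivityList` just below suggests the request can carry an activities list as well, so if non-admins must not edit activities that key belongs in the list too. The only test changes in this commit are timeout tweaks, so the NotAuthorized path for a plain member is not exercised; a test sending name/members as a non-admin member and expecting NotAuthorized would pin the fix.
```java
    // Only an ADMIN member may change group fields or the member list; gate on the key being
    // present so an empty or oddly-typed value cannot slip past the check.
    if (groupRequest.containsKey(JsonKey.GROUP_DESC)
        || groupRequest.containsKey(JsonKey.GROUP_NAME)
        || groupRequest.containsKey(JsonKey.GROUP_MEMBERSHIP_TYPE)
        || groupRequest.containsKey(JsonKey.GROUP_STATUS)
        || groupRequest.containsKey(JsonKey.MEMBERS)) {
      // … unchanged: admin-role check and NotAuthorized throw …
    }
```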
+++ b/group-actors/src/test/java/org/sunbird/actors/UpdateGroupActorTest.java
@@ -122,7 +122,7 @@ public void testUpdateGroup() {
     Request reqObj = updateGroupReq();
     subject.tell(reqObj, probe.getRef());
-    Response res = probe.expectMsgClass(Duration.ofSeconds(20), Response.class);
+    Response res = probe.expectMsgClass(Duration.ofSeconds(30), Response.class);
     Assert.assertTrue(null != res && res.getResponseCode() == 200);
   }