Enable check of user
pvannierop committed May 3, 2024
1 parent 2466b12 commit f1e52f0
Showing 1 changed file with 14 additions and 8 deletions.
Expand Up @@ -22,21 +22,22 @@ import jakarta.annotation.Resource
import jakarta.ws.rs.*
import jakarta.ws.rs.container.ContainerRequestContext
import jakarta.ws.rs.core.Context
import jakarta.ws.rs.core.Response
import org.radarbase.datadashboard.api.service.ObservationService
import org.radarbase.auth.authorization.Permission
import org.radarbase.datadashboard.api.api.ObservationDto
import org.radarbase.datadashboard.api.api.ObservationListDto
import org.radarbase.jersey.auth.Authenticated
import org.radarbase.jersey.auth.NeedsPermission
import org.radarbase.jersey.auth.filter.RadarSecurityContext
import org.slf4j.LoggerFactory

@Path("subject/{subjectId}/topic/{topicId}")
@Resource
@Produces("application/json")
@Consumes("application/json")
@Authenticated
class ObservationResource(
@Context private val observationService: ObservationService
@Context private val observationService: ObservationService,
@Context private val request: ContainerRequestContext
) {
@GET
@Path("observations")
Expand All @@ -45,11 +46,16 @@ class ObservationResource(
@PathParam("subjectId") subjectId: String,
@PathParam("topicId") topicId: String
): ObservationListDto {
// if (request.securityContext != null && request.securityContext is RadarSecurityContext) {
// val userName = (request.securityContext as RadarSecurityContext).userPrincipal
// if (!subjectId.equals(userName)) throw NotFoundException("Subjects can only access their own data.")
if (request.securityContext != null && request.securityContext is RadarSecurityContext) {
val userName = (request.securityContext as RadarSecurityContext).userPrincipal
log.info("User $userName is accessing observations for $subjectId")
if (!subjectId.equals(userName)) throw NotFoundException("Subjects can only request their own observations.")
return observationService.getObservations(topicId, subjectId)
// }
// return emptyList()
}
return ObservationListDto(emptyList())
}

companion object {
private val log = LoggerFactory.getLogger(ObservationResource::class.java)
}
}
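Review bot: The ownership check in the second hunk compares the String `subjectId` with `userPrincipal`, which on a JAX-RS `SecurityContext` is normally a `java.security.Principal` rather than a String; if that holds for `RadarSecurityContext`, `subjectId.equals(userName)` is false for every caller and each request ends in the NotFoundException, so the comparison should use the principal's name: `if (subjectId != userName?.name) throw NotFoundException("Subjects can only request their own observations.")`. The fall-through `return ObservationListDto(emptyList())` answers 200 with an empty list when the security context is missing or of another type; denying there, e.g. `throw ForbiddenException()`, would keep a misconfigured auth filter from looking like "no data". The `log.info` line writes the caller-supplied `subjectId` at info level before it has been checked, so it is better logged after the comparison, with line breaks stripped. The method's signature line falls between the two hunks and is not visible here.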
