From f1e52f0790192dd7c3b634c83d94a9c4c660fd8a Mon Sep 17 00:00:00 2001
From: Pim van Nierop
Date: Fri, 3 May 2024 12:41:24 +0200
Subject: [PATCH] Enable check of user

---
 .../api/resource/ObservationResource.kt | 22 ++++++++++++-------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/data-dashboard-backend/src/main/java/org/radarbase/datadashboard/api/resource/ObservationResource.kt b/data-dashboard-backend/src/main/java/org/radarbase/datadashboard/api/resource/ObservationResource.kt
index 34616fc..9770b9c 100644
--- a/data-dashboard-backend/src/main/java/org/radarbase/datadashboard/api/resource/ObservationResource.kt
+++ b/data-dashboard-backend/src/main/java/org/radarbase/datadashboard/api/resource/ObservationResource.kt
@@ -22,13 +22,13 @@ import jakarta.annotation.Resource
 import jakarta.ws.rs.*
 import jakarta.ws.rs.container.ContainerRequestContext
 import jakarta.ws.rs.core.Context
-import jakarta.ws.rs.core.Response
 import org.radarbase.datadashboard.api.service.ObservationService
 import org.radarbase.auth.authorization.Permission
-import org.radarbase.datadashboard.api.api.ObservationDto
 import org.radarbase.datadashboard.api.api.ObservationListDto
 import org.radarbase.jersey.auth.Authenticated
 import org.radarbase.jersey.auth.NeedsPermission
+import org.radarbase.jersey.auth.filter.RadarSecurityContext
+import org.slf4j.LoggerFactory
 
 @Path("subject/{subjectId}/topic/{topicId}")
 @Resource
@@ -36,7 +36,8 @@ import org.radarbase.jersey.auth.NeedsPermission
 @Consumes("application/json")
 @Authenticated
 class ObservationResource(
-    @Context private val observationService: ObservationService
+    @Context private val observationService: ObservationService,
+    @Context private val request: ContainerRequestContext
 ) {
     @GET
     @Path("observations")
@@ -45,11 +46,16 @@ class ObservationResource(
         @PathParam("subjectId") subjectId: String,
         @PathParam("topicId") topicId: String
     ): ObservationListDto {
-//        if (request.securityContext != null && request.securityContext is RadarSecurityContext) {
-//            val userName = (request.securityContext as RadarSecurityContext).userPrincipal
-//            if (!subjectId.equals(userName)) throw NotFoundException("Subjects can only access their own data.")
+        if (request.securityContext != null && request.securityContext is RadarSecurityContext) {
+            val userName = (request.securityContext as RadarSecurityContext).userPrincipal
+            log.info("User $userName is accessing observations for $subjectId")
+            if (!subjectId.equals(userName)) throw NotFoundException("Subjects can only request their own observations.")
             return observationService.getObservations(topicId, subjectId)
-//        }
-//        return emptyList()
+        }
+        return ObservationListDto(emptyList())
+    }
+
+    companion object {
+        private val log = LoggerFactory.getLogger(ObservationResource::class.java)
     }
 }
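Review bot: The ownership check `if (!subjectId.equals(userName))` compares the `String` path parameter with `userPrincipal`, which, unless `RadarSecurityContext` overrides it to return a `String`, is the `java.security.Principal` that `SecurityContext.getUserPrincipal()` declares — in that case the comparison is always false and every request, including the subject's own, ends in a 404, so the name should be taken via `userPrincipal?.name` (please confirm the type on `RadarSecurityContext`). The fallthrough `return ObservationListDto(emptyList())` for a request without a `RadarSecurityContext` is also fail-silent: on a class annotated `@Authenticated` that situation is a misconfiguration, and answering with an empty 200 hides it from both the caller and the logs, so rejecting explicitly (`jakarta.ws.rs.*` is imported, so `ForbiddenException` is in scope) is safer. Stylistically, the `!= null && is RadarSecurityContext` guard followed by an explicit `as RadarSecurityContext` cast can collapse into a single `as?`, and `!subjectId.equals(userName)` into `subjectId != userName`. Note that this check rejects any authenticated caller whose principal is not the subject, which may or may not be what `@NeedsPermission` on this endpoint intends for project-level roles. The enclosing function's signature starts above the hunk.
```kotlin
    ): ObservationListDto {
        // A request that passed @Authenticated without a RADAR context is a setup error, not "no data".
        val securityContext = request.securityContext as? RadarSecurityContext
            ?: throw ForbiddenException("Request carries no RADAR security context")
        val userName = securityContext.userPrincipal?.name  // TODO(review): confirm userPrincipal is a Principal, not a String
        log.info("User $userName is accessing observations for $subjectId")
        // 404 rather than 403 so a subject cannot probe whether other subject IDs exist.
        if (subjectId != userName) throw NotFoundException("Subjects can only request their own observations.")
        return observationService.getObservations(topicId, subjectId)
    }
    // … unchanged: companion object with the logger …
```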