Example 1 with ForbiddenEntityException
use of eu.bcvsolutions.idm.core.api.exception.ForbiddenEntityException in project CzechIdMng by bcvsolutions.
the class AbstractFormableService method publish.
@Override
@Transactional
public EventContext<DTO> publish(EntityEvent<DTO> event, EntityEvent<?> parentEvent, BasePermission... permission) {
// check access to filled form values
// access has to be evaluated before event is published - is not available in save internal method
BasePermission[] permissions = PermissionUtils.trimNull(permission);
if (!ObjectUtils.isEmpty(permissions)) {
FormableEntity owner = getOwner(event.getContent());
FormValueService<FormableEntity> formValueService = formService.getFormValueService(getDtoClass());
event.getContent().getEavs().forEach(formInstance -> {
formInstance.getValues().forEach(formValue -> {
// set owner is needed for checking access on new values
formValue.setOwner(owner);
Set<String> availablePermissions = formValueService.getPermissions(formValue);
if (event.hasType(CoreEventType.CREATE)) {
// Create or update permission, when owner is created.
if (!PermissionUtils.hasAnyPermission(availablePermissions, IdmBasePermission.CREATE, IdmBasePermission.UPDATE)) {
throw new ForbiddenEntityException(formValue, IdmBasePermission.CREATE, IdmBasePermission.UPDATE);
}
} else {
// UPDATE is enough for all CUD otherwise.
if (!PermissionUtils.hasPermission(availablePermissions, IdmBasePermission.UPDATE)) {
throw new ForbiddenEntityException(formValue, IdmBasePermission.UPDATE);
}
}
});
});
}
//
return super.publish(event, parentEvent, permission);
}
Also used :
IdmBasePermission(eu.bcvsolutions.idm.core.security.api.domain.IdmBasePermission)
BasePermission(eu.bcvsolutions.idm.core.security.api.domain.BasePermission)
FormableEntity(eu.bcvsolutions.idm.core.eav.api.entity.FormableEntity)
ForbiddenEntityException(eu.bcvsolutions.idm.core.api.exception.ForbiddenEntityException)
Transactional(org.springframework.transaction.annotation.Transactional)
Example 2 with ForbiddenEntityException
use of eu.bcvsolutions.idm.core.api.exception.ForbiddenEntityException in project CzechIdMng by bcvsolutions.
the class IdmTreeTypeController method getDefaultTreeType.
/**
* Returns default tree type or {@code null}, if no default tree type is defined
*
* @return
*/
@ResponseBody
@RequestMapping(value = "/search/default", method = RequestMethod.GET)
@PreAuthorize("hasAuthority('" + CoreGroupPermission.TREETYPE_AUTOCOMPLETE + "')" + " or hasAuthority('" + CoreGroupPermission.TREETYPE_READ + "')")
@ApiOperation(value = "Get default tree type detail", nickname = "getDefaultTreeType", response = IdmTreeTypeDto.class, tags = { IdmTreeTypeController.TAG }, authorizations = { @Authorization(value = SwaggerConfig.AUTHENTICATION_BASIC, scopes = { @AuthorizationScope(scope = CoreGroupPermission.TREETYPE_AUTOCOMPLETE, description = ""), @AuthorizationScope(scope = CoreGroupPermission.TREETYPE_READ, description = "") }), @Authorization(value = SwaggerConfig.AUTHENTICATION_CIDMST, scopes = { @AuthorizationScope(scope = CoreGroupPermission.TREETYPE_AUTOCOMPLETE, description = ""), @AuthorizationScope(scope = CoreGroupPermission.TREETYPE_READ, description = "") }) })
public ResponseEntity<?> getDefaultTreeType() {
IdmTreeTypeDto defaultTreeType = service.getDefaultTreeType();
if (defaultTreeType == null) {
throw new ResultCodeException(CoreResultCode.NOT_FOUND, ImmutableMap.of("entity", "default tree type"));
}
Set<String> permissions = getService().getPermissions(defaultTreeType.getId());
if (!PermissionUtils.hasAnyPermission(permissions, IdmBasePermission.AUTOCOMPLETE, IdmBasePermission.READ)) {
throw new ForbiddenEntityException(defaultTreeType.getId(), IdmBasePermission.AUTOCOMPLETE, IdmBasePermission.READ);
}
return new ResponseEntity<>(toResource(defaultTreeType), HttpStatus.OK);
}
Also used :
IdmTreeTypeDto(eu.bcvsolutions.idm.core.api.dto.IdmTreeTypeDto)
ResponseEntity(org.springframework.http.ResponseEntity)
ResultCodeException(eu.bcvsolutions.idm.core.api.exception.ResultCodeException)
ForbiddenEntityException(eu.bcvsolutions.idm.core.api.exception.ForbiddenEntityException)
ApiOperation(io.swagger.annotations.ApiOperation)
PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)
ResponseBody(org.springframework.web.bind.annotation.ResponseBody)
RequestMapping(org.springframework.web.bind.annotation.RequestMapping)
Example 3 with ForbiddenEntityException
use of eu.bcvsolutions.idm.core.api.exception.ForbiddenEntityException in project CzechIdMng by bcvsolutions.
the class DefaultLongRunningTaskManager method getAttachment.
@Override
public IdmAttachmentDto getAttachment(UUID longRunningTaskId, UUID attachmentId, BasePermission... permission) {
Assert.notNull(longRunningTaskId, "Task identifier is required.");
Assert.notNull(attachmentId, "Attachment identifier is required");
IdmLongRunningTaskDto longRunningTaskDto = service.get(longRunningTaskId, permission);
if (longRunningTaskDto == null) {
throw new EntityNotFoundException(service.getEntityClass(), longRunningTaskId);
}
IdmAttachmentDto attachmentDto = attachmentManager.get(attachmentId, permission);
if (attachmentDto == null) {
throw new EntityNotFoundException(IdmAttachment.class, attachmentId);
}
if (!ObjectUtils.isEmpty(PermissionUtils.trimNull(permission)) && !attachmentDto.getOwnerId().equals(longRunningTaskDto.getId())) {
throw new ForbiddenEntityException((Serializable) attachmentId, PermissionUtils.trimNull(permission));
}
//
return attachmentDto;
}
Also used :
IdmAttachmentDto(eu.bcvsolutions.idm.core.ecm.api.dto.IdmAttachmentDto)
IdmLongRunningTaskDto(eu.bcvsolutions.idm.core.scheduler.api.dto.IdmLongRunningTaskDto)
EntityNotFoundException(eu.bcvsolutions.idm.core.api.exception.EntityNotFoundException)
ForbiddenEntityException(eu.bcvsolutions.idm.core.api.exception.ForbiddenEntityException)
Example 4 with ForbiddenEntityException
use of eu.bcvsolutions.idm.core.api.exception.ForbiddenEntityException in project CzechIdMng by bcvsolutions.
the class DefaultIdentityProjectionManager method saveOtherPositions.
protected List<IdmContractPositionDto> saveOtherPositions(EntityEvent<IdmIdentityProjectionDto> event, BasePermission... permission) {
IdmIdentityProjectionDto dto = event.getContent();
IdmIdentityProjectionDto previousProjection = event.getOriginalSource();
List<IdmContractPositionDto> savedPositions = new ArrayList<>(dto.getOtherPositions().size());
IdmIdentityContractDto contract = dto.getContract();
//
// check other contract position has to be saved
IdmIdentityDto identity = dto.getIdentity();
if (identity.getFormProjection() != null) {
IdmFormProjectionDto formProjection = lookupService.lookupEmbeddedDto(dto.getIdentity(), IdmIdentity_.formProjection);
if (!formProjection.getProperties().getBooleanValue(IdentityFormProjectionRoute.PARAMETER_OTHER_POSITION)) {
LOG.debug("Projection [{}] doesn't save other contract positions.", formProjection.getCode());
return savedPositions;
}
}
//
for (IdmContractPositionDto otherPosition : dto.getOtherPositions()) {
if (otherPosition.getIdentityContract() == null) {
if (contract == null) {
throw new ForbiddenEntityException("contract", IdmBasePermission.READ);
}
otherPosition.setIdentityContract(contract.getId());
}
ContractPositionEventType positionEventType = ContractPositionEventType.CREATE;
if (!contractPositionService.isNew(otherPosition)) {
positionEventType = ContractPositionEventType.UPDATE;
}
ContractPositionEvent positionEvent = new ContractPositionEvent(positionEventType, otherPosition);
//
savedPositions.add(contractPositionService.publish(positionEvent, event, permission).getContent());
if (previousProjection != null) {
previousProjection.getOtherPositions().removeIf(p -> {
return Objects.equals(p.getId(), otherPosition.getId());
});
}
}
// remove not sent positions, if previous exists
if (previousProjection != null) {
for (IdmContractPositionDto contractPosition : previousProjection.getOtherPositions()) {
ContractPositionEventType positionEventType = ContractPositionEventType.DELETE;
ContractPositionEvent positionEvent = new ContractPositionEvent(positionEventType, contractPosition);
//
contractPositionService.publish(positionEvent, event, PermissionUtils.isEmpty(permission) ? null : IdmBasePermission.DELETE);
}
}
//
return savedPositions;
}
Also used :
IdmFormProjectionDto(eu.bcvsolutions.idm.core.eav.api.dto.IdmFormProjectionDto)
ContractPositionEventType(eu.bcvsolutions.idm.core.model.event.ContractPositionEvent.ContractPositionEventType)
IdmContractPositionDto(eu.bcvsolutions.idm.core.api.dto.IdmContractPositionDto)
ArrayList(java.util.ArrayList)
ContractPositionEvent(eu.bcvsolutions.idm.core.model.event.ContractPositionEvent)
IdmIdentityDto(eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto)
IdmIdentityContractDto(eu.bcvsolutions.idm.core.api.dto.IdmIdentityContractDto)
IdmIdentityProjectionDto(eu.bcvsolutions.idm.core.api.dto.projection.IdmIdentityProjectionDto)
ForbiddenEntityException(eu.bcvsolutions.idm.core.api.exception.ForbiddenEntityException)
Example 5 with ForbiddenEntityException
use of eu.bcvsolutions.idm.core.api.exception.ForbiddenEntityException in project CzechIdMng by bcvsolutions.
the class RoleRequestByWfEvaluatorIntegrationTest method testHistoricRoleRequestByWfInvolvedIdentityEvaluator.
@Test
public void testHistoricRoleRequestByWfInvolvedIdentityEvaluator() {
// approve only by help desk
configurationService.setValue(APPROVE_BY_SECURITY_ENABLE, "false");
configurationService.setValue(APPROVE_BY_MANAGER_ENABLE, "false");
configurationService.setValue(APPROVE_BY_HELPDESK_ENABLE, "true");
configurationService.setValue(APPROVE_BY_USERMANAGER_ENABLE, "false");
loginAsAdmin();
IdmIdentityDto applicant = getHelper().createIdentity();
IdmIdentityDto otherUser = getHelper().createIdentity();
IdmIdentityDto helpdeskIdentity = getHelper().createIdentity();
//
IdmRoleDto role = getHelper().createRole();
IdmRoleDto policyRole = getHelper().createRole();
//
// helpdesk role and identity
IdmRoleDto helpdeskRole = getHelper().createRole();
// Create policy with RoleRequestByWfInvolvedIdentityEvaluator.
IdmAuthorizationPolicyDto roleRequestPolicy = getHelper().createBasePolicy(policyRole.getId(), CoreGroupPermission.ROLEREQUEST, IdmRoleRequest.class, IdmBasePermission.ADMIN);
roleRequestPolicy.setEvaluator(RoleRequestByWfInvolvedIdentityEvaluator.class);
getHelper().getService(IdmAuthorizationPolicyService.class).save(roleRequestPolicy);
// Assign policy to all our's users.
getHelper().createIdentityRole(applicant, policyRole);
getHelper().createIdentityRole(otherUser, policyRole);
getHelper().createIdentityRole(helpdeskIdentity, policyRole);
// add role directly
getHelper().createIdentityRole(helpdeskIdentity, helpdeskRole);
configurationService.setValue(APPROVE_BY_HELPDESK_ROLE, helpdeskRole.getCode());
IdmIdentityContractDto contract = getHelper().getPrimeContract(applicant.getId());
loginAsNoAdmin(applicant.getUsername());
IdmRoleRequestDto request = createRoleRequest(applicant);
request = roleRequestService.save(request);
IdmConceptRoleRequestDto concept = createRoleConcept(role, contract, request);
conceptRoleRequestService.save(concept);
roleRequestService.startRequestInternal(request.getId(), true);
request = roleRequestService.get(request.getId());
assertEquals(RoleRequestState.IN_PROGRESS, request.getState());
// Approve the task - process will be ended and move to history.
loginAsNoAdmin(helpdeskIdentity.getUsername());
WorkflowFilterDto taskFilter = new WorkflowFilterDto();
taskFilter.setProcessInstanceId(request.getWfProcessId());
this.checkAndCompleteOneTask(taskFilter, applicant.getUsername(), "approve", null);
loginAsNoAdmin(otherUser.getUsername());
try {
roleRequestService.checkAccess(request, IdmBasePermission.READ);
fail("This user: " + otherUser.getUsername() + " can't read this role-request");
} catch (ForbiddenEntityException ex) {
// OK
} catch (Exception e) {
fail("Some problem: " + e.getLocalizedMessage());
}
loginAsNoAdmin(helpdeskIdentity.getUsername());
try {
roleRequestService.checkAccess(request, IdmBasePermission.READ);
} catch (ResultCodeException ex) {
fail("This user: " + helpdeskIdentity.getUsername() + " can read this role-request.");
} catch (Exception e) {
fail("Some problem: " + e.getLocalizedMessage());
}
}
Also used :
IdmRoleDto(eu.bcvsolutions.idm.core.api.dto.IdmRoleDto)
WorkflowFilterDto(eu.bcvsolutions.idm.core.workflow.model.dto.WorkflowFilterDto)
IdmAuthorizationPolicyService(eu.bcvsolutions.idm.core.api.service.IdmAuthorizationPolicyService)
ResultCodeException(eu.bcvsolutions.idm.core.api.exception.ResultCodeException)
IdmAuthorizationPolicyDto(eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto)
IdmConceptRoleRequestDto(eu.bcvsolutions.idm.core.api.dto.IdmConceptRoleRequestDto)
IdmIdentityDto(eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto)
IdmIdentityContractDto(eu.bcvsolutions.idm.core.api.dto.IdmIdentityContractDto)
IdmRoleRequestDto(eu.bcvsolutions.idm.core.api.dto.IdmRoleRequestDto)
ForbiddenEntityException(eu.bcvsolutions.idm.core.api.exception.ForbiddenEntityException)
ResultCodeException(eu.bcvsolutions.idm.core.api.exception.ResultCodeException)
ForbiddenEntityException(eu.bcvsolutions.idm.core.api.exception.ForbiddenEntityException)
Test(org.junit.Test)
AbstractEvaluatorIntegrationTest(eu.bcvsolutions.idm.test.api.AbstractEvaluatorIntegrationTest)
Aggregations
ForbiddenEntityException (eu.bcvsolutions.idm.core.api.exception.ForbiddenEntityException)21
IdmIdentityDto (eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto)12
ResultCodeException (eu.bcvsolutions.idm.core.api.exception.ResultCodeException)9
Test (org.junit.Test)8
IdmIdentityContractDto (eu.bcvsolutions.idm.core.api.dto.IdmIdentityContractDto)7
IdmRoleDto (eu.bcvsolutions.idm.core.api.dto.IdmRoleDto)7
UUID (java.util.UUID)7
OperationResult (eu.bcvsolutions.idm.core.api.entity.OperationResult)5
IdmBasePermission (eu.bcvsolutions.idm.core.security.api.domain.IdmBasePermission)5
AbstractEvaluatorIntegrationTest (eu.bcvsolutions.idm.test.api.AbstractEvaluatorIntegrationTest)5
IdmBulkActionDto (eu.bcvsolutions.idm.core.api.bulk.action.dto.IdmBulkActionDto)4
IdmConceptRoleRequestDto (eu.bcvsolutions.idm.core.api.dto.IdmConceptRoleRequestDto)4
IdmRoleRequestDto (eu.bcvsolutions.idm.core.api.dto.IdmRoleRequestDto)4
DefaultResultModel (eu.bcvsolutions.idm.core.api.dto.DefaultResultModel)3
IdmContractGuaranteeDto (eu.bcvsolutions.idm.core.api.dto.IdmContractGuaranteeDto)3
IdmIdentityRoleDto (eu.bcvsolutions.idm.core.api.dto.IdmIdentityRoleDto)3
IdmIdentityProjectionDto (eu.bcvsolutions.idm.core.api.dto.projection.IdmIdentityProjectionDto)3
IdmFormAttributeDto (eu.bcvsolutions.idm.core.eav.api.dto.IdmFormAttributeDto)3
BasePermission (eu.bcvsolutions.idm.core.security.api.domain.BasePermission)3
ArrayList (java.util.ArrayList)3
