Examples with AccessDeniedException - org.springframework.security.access.AccessDeniedException

Example 66 with AccessDeniedException

use of org.springframework.security.access.AccessDeniedException in project dhis2-core by dhis2.

the class InterpretationController method updateComment.

@RequestMapping(value = "/{uid}/comments/{cuid}", method = RequestMethod.PUT)
@ResponseStatus(HttpStatus.NO_CONTENT)
public void updateComment(@PathVariable("uid") String uid, @PathVariable("cuid") String cuid, HttpServletResponse response, @RequestBody String content) throws WebMessageException {
    Interpretation interpretation = interpretationService.getInterpretation(uid);
    if (interpretation == null) {
        throw new WebMessageException(WebMessageUtils.conflict("Interpretation does not exist: " + uid));
    }
    for (InterpretationComment comment : interpretation.getComments()) {
        if (comment.getUid().equals(cuid)) {
            if (!currentUserService.getCurrentUser().equals(comment.getUser()) && !currentUserService.currentUserIsSuper()) {
                throw new AccessDeniedException("You are not allowed to update this comment.");
            }
            comment.setText(content);
        }
    }
    interpretationService.updateInterpretation(interpretation);
}

Also used : AccessDeniedException(org.springframework.security.access.AccessDeniedException) WebMessageException(org.hisp.dhis.dxf2.webmessage.WebMessageException) InterpretationComment(org.hisp.dhis.interpretation.InterpretationComment) Interpretation(org.hisp.dhis.interpretation.Interpretation) ResponseStatus(org.springframework.web.bind.annotation.ResponseStatus) RequestMapping(org.springframework.web.bind.annotation.RequestMapping)

Example 67 with AccessDeniedException

use of org.springframework.security.access.AccessDeniedException in project dhis2-core by dhis2.

the class AddUserAction method execute.

// -------------------------------------------------------------------------
// Action implementation
// -------------------------------------------------------------------------
@Override
public String execute() throws Exception {
    if (!userService.canAddOrUpdateUser(ugSelected)) {
        throw new AccessDeniedException("You cannot add this user");
    }
    User currentUser = currentUserService.getCurrentUser();
    // ---------------------------------------------------------------------
    // User credentials and user
    // ---------------------------------------------------------------------
    UserCredentials userCredentials = new UserCredentials();
    User user = new User();
    userCredentials.setUserInfo(user);
    user.setUserCredentials(userCredentials);
    userCredentials.setUsername(StringUtils.trimToNull(username));
    userCredentials.setExternalAuth(externalAuth);
    userCredentials.setOpenId(StringUtils.trimToNull(openId));
    userCredentials.setLdapId(StringUtils.trimToNull(ldapId));
    if (ACCOUNT_ACTION_INVITE.equals(accountAction)) {
        userCredentials.setUsername(StringUtils.trimToNull(inviteUsername));
        userCredentials.setInvitation(true);
        user.setEmail(StringUtils.trimToNull(inviteEmail));
        securityService.prepareUserForInvite(user);
    } else {
        user.setSurname(StringUtils.trimToNull(surname));
        user.setFirstName(StringUtils.trimToNull(firstName));
        user.setEmail(StringUtils.trimToNull(email));
        user.setPhoneNumber(StringUtils.trimToNull(phoneNumber));
        userService.encodeAndSetPassword(userCredentials, StringUtils.trimToNull(rawPassword));
    }
    if (jsonAttributeValues != null) {
        attributeService.updateAttributeValues(user, jsonAttributeValues);
    }
    // ---------------------------------------------------------------------
    // Organisation units
    // ---------------------------------------------------------------------
    Set<OrganisationUnit> dataCaptureOrgUnits = new HashSet<>(selectionManager.getSelectedOrganisationUnits());
    user.updateOrganisationUnits(dataCaptureOrgUnits);
    Set<OrganisationUnit> dataViewOrgUnits = new HashSet<>(selectionTreeManager.getReloadedSelectedOrganisationUnits());
    user.setDataViewOrganisationUnits(dataViewOrgUnits);
    if (dataViewOrgUnits.size() == 0 && currentUser.getDataViewOrganisationUnits().size() != 0) {
        user.setDataViewOrganisationUnits(new HashSet<>(currentUser.getDataViewOrganisationUnits()));
    }
    // ---------------------------------------------------------------------
    // User roles
    // ---------------------------------------------------------------------
    Set<UserAuthorityGroup> userAuthorityGroups = new HashSet<>();
    for (String id : urSelected) {
        userAuthorityGroups.add(userService.getUserAuthorityGroup(id));
    }
    userService.canIssueFilter(userAuthorityGroups);
    userCredentials.setUserAuthorityGroups(userAuthorityGroups);
    // ---------------------------------------------------------------------
    // Dimension constraints. Note that any new user must inherit dimension 
    // constraints if any from the current user.
    // ---------------------------------------------------------------------
    userCredentials.setCogsDimensionConstraints(new HashSet<>(currentUser.getUserCredentials().getCogsDimensionConstraints()));
    userCredentials.setCatDimensionConstraints(new HashSet<>(currentUser.getUserCredentials().getCatDimensionConstraints()));
    for (String id : dcSelected) {
        CategoryOptionGroupSet cogs = categoryService.getCategoryOptionGroupSet(id);
        if (cogs != null) {
            userCredentials.getCogsDimensionConstraints().add(cogs);
            continue;
        }
        DataElementCategory cat = categoryService.getDataElementCategory(id);
        if (cat != null) {
            userCredentials.getCatDimensionConstraints().add(cat);
            continue;
        }
    }
    // ---------------------------------------------------------------------
    // Add User
    // ---------------------------------------------------------------------
    userService.addUser(user);
    userService.addUserCredentials(userCredentials);
    // ---------------------------------------------------------------------
    // User settings
    // ---------------------------------------------------------------------
    userSettingService.saveUserSetting(UserSettingKey.UI_LOCALE, LocaleUtils.getLocale(localeUi), user);
    userSettingService.saveUserSetting(UserSettingKey.DB_LOCALE, LocaleUtils.getLocale(localeDb), user);
    if (ACCOUNT_ACTION_INVITE.equals(accountAction)) {
        RestoreOptions restoreOptions = inviteUsername == null || inviteUsername.isEmpty() ? RestoreOptions.INVITE_WITH_USERNAME_CHOICE : RestoreOptions.INVITE_WITH_DEFINED_USERNAME;
        securityService.sendRestoreMessage(userCredentials, getRootPath(), restoreOptions);
    }
    for (String id : ugSelected) {
        UserGroup userGroup = userGroupService.getUserGroup(id);
        userGroup.addUser(user);
        userGroupService.updateUserGroup(userGroup);
    }
    if (ouwtSelected != null && manager.search(OrganisationUnit.class, ouwtSelected) != null) {
        selectionManager.setSelectedOrganisationUnits(Lists.newArrayList(manager.search(OrganisationUnit.class, ouwtSelected)));
    } else {
        selectionManager.setSelectedOrganisationUnits(currentUser.getOrganisationUnits());
    }
    return SUCCESS;
}

Also used : OrganisationUnit(org.hisp.dhis.organisationunit.OrganisationUnit) RestoreOptions(org.hisp.dhis.security.RestoreOptions) AccessDeniedException(org.springframework.security.access.AccessDeniedException) User(org.hisp.dhis.user.User) CategoryOptionGroupSet(org.hisp.dhis.dataelement.CategoryOptionGroupSet) DataElementCategory(org.hisp.dhis.dataelement.DataElementCategory) UserGroup(org.hisp.dhis.user.UserGroup) UserAuthorityGroup(org.hisp.dhis.user.UserAuthorityGroup) UserCredentials(org.hisp.dhis.user.UserCredentials) HashSet(java.util.HashSet)

Aggregations

AccessDeniedException (org.springframework.security.access.AccessDeniedException)67 Test (org.junit.Test)21 Authentication (org.springframework.security.core.Authentication)14 ConfigAttribute (org.springframework.security.access.ConfigAttribute)13 UsernamePasswordAuthenticationToken (org.springframework.security.authentication.UsernamePasswordAuthenticationToken)8 RequestMapping (org.springframework.web.bind.annotation.RequestMapping)7 HttpServletRequest (javax.servlet.http.HttpServletRequest)6 HttpServletResponse (javax.servlet.http.HttpServletResponse)6 WebMessageException (org.hisp.dhis.dxf2.webmessage.WebMessageException)6 ArrayList (java.util.ArrayList)5 AuthorizationFailureEvent (org.springframework.security.access.event.AuthorizationFailureEvent)5 InsufficientAuthenticationException (org.springframework.security.authentication.InsufficientAuthenticationException)5 TestingAuthenticationToken (org.springframework.security.authentication.TestingAuthenticationToken)5 MethodInvocation (org.aopalliance.intercept.MethodInvocation)4 Interpretation (org.hisp.dhis.interpretation.Interpretation)4 User (org.hisp.dhis.user.User)4 SecurityConfig (org.springframework.security.access.SecurityConfig)4 IOException (java.io.IOException)3 InsufficientScopeException (org.springframework.security.oauth2.common.exceptions.InsufficientScopeException)3 FilterInvocation (org.springframework.security.web.FilterInvocation)3