use of org.springframework.security.access.AccessDeniedException in project dhis2-core by dhis2.
the class DefaultTrackerOwnershipManager method transferOwnership.
// -------------------------------------------------------------------------
// Implementation
// -------------------------------------------------------------------------
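/**
 * Transfers program ownership of a tracked entity instance to another
 * organisation unit, recording the previous owner in the ownership history.
 *
 * @param entityInstance the tracked entity instance; no-op when {@code null}.
 * @param program the program the ownership applies to; no-op when {@code null}.
 * @param orgUnit the organisation unit that becomes the new owner; no-op when {@code null}.
 * @param skipAccessValidation when {@code true} the current user's access is not checked.
 * @param createIfNotExists when {@code true} an owner record is created if none exists yet.
 * @throws AccessDeniedException if validation is not skipped and the current user
 *         has no access to the entity/program combination.
 */
@Override
@Transactional
public void transferOwnership(TrackedEntityInstance entityInstance, Program program, OrganisationUnit orgUnit, boolean skipAccessValidation, boolean createIfNotExists) {
    // Nothing to transfer without all three parts of an ownership record.
    if (entityInstance == null || program == null || orgUnit == null) {
        return;
    }

    // Test the skip flag first so the current-user lookup and the access check are
    // not performed at all when the caller explicitly bypasses validation.
    if (!skipAccessValidation && !hasAccess(currentUserService.getCurrentUser(), entityInstance, program)) {
        // NOTE(review): consider adding the entity and program UIDs to this log line
        // so denied transfers can be attributed during an audit.
        log.error("Unauthorized attempt to change ownership");
        throw new AccessDeniedException("User does not have access to change ownership for the entity-program combination");
    }

    TrackedEntityProgramOwner teProgramOwner = trackedEntityProgramOwnerService.getTrackedEntityProgramOwner(entityInstance.getId(), program.getId());

    if (teProgramOwner != null) {
        // Only write history and update the owner when the org unit actually changes.
        if (!teProgramOwner.getOrganisationUnit().equals(orgUnit)) {
            ProgramOwnershipHistory programOwnershipHistory = new ProgramOwnershipHistory(program, entityInstance, teProgramOwner.getOrganisationUnit(), teProgramOwner.getLastUpdated(), teProgramOwner.getCreatedBy());
            programOwnershipHistoryService.addProgramOwnershipHistory(programOwnershipHistory);
            trackedEntityProgramOwnerService.updateTrackedEntityProgramOwner(entityInstance, program, orgUnit);
        }
    } else if (createIfNotExists) {
        trackedEntityProgramOwnerService.createTrackedEntityProgramOwner(entityInstance, program, orgUnit);
    }

    // Drop any cached owner for this entity/program so the next lookup sees the transfer.
    ownerCache.invalidate(getOwnershipCacheKey(() -> entityInstance.getId(), program));
}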
use of org.springframework.security.access.AccessDeniedException in project dhis2-core by dhis2.
the class MessageConversationController method postMessageConversationReply.
// --------------------------------------------------------------------------
// POST for reply on existing MessageConversation
// --------------------------------------------------------------------------
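/**
 * Posts a reply to an existing message conversation, optionally attaching
 * file resources.
 *
 * @param uid the message conversation UID.
 * @param message the reply text.
 * @param internal whether the reply is an internal (feedback) message.
 * @param attachments UIDs of file resources to attach; may be {@code null}.
 * @param currentUser the authenticated user.
 * @param request the HTTP request, used to record the User-Agent as metadata.
 * @return a created response on success, a not-found or conflict response otherwise.
 * @throws AccessDeniedException if {@code internal} is set and the user may not
 *         manage feedback messages.
 */
@PostMapping("/{uid}")
@ResponseBody
public WebMessage postMessageConversationReply(@PathVariable("uid") String uid, @RequestBody String message, @RequestParam(value = "internal", defaultValue = "false") boolean internal, @RequestParam(value = "attachments", required = false) Set<String> attachments, @CurrentUser User currentUser, HttpServletRequest request) {
    // The User-Agent header is client-controlled; it is stored as free-text metadata only.
    String metaData = MessageService.META_USER_AGENT + request.getHeader(ContextUtils.HEADER_USER_AGENT);

    org.hisp.dhis.message.MessageConversation conversation = messageService.getMessageConversation(uid);

    if (conversation == null) {
        return notFound("Message conversation does not exist: " + uid);
    }

    // Internal replies are restricted to users allowed to manage feedback messages.
    if (internal && !messageService.hasAccessToManageFeedbackMessages(currentUser)) {
        throw new AccessDeniedException("Not authorized to send internal messages");
    }

    // NOTE(review): there is no explicit check here that currentUser may read or reply
    // to this conversation; presumably enforced inside messageService.sendReply — confirm.

    // Work on a local view instead of reassigning the parameter.
    Set<String> attachmentUids = attachments == null ? new HashSet<>() : attachments;

    // Pass 1: resolve and validate every attachment before touching any of them, so a
    // rejected attachment does not leave earlier ones marked as assigned while no reply
    // is ever sent.
    Set<FileResource> fileResources = new HashSet<>();

    for (String fileResourceUid : attachmentUids) {
        FileResource fileResource = fileResourceService.getFileResource(fileResourceUid);

        if (fileResource == null) {
            return conflict("Attachment '" + fileResourceUid + "' not found.");
        }

        if (!fileResource.getDomain().equals(FileResourceDomain.MESSAGE_ATTACHMENT) || fileResource.isAssigned()) {
            return conflict("Attachment '" + fileResourceUid + "' is already used or not a valid attachment.");
        }

        fileResources.add(fileResource);
    }

    // Pass 2: claim the attachments now that all of them are known to be valid.
    for (FileResource fileResource : fileResources) {
        fileResource.setAssigned(true);
        fileResourceService.updateFileResource(fileResource);
    }

    messageService.sendReply(conversation, message, metaData, internal, fileResources);

    return created("Message conversation created").setLocation(MessageConversationSchemaDescriptor.API_ENDPOINT + "/" + conversation.getUid());
}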
use of org.springframework.security.access.AccessDeniedException in project dhis2-core by dhis2.
the class MessageConversationController method getMessage.
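/**
 * Returns the specified message after making sure the user has access to
 * it.
 *
 * @param mcUid the message conversation UID.
 * @param msgUid the message UID.
 * @param user the user.
 * @return a {@link Message}.
 * @throws WebMessageException if the conversation or the message does not
 *         exist, or the message is internal and the user is not in the
 *         feedback recipient user group.
 * @throws AccessDeniedException if the user may not read the conversation.
 */
private Message getMessage(String mcUid, String msgUid, User user) throws WebMessageException {
    org.hisp.dhis.message.MessageConversation conversation = messageService.getMessageConversation(mcUid);

    if (conversation == null) {
        throw new WebMessageException(notFound(String.format("No message conversation with uid '%s'", mcUid)));
    }

    if (!canReadMessageConversation(user, conversation)) {
        throw new AccessDeniedException("Not authorized to access this conversation.");
    }

    // Message UIDs are expected to be unique within a conversation, so the first
    // match is the one we want; this avoids materialising a list just to read index 0.
    Message message = conversation.getMessages().stream()
        .filter(msg -> msg.getUid().equals(msgUid))
        .findFirst()
        .orElse(null);

    if (message == null) {
        // The closing quote around the conversation UID was missing in the original message.
        throw new WebMessageException(notFound(String.format("No message with uid '%s' in messageConversation '%s'", msgUid, mcUid)));
    }

    // Internal (feedback) messages are visible only to the feedback recipient group.
    // NOTE(review): this path answers with a conflict where the conversation-level
    // check above raises AccessDeniedException; left unchanged because API clients
    // may depend on the status code.
    if (message.isInternal() && !configurationService.isUserInFeedbackRecipientUserGroup(user)) {
        throw new WebMessageException(conflict("Not authorized to access this message"));
    }

    return message;
}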
use of org.springframework.security.access.AccessDeniedException in project dhis2-core by dhis2.
the class InterpretationController method deleteComment.
/**
 * Deletes a comment from an interpretation. Only the comment's author or a
 * superuser may delete it.
 *
 * @param uid the interpretation UID.
 * @param cuid the comment UID.
 * @param response the HTTP response (unused).
 * @return a conflict response if the interpretation does not exist, otherwise
 *         {@code null} (204 No Content).
 * @throws AccessDeniedException if the current user is neither the author nor a superuser.
 */
@DeleteMapping("/{uid}/comments/{cuid}")
@ResponseStatus(HttpStatus.NO_CONTENT)
@ResponseBody
public WebMessage deleteComment(@PathVariable("uid") String uid, @PathVariable("cuid") String cuid, HttpServletResponse response) {
    Interpretation interpretation = interpretationService.getInterpretation(uid);

    if (interpretation == null) {
        return conflict("Interpretation does not exist: " + uid);
    }

    // Walk the live comment collection with an explicit iterator so the matching
    // comment can be removed in place.
    for (Iterator<InterpretationComment> it = interpretation.getComments().iterator(); it.hasNext(); ) {
        InterpretationComment comment = it.next();

        if (!comment.getUid().equals(cuid)) {
            continue;
        }

        boolean isAuthor = currentUserService.getCurrentUser().equals(comment.getCreatedBy());

        if (!isAuthor && !currentUserService.currentUserIsSuper()) {
            throw new AccessDeniedException("You are not allowed to delete this comment.");
        }

        it.remove();
    }

    // NOTE(review): when no comment matches cuid this is a silent no-op that still
    // answers 204 — confirm that idempotent deletes are intended.
    interpretationService.updateInterpretation(interpretation);

    return null;
}
use of org.springframework.security.access.AccessDeniedException in project dhis2-core by dhis2.
the class InterpretationController method updateInterpretation.
// -------------------------------------------------------------------------
// Interpretation update
// -------------------------------------------------------------------------
/**
 * Replaces the text of an interpretation. Only the author or a superuser may
 * update it.
 *
 * @param uid the interpretation UID.
 * @param text the new interpretation text.
 * @return a not-found response if the interpretation does not exist, otherwise
 *         {@code null} (204 No Content).
 * @throws AccessDeniedException if the current user is neither the author nor a superuser.
 */
@PutMapping("/{uid}")
@ResponseStatus(HttpStatus.NO_CONTENT)
@ResponseBody
public WebMessage updateInterpretation(@PathVariable("uid") String uid, @RequestBody String text) {
    Interpretation interpretation = interpretationService.getInterpretation(uid);

    if (interpretation == null) {
        return notFound("Interpretation does not exist: " + uid);
    }

    boolean isAuthor = currentUserService.getCurrentUser().equals(interpretation.getCreatedBy());

    if (!isAuthor && !currentUserService.currentUserIsSuper()) {
        throw new AccessDeniedException("You are not allowed to update this interpretation.");
    }

    interpretationService.updateInterpretationText(interpretation, text);

    return null;
}