From a6d527429b4dd52dd06b585dbfff465c9e8e7610 Mon Sep 17 00:00:00 2001
From: oleg-odysseus
Date: Fri, 1 Nov 2024 16:37:22 +0100
Subject: [PATCH] Allowed reading non-enabled tools by a user having 'tool:post && tool:put && tool:*:delete' permissions

---
 .../java/org/ohdsi/webapi/tool/ToolServiceImpl.java | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/ohdsi/webapi/tool/ToolServiceImpl.java b/src/main/java/org/ohdsi/webapi/tool/ToolServiceImpl.java
index bf9b60bfc..f68d87b96 100644
--- a/src/main/java/org/ohdsi/webapi/tool/ToolServiceImpl.java
+++ b/src/main/java/org/ohdsi/webapi/tool/ToolServiceImpl.java
@@ -2,6 +2,9 @@
 
 import java.util.List;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+import org.apache.shiro.SecurityUtils;
 import org.ohdsi.webapi.service.AbstractDaoService;
 import org.ohdsi.webapi.shiro.Entities.UserEntity;
 import org.ohdsi.webapi.tool.converter.ToolConvertor;
@@ -20,7 +23,7 @@ public ToolServiceImpl(ToolRepository toolRepository, ToolConvertor toolConverto
 
 @Override
 public List getTools() {
- List tools = isAdmin() ? toolRepository.findAll() : toolRepository.findAllByIsEnabled(true);
+ List tools = (isAdmin() || canManageTools()) ? toolRepository.findAll() : toolRepository.findAllByIsEnabled(true);
 return tools.stream()
 .map(toolConvertor::toDTO).collect(Collectors.toList());
 }
@@ -49,4 +52,9 @@ public ToolDTO getById(Integer id) {
 public void delete(Integer id) {
 toolRepository.delete(id);
 }
+
+ private boolean canManageTools() {
+ return Stream.of("tool:put", "tool:post", "tool:*:delete")
+ .allMatch(permission -> SecurityUtils.getSubject().isPermitted(permission));
+ }
 }
\ No newline at end of file
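Review bot: In `getTools()` the rule for who may see disabled tools is now split between `isAdmin()` and a bundle of three write permissions, and nothing at the ternary records that this is intentional. A comment above it would state the rule, for example `// Disabled tools are listed only for admins and for users holding every tool write permission.` Read access is derived from put/post/delete grants rather than from a permission of its own, so anyone later given those three for another reason also gains the listing of disabled tools. The body of `getById` lies outside the visible hunks, so it cannot be confirmed here that fetching by id applies the same enabled/disabled rule as the list; that is worth checking before merge.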
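Review bot: `canManageTools()` in the last hunk looks up the subject once per permission and hand-rolls an all-of check that Shiro already offers; `return SecurityUtils.getSubject().isPermittedAll("tool:put", "tool:post", "tool:*:delete");` does the same in one call and would make the new `Stream` import in the first hunk unnecessary. The three literals must match the permission strings granted to roles exactly, and those definitions are not visible in this patch, so named constants or a Javadoc line pointing to where they are defined would keep them from drifting. If Shiro's default wildcard matching is in use, a grant scoped to a single tool id would presumably not satisfy `tool:*:delete`, which is worth stating in that Javadoc. A mismatch falls through to `findAllByIsEnabled(true)`, so the failure mode is a manager losing sight of disabled tools rather than over-exposure.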