Bugfix for role permissions

OpenConext · Oct 12, 2023 · 94dbc7f · 94dbc7f
1 parent 0ba6090
commit 94dbc7f
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 5 deletions.
diff --git a/server/pom.xml b/server/pom.xml
@@ -105,7 +105,7 @@
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>
-            <optional>true</optional>
+            <version>1.18.30</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>

diff --git a/server/src/main/java/access/api/RoleController.java b/server/src/main/java/access/api/RoleController.java
@@ -75,9 +75,10 @@ public ResponseEntity<List<Role>> rolesByApplication(@Parameter(hidden = true) U
     public ResponseEntity<Role> role(@PathVariable("id") Long id, User user) {
         LOG.debug("/role");
         Role role = roleRepository.findById(id).orElseThrow(NotFoundException::new);
+        UserPermissions.assertRoleAccess(user, role, Authority.INVITER);
+
         Map<String, Object> provider = manage.providerById(role.getManageType(), role.getManageId());
         role.setApplication(provider);
-        UserPermissions.assertRoleAccess(user, role, Authority.INVITER);
         return ResponseEntity.ok(role);
     }
 

diff --git a/server/src/main/java/access/security/UserPermissions.java b/server/src/main/java/access/security/UserPermissions.java
@@ -100,9 +100,10 @@ public static void assertRoleAccess(User user, Role accessRole, Authority author
             return;
         }
         user.getUserRoles().stream()
-                .filter(userRole -> userRole.getRole().getId().equals(accessRole.getId()) ||
+                .filter(userRole -> (userRole.getRole().getId().equals(accessRole.getId()) &&
+                        userRole.getAuthority().hasEqualOrHigherRights(authority)) ||
                         (userRole.getRole().getManageId().equals(accessRole.getManageId()) &&
-                                userRole.getAuthority().hasEqualOrHigherRights(authority)))
+                                userRole.getAuthority().hasEqualOrHigherRights(Authority.MANAGER)))
                 .findFirst()
                 .orElseThrow(UserRestrictionException::new);
     }

diff --git a/server/src/test/java/access/security/UserPermissionsTest.java b/server/src/test/java/access/security/UserPermissionsTest.java
@@ -133,7 +133,7 @@ void assertRoleAccessInstitutionAdmin() {
     void assertRoleAccess() {
         String identifier = UUID.randomUUID().toString();
         User user = userWithRole(Authority.GUEST, identifier);
-        UserPermissions.assertRoleAccess(user, user.getUserRoles().iterator().next().getRole());
+        assertThrows(UserRestrictionException.class, () -> UserPermissions.assertRoleAccess(user, user.getUserRoles().iterator().next().getRole()));
     }
 
     @Test