Skip to content

Commit

Permalink
SED-3018 modification-of-global-entities-from-another-project-should-… (
Browse files Browse the repository at this point in the history
#244)

SED-3018 modification-of-global-entities-from-another-project-should-not-be-allowed
  • Loading branch information
david-stephan authored Apr 16, 2024
1 parent e2a9bc2 commit f0697f3
Show file tree
Hide file tree
Showing 5 changed files with 33 additions and 11 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,7 @@ protected static boolean isProtected(Parameter oldParameter) {
@Override
public Parameter clone(String id) {
Parameter sourceParameter = parameterAccessor.get(new ObjectId(id));
assertEntityIsAcceptableInContext(sourceParameter);
// Create a clone of the source parameter
Parameter newParameter = parameterAccessor.get(new ObjectId(id));
newParameter.setId(new ObjectId());
Expand All @@ -158,6 +159,7 @@ public Parameter clone(String id) {
@Override
public void delete(String id) {
Parameter parameter = get(id);
assertEntityIsAcceptableInContext(parameter);
assertRights(parameter);

parameterAccessor.remove(new ObjectId(id));
Expand Down Expand Up @@ -213,7 +215,9 @@ public List<Parameter> getAllParameters(@QueryParam("skip") Integer skip, @Query

@Override
public Parameter restoreVersion(String id, String versionId) {
assertRights(parameterAccessor.get(id));
Parameter parameter = parameterAccessor.get(id);
assertEntityIsAcceptableInContext(parameter);
assertRights(parameter);
return super.restoreVersion(id, versionId);
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -155,6 +155,7 @@ public Function save(Function function) {
@Override
public Function clone(String id) {
try {
assertEntityIsAcceptableInContext(getEntity(id));
return functionManager.copyFunction(id);
} catch (FunctionTypeException e) {
throw new ControllerServiceException(e.getMessage());
Expand All @@ -164,6 +165,7 @@ public Function clone(String id) {
@Override
public void delete(String functionId) {
try {
assertEntityIsAcceptableInContext(getEntity(functionId));
functionManager.deleteFunction(functionId);
} catch (FunctionTypeException e) {
throw new ControllerServiceException(e.getMessage());
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,7 @@ public List<T> findManyByAttributes(Map<String, String> attributes) {
@Path("/{id}")
@Secured(right = "{entity}-delete")
public void delete(@PathParam("id") String id) {
assertEntityIsAcceptableInContext(getEntity(id));
accessor.remove(new ObjectId(id));
}

Expand Down Expand Up @@ -114,10 +115,8 @@ public T save(T entity) {
@Produces(MediaType.APPLICATION_JSON)
@Secured(right = "{entity}-write")
public T clone(@PathParam("id") String id) {
T entity = get(id);
if (entity == null) {
throw new ControllerServiceException("The entity with Id " + id + " doesn't exist");
}
T entity = getEntity(id);
assertEntityIsAcceptableInContext(entity);
T clonedEntity = cloneEntity(entity);

if (clonedEntity instanceof AbstractOrganizableObject) {
Expand Down Expand Up @@ -196,6 +195,7 @@ public History(String id, long updateTime) {
@Secured(right = "{entity}-write")
@Path("{id}/restore/{versionId}")
public T restoreVersion(@PathParam("id") String id, @PathParam("versionId") String versionId) {
assertEntityIsAcceptableInContext(getEntity(id));
return accessor.restoreVersion(new ObjectId(id), new ObjectId(versionId));
}

Expand All @@ -217,14 +217,15 @@ public boolean isLocked(@PathParam("id") String id) {
@Path("{id}/locked")
public void setLocked(@PathParam("id") String id, Boolean locked) {
T t = getEntity(id);
assertEntityIsAcceptableInContext(t);
t.addCustomField(CUSTOM_FIELD_LOCKED, locked);
accessor.save(t);
}

private T getEntity(String id) {
protected T getEntity(String id) {
T t = accessor.get(id);
if (t == null) {
throw new ControllerServiceException("Entity with id '" + id + "' does not exists.");
throw new ControllerServiceException("The entity with id '" + id + "' does not exists.");
} else {
return t;
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,13 +22,12 @@
import jakarta.inject.Inject;

import ch.exense.commons.app.Configuration;
import org.apache.http.HttpStatus;
import step.core.GlobalContext;
import step.core.access.User;
import step.core.accessors.AbstractIdentifiableObject;
import step.core.execution.ExecutionContext;
import step.core.objectenricher.ObjectEnricher;
import step.core.objectenricher.ObjectFilter;
import step.core.objectenricher.ObjectHookRegistry;
import step.core.objectenricher.ObjectPredicate;
import step.core.objectenricher.*;
import step.core.scheduler.ExecutionScheduler;
import step.framework.server.AbstractServices;
import step.framework.server.Session;
Expand Down Expand Up @@ -96,4 +95,19 @@ protected void checkRightsOnBehalfOf(String right, String userOnBehalfOf) {
throw new AuthorizationException(ex.getMessage());
}
}

/**
* The ObjectHookInterceptor.aroundReadFrom can only be used for POST request passing an entity as request BODY
* This method can be used as helper for all other cases where checking if the entity is acceptable in given context (i.e. DELETE request...(
* @param entity the entity to be asserted
*/
protected void assertEntityIsAcceptableInContext(AbstractIdentifiableObject entity) {
if(entity instanceof EnricheableObject) {
EnricheableObject enricheableObject = (EnricheableObject) entity;
Session session = getSession();
if (!objectHookRegistry.isObjectAcceptableInContext(session, enricheableObject)) {
throw new ControllerServiceException(HttpStatus.SC_FORBIDDEN, "Authorization error", "You're not allowed to edit this object from within this context");
}
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -150,6 +150,7 @@ public void enableExecutionTask(@PathParam("id") String executionTaskID, @QueryP

@Override
public void delete(String id) {
assertEntityIsAcceptableInContext(getEntity(id));
scheduler.removeExecutionTask(id);
}
}

0 comments on commit f0697f3

Please sign in to comment.