Only return object with view permission

cms-core/src/main/java/com/gentics/contentnode/rest/resource/impl/PublishProtocolResourceImpl.java

@@ -1,29 +1,38 @@
 package com.gentics.contentnode.rest.resource.impl;
 
-import static com.gentics.contentnode.factory.Trx.supply;
-
 import com.gentics.api.lib.exception.NodeException;
 import com.gentics.contentnode.etc.ContentNodeHelper;
 import com.gentics.contentnode.etc.Function;
+import com.gentics.contentnode.factory.Transaction;
 import com.gentics.contentnode.factory.Trx;
+import com.gentics.contentnode.i18n.I18NHelper;
+import com.gentics.contentnode.object.Form;
+import com.gentics.contentnode.object.NodeObject;
+import com.gentics.contentnode.object.Page;
+import com.gentics.contentnode.perm.PermHandler;
 import com.gentics.contentnode.publish.protocol.PublishLogEntry;
 import com.gentics.contentnode.publish.protocol.PublishProtocolService;
 import com.gentics.contentnode.rest.model.PublishLogDto;
 import com.gentics.contentnode.rest.model.response.GenericItemList;
 import com.gentics.contentnode.rest.resource.PublishProtocolResource;
 import com.gentics.contentnode.rest.resource.parameter.PagingParameterBean;
 import com.gentics.contentnode.rest.util.ListBuilder;
+import com.gentics.lib.log.NodeLogger;
 import javax.ws.rs.BeanParam;
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
 
+
 @Produces({MediaType.APPLICATION_JSON})
 @Path("/publish/state")
 public class PublishProtocolResourceImpl implements PublishProtocolResource {
 
+	private static final NodeLogger logger = NodeLogger.getNodeLogger(
+			PublishProtocolResourceImpl.class);
+
 	private final PublishProtocolService publishProtocolService = new PublishProtocolService();
 
 	private final Function<PublishLogEntry, PublishLogDto> MAP2REST = (publishLogEntry) -> new PublishLogDto(
@@ -39,7 +48,13 @@ public class PublishProtocolResourceImpl implements PublishProtocolResource {
 	@Path("/{objId}")
 	public PublishLogDto get(@PathParam("objId") Integer objId) throws NodeException {
 		try (Trx trx = ContentNodeHelper.trx()) {
-			return MAP2REST.apply(this.publishProtocolService.getPublishLogEntryByObjectId(objId));
+			var publishLogEntry = this.publishProtocolService.getPublishLogEntryByObjectId(objId);
+
+			if (!canView(publishLogEntry, trx.getTransaction())) {
+				throw new NodeException(I18NHelper.get("rest.permission.required"));
+			}
+
+			return MAP2REST.apply(publishLogEntry);
 		}
 	}
 
@@ -48,11 +63,35 @@ public PublishLogDto get(@PathParam("objId") Integer objId) throws NodeException
 	@Path("/")
 	public GenericItemList<PublishLogDto> list(
 			@BeanParam PagingParameterBean paging) throws NodeException {
-		var publishLogEntries = supply(publishProtocolService::getPublishLogEntries);
+		try (Trx trx = ContentNodeHelper.trx()) {
+			var publishLogEntries = publishProtocolService.getPublishLogEntries();
 
-		return ListBuilder.from(publishLogEntries, MAP2REST)
-				.page(paging)
-				.to(new GenericItemList<>());
+			publishLogEntries = publishLogEntries.stream()
+					.filter(entry -> canView(entry, trx.getTransaction())).toList();
+
+			return ListBuilder.from(publishLogEntries, MAP2REST)
+					.page(paging)
+					.to(new GenericItemList<>());
+		}
+	}
+
+
+	private boolean canView(PublishLogEntry publishLogEntry, Transaction transaction) {
+		NodeObject nodeObject;
+		try {
+			switch (publishLogEntry.getType()) {
+				case "PAGE" -> nodeObject = transaction.getObject(Page.class, publishLogEntry.getObjId());
+				case "FORM" -> nodeObject = transaction.getObject(Form.class, publishLogEntry.getObjId());
+				default -> {
+					logger.error("Unsupported publish log entry type: " + publishLogEntry.getType());
+					return false;
+				}
+			}
+			return PermHandler.ObjectPermission.view.checkObject(nodeObject);
+		} catch (NodeException e) {
+			logger.error("Something went while checking the node object permission.", e);
+			return false;
+		}
 	}
 
 }