diff --git a/src/main/java/fr/insee/rmes/config/auth/security/SecurityExpressionRootForBauhaus.java b/src/main/java/fr/insee/rmes/config/auth/security/SecurityExpressionRootForBauhaus.java
index 5c15d49ff..8c1e485b4 100644
--- a/src/main/java/fr/insee/rmes/config/auth/security/SecurityExpressionRootForBauhaus.java
+++ b/src/main/java/fr/insee/rmes/config/auth/security/SecurityExpressionRootForBauhaus.java
@@ -4,6 +4,7 @@
 import fr.insee.rmes.config.auth.roles.Roles;
 import fr.insee.rmes.config.auth.user.Stamp;
 import fr.insee.rmes.exceptions.RmesRuntimeBadRequestException;
+import org.json.JSONArray;
 import org.json.JSONObject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -173,6 +174,9 @@ private boolean checkStampIsContributor(String body) {
 private static @Nullable String extractContributorStampFromBody(String body) {
 return (new JSONObject(body)).optString("contributor");
 }
+ private static @Nullable JSONArray extractContributorStampsFromBody(String body) {
+ return (new JSONObject(body)).optJSONArray("contributor");
+ }
 //for PUT and DELETE structure
 public boolean isStructureContributor(String structureId){
@@ -183,7 +187,13 @@ public boolean isStructureContributor(String structureId){
 // for POST structure or component
 public boolean isStructureAndComponentContributor(String body) {
 logger.trace("Check if {} can create the structure or component", methodSecurityExpressionRoot.getPrincipal());
- return hasRole(Roles.STRUCTURES_CONTRIBUTOR)&& checkStampIsContributor(body);
+ Optional stamp = getStamp();
+ JSONArray contributors = extractContributorStampsFromBody(body);
+
+ if(contributors == null){
+ return false;
+ }
+ return hasRole(Roles.STRUCTURES_CONTRIBUTOR) && contributors.toList().stream().anyMatch(s -> ((String) s).equalsIgnoreCase(stamp.get().stamp()));
 }
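Review bot: `stamp.get()` inside the `anyMatch` lambda of `isStructureAndComponentContributor` is called on a raw `Optional` that is never checked, so an authenticated principal without a stamp turns this authorization check into a `NoSuchElementException`, and the `(String) s` cast does the same (`ClassCastException`, or an NPE for a JSON `null`) for a non-string element of the request-controlled `contributor` array, instead of a plain deny. The method should resolve the stamp once and fail closed: add `stamp.isEmpty()` to the existing `contributors == null` guard and skip non-string elements rather than casting them; evaluating `hasRole` first keeps the original role-first order and avoids walking the body for callers without the role. Note that a scalar `"contributor": "x"` now makes `optJSONArray` return `null` and is denied, which the updated tests treat as intended, and `extractContributorStampFromBody` presumably stays in use by `checkStampIsContributor`. The hunk's trailing context after the method's closing brace appears cut off in this view.
```java
public boolean isStructureAndComponentContributor(String body) {
    // … unchanged: logger.trace(...) …
    Optional<Stamp> stamp = getStamp(); // NOTE(review): assumes getStamp() returns Optional<Stamp> — confirm
    JSONArray contributors = extractContributorStampsFromBody(body);
    // Fail closed: missing role, missing caller stamp or a non-array "contributor" all deny.
    if (!hasRole(Roles.STRUCTURES_CONTRIBUTOR) || stamp.isEmpty() || contributors == null) {
        return false;
    }
    String userStamp = stamp.get().stamp();
    // Non-string elements are ignored rather than cast: a malformed body must deny, not throw.
    return contributors.toList().stream()
            .anyMatch(s -> s instanceof String && ((String) s).equalsIgnoreCase(userStamp));
}
```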
diff --git a/src/test/java/fr/insee/rmes/integration/authorizations/TestStructuresResourcesEnvProd.java b/src/test/java/fr/insee/rmes/integration/authorizations/TestStructuresResourcesEnvProd.java
index 77d34a186..f5e7fd295 100644
--- a/src/test/java/fr/insee/rmes/integration/authorizations/TestStructuresResourcesEnvProd.java
+++ b/src/test/java/fr/insee/rmes/integration/authorizations/TestStructuresResourcesEnvProd.java
@@ -12,7 +12,6 @@
 import fr.insee.rmes.config.auth.security.DefaultSecurityContext;
 import fr.insee.rmes.config.auth.security.OpenIDConnectSecurityContext;
 import fr.insee.rmes.config.auth.user.Stamp;
-import fr.insee.rmes.model.ValidationStatus;
 import fr.insee.rmes.webservice.StructureResources;
 import org.junit.jupiter.api.Test;
 import org.mockito.Mockito;
@@ -28,7 +27,6 @@
 import static fr.insee.rmes.integration.authorizations.TokenForTestsConfiguration.*;
 import static fr.insee.rmes.integration.authorizations.TokenForTestsConfiguration.KEY_FOR_ROLES_IN_ROLE_CLAIM;
-import static fr.insee.rmes.model.ValidationStatus.UNPUBLISHED;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -68,7 +66,6 @@ class TestStructuresResourcesEnvProd {
 int structureId=10;
 int componentId=12;
- ValidationStatus status= UNPUBLISHED;
 @Test
 void putStructureAdmin_ok() throws Exception {
@@ -139,7 +136,7 @@ void postStructureAsStructureContributor_ok() throws Exception {
 mvc.perform(post("/structures/structure").header("Authorization", "Bearer toto")
 .contentType(MediaType.APPLICATION_JSON)
 .accept(MediaType.APPLICATION_JSON)
- .content("{\"id\": \"1\",\"contributor\": \""+timbre+"\"}"))
+ .content("{\"id\": \"1\",\"contributor\": [\""+timbre+"\"]}"))
 .andExpect(status().isOk());
 }
@@ -168,7 +165,7 @@ void postStructureAsStructureContributorWrongStamp_ko() throws Exception {
 mvc.perform(post("/structures/structure").header("Authorization", "Bearer toto")
 .contentType(MediaType.APPLICATION_JSON)
 .accept(MediaType.APPLICATION_JSON)
- .content("{\"id\": \"1\",\"contributor\": \"wrong\"}"))
+ .content("{\"id\": \"1\",\"contributor\": [\"wrong\"]}"))
 .andExpect(status().isForbidden());
 }
@@ -228,7 +225,7 @@ void postComponentAsStructureContributor_ok() throws Exception {
 mvc.perform(post("/structures/components").header("Authorization", "Bearer toto")
 .contentType(MediaType.APPLICATION_JSON)
 .accept(MediaType.APPLICATION_JSON)
- .content("{\"id\": \"1\",\"contributor\": \""+timbre+"\"}"))
+ .content("{\"id\": \"1\",\"contributor\": [\""+timbre+"\"]}"))
 .andExpect(status().isCreated());
 }
@@ -257,7 +254,7 @@ void postComponentAsStructureContributorWrongStamp_ko() throws Exception {
 mvc.perform(post("/structures/components").header("Authorization", "Bearer toto")
 .contentType(MediaType.APPLICATION_JSON)
 .accept(MediaType.APPLICATION_JSON)
- .content("{\"id\": \"1\",\"contributor\": \"wrong\"}"))
+ .content("{\"id\": \"1\",\"contributor\": [\"wrong\"]}"))
 .andExpect(status().isForbidden());
 }
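Review bot: Every rewritten `.content(...)` here and in the `postStructureAsStructureContributor_ok` hunk on the preceding line sends a single-element `contributor` array, so the new list semantics of `isStructureAndComponentContributor` are not actually pinned by these tests. There is no case where the caller's stamp is one of several contributors, none where `contributor` is absent or still a scalar string (now denied because `optJSONArray` returns `null`), and none with a non-string element, which is the input most likely to surface as an error rather than a 403. One `_ok` case such as `.content("{\"id\": \"1\",\"contributor\": [\"other\", \""+timbre+"\"]}")` and one `_ko` case with `"contributor": \"wrong\"` as a bare string would make the authorization contract explicit; the same applies to the component variants in this hunk group.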