change authorization for tags

reqbaz/src/main/java/de/rwth/dbis/acis/bazaar/service/resources/ProjectsResource.java

@@ -668,7 +668,7 @@ public Response getTagsForProject(
     }
 
     /**
-     * This method add the current user to the followers list of a given project.
+     * This method adds a tag to a given project.
      *
      * @param projectId id of the project
      * @param tag       Tag to be created
@@ -693,7 +693,8 @@ public Response createTag(@PathParam("projectId") int projectId,
             dalFacade = bazaarService.getDBConnection();
             Integer internalUserId = dalFacade.getUserIdByLAS2PeerId(userId);
 
-            resourceHelper.checkAuthorization(new AuthorizationManager().isAuthorized(internalUserId, PrivilegeEnum.Create_CATEGORY, dalFacade), "error.authorization.category.create", true);
+            // Only Admins should be able to create new tags.
+            resourceHelper.checkAuthorization(new AuthorizationManager().isAuthorizedInContext(internalUserId, PrivilegeEnum.Modify_PROJECT, projectId, dalFacade), "error.authorization.project.modify", true);
 
             // Ensure no cross-injection happens
             tag.setProjectId(projectId);
@@ -738,6 +739,9 @@ public Response updateTags(@PathParam("projectId") int projectId,
 
             dalFacade = bazaarService.getDBConnection();
             Integer internalUserId = dalFacade.getUserIdByLAS2PeerId(userId);
+            // Only Admins should be able to edit tags.
+            resourceHelper.checkAuthorization(new AuthorizationManager().isAuthorizedInContext(internalUserId, PrivilegeEnum.Modify_PROJECT, projectId, dalFacade), "error.authorization.project.modify", true);
+
 
             // ensure the given tag exists
             dalFacade.getTagById(tag.getId());
@@ -771,6 +775,9 @@ public Response removeTag(
             String userId = resourceHelper.getUserId();
             dalFacade = bazaarService.getDBConnection();
             Integer internalUserId = dalFacade.getUserIdByLAS2PeerId(userId);
+            // Only Admins should be able to delete tags.
+            resourceHelper.checkAuthorization(new AuthorizationManager().isAuthorizedInContext(internalUserId, PrivilegeEnum.Modify_PROJECT, projectId, dalFacade), "error.authorization.project.modify", true);
+
             dalFacade.deleteTagById(tagId);
             bazaarService.getNotificationDispatcher().dispatchNotification(OffsetDateTime.now(), Activity.ActivityAction.UPDATE, MonitoringEvent.SERVICE_CUSTOM_MESSAGE_6, projectId, Activity.DataType.PROJECT, internalUserId);
             return Response.noContent().build();

reqbaz/src/main/resources/i18n/Translation_en.properties

@@ -23,6 +23,7 @@ error.registrars=Unknown error in registrators.
 error.first_login=Error during registering users at first login.
 error.authorization.project.create=Only logged-in users can create projects.
 error.authorization.anonymous=Even anonymous should be able to watch this. Inform maintainers.
+error.authorization.tag.create=Only admins can create tags.
 error.authorization.category.read=Only project members can see categories.
 error.authorization.category.create=Only admins can create categories.
 error.authorization.category.modify=Only admins can modify categories.