Merge pull request #172 from rwth-acis/feature/user-authorization-inf…

…ormation Feature/user authorization information
rwth-acis · Jul 8, 2022 · 9aae2ea · 9aae2ea
2 parents 246b4ef + 3e59b4d
commit 9aae2ea
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/reqbaz/src/main/java/de/rwth/dbis/acis/bazaar/service/dal/entities/UserContext.java b/reqbaz/src/main/java/de/rwth/dbis/acis/bazaar/service/dal/entities/UserContext.java
@@ -42,6 +42,16 @@ public class UserContext extends EntityBase {
     )
     private Boolean isContributor;
 
+    @ApiModelProperty(
+            value = "Whether the user has privilege to move the requirement. Only returned when requesting requirement resources."
+    )
+    private Boolean isMoveAllowed;
+
+    @ApiModelProperty(
+            value = "Whether the user has privilege to delete the requirement, category, or project."
+    )
+    private Boolean isDeleteAllowed;
+
     @JsonIgnore
     @Override
     public int getId() {

diff --git a/...ain/java/de/rwth/dbis/acis/bazaar/service/dal/repositories/RequirementRepositoryImpl.java b/...ain/java/de/rwth/dbis/acis/bazaar/service/dal/repositories/RequirementRepositoryImpl.java
@@ -33,6 +33,7 @@
 import de.rwth.dbis.acis.bazaar.service.exception.ErrorCode;
 import de.rwth.dbis.acis.bazaar.service.exception.ExceptionHandler;
 import de.rwth.dbis.acis.bazaar.service.exception.ExceptionLocation;
+import de.rwth.dbis.acis.bazaar.service.security.AuthorizationManager;
 import org.apache.commons.lang3.tuple.ImmutablePair;
 import org.jetbrains.annotations.NotNull;
 import org.jooq.Record;
@@ -311,6 +312,12 @@ private ImmutablePair<List<Requirement>, Integer> getFilteredRequirements(Collec
                 requirement.setAttachments(attachmentList);
             }
 
+            // TODO We should refactor here: the same authorization check is made in the RequirementResource#moveRequirement(..) method
+            boolean authorizedToModifyRequirement = new AuthorizationManager().isAuthorizedInContext(userId, PrivilegeEnum.Modify_REQUIREMENT, requirement.getProjectId(), dalFacade);
+            userContext.isMoveAllowed(authorizedToModifyRequirement);
+
+            userContext.isDeleteAllowed(authorizedToModifyRequirement || requirement.isOwner(userId));
+
             requirement.setContext(EntityContextFactory.create(pageable.getEmbed(), queryResult, dalFacade));
             requirement.setUserContext(userContext.build());
             requirements.add(requirement);