Fix authz issue on epersons endpoint

DSpace · Jun 1, 2018 · 1d7efbd · 1d7efbd
1 parent 07b4926
commit 1d7efbd
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/dspace-spring-rest/src/main/java/org/dspace/app/rest/repository/EPersonRestRepository.java b/dspace-spring-rest/src/main/java/org/dspace/app/rest/repository/EPersonRestRepository.java
@@ -12,8 +12,10 @@
 import java.util.UUID;
 
 import org.dspace.app.rest.converter.EPersonConverter;
+import org.dspace.app.rest.exception.RESTAuthorizationException;
 import org.dspace.app.rest.model.EPersonRest;
 import org.dspace.app.rest.model.hateoas.EPersonResource;
+import org.dspace.authorize.service.AuthorizeService;
 import org.dspace.core.Context;
 import org.dspace.eperson.EPerson;
 import org.dspace.eperson.factory.EPersonServiceFactory;
@@ -33,6 +35,9 @@
 @Component(EPersonRest.CATEGORY + "." + EPersonRest.NAME)
 public class EPersonRestRepository extends DSpaceRestRepository<EPersonRest, UUID> {
     EPersonService es = EPersonServiceFactory.getInstance().getEPersonService();
+
+    @Autowired
+    AuthorizeService authorizeService;
 
     @Autowired
     EPersonConverter converter;
@@ -56,6 +61,10 @@ public Page<EPersonRest> findAll(Context context, Pageable pageable) {
         List<EPerson> epersons = null;
         int total = 0;
         try {
+            if (!authorizeService.isAdmin(context)) {
+                throw new RESTAuthorizationException(
+                        "The EPerson collection endpoint is reserved to system administrators");
+            }
             total = es.countTotal(context);
             epersons = es.findAll(context, EPerson.ID, pageable.getPageSize(), pageable.getOffset());
         } catch (SQLException e) {