Moderator cannot delete reusable despite reusable:*:delete permission …

…#2158 (#2159)
OHDSI · Nov 11, 2022 · 16d69d6 · 16d69d6
1 parent e79e04f
commit 16d69d6
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 3 deletions.
diff --git a/pom.xml b/pom.xml
@@ -242,6 +242,7 @@
 
     <!-- Sensitive Info settings -->
     <sensitiveinfo.admin.role>admin</sensitiveinfo.admin.role>
+    <sensitiveinfo.moderator.role>Moderator</sensitiveinfo.moderator.role>
     <!-- Use "-" for files without extension, "*" for all files, extension must not include a leading dot. Use comma to separate values.
      In case of "*" other values will be ignored -->
     <sensitiveinfo.analysis.extensions>txt</sensitiveinfo.analysis.extensions>

diff --git a/src/main/java/org/ohdsi/webapi/common/sensitiveinfo/AbstractAdminService.java b/src/main/java/org/ohdsi/webapi/common/sensitiveinfo/AbstractAdminService.java
@@ -18,6 +18,9 @@ public abstract class AbstractAdminService {
     @Value("${sensitiveinfo.admin.role}")
     private String adminRole;
 
+    @Value("${sensitiveinfo.moderator.role}")
+    private String moderatorRole;
+
     @Value("${security.provider}")
     private String securityProvider;
 
@@ -29,17 +32,25 @@ protected boolean isSecured() {
     }
 
     protected boolean isAdmin() {
+        return isInRole(this.adminRole);
+    }
+
+    protected boolean isModerator() {
+        return isInRole(this.moderatorRole);
+    }
+
+    private boolean isInRole(final String role) {
         if (!isSecured()) {
             return true;
         }
         try {
             UserEntity currentUser = permissionManager.getCurrentUser();
             if (Objects.nonNull(currentUser)) {
                 Set<RoleEntity> roles = permissionManager.getUserRoles(currentUser.getId());
-                return roles.stream().anyMatch(r -> Objects.nonNull(r.getName()) && r.getName().equals(adminRole));
+                return roles.stream().anyMatch(r -> Objects.nonNull(r.getName()) && r.getName().equalsIgnoreCase(role));
             }
         } catch (Exception e) {
-            LOGGER.warn("Failed to check administrative rights, fallback to regular", e);
+            LOGGER.warn("Failed to check rights, fallback to regular", e);
         }
         return false;
     }

diff --git a/src/main/java/org/ohdsi/webapi/reusable/ReusableService.java b/src/main/java/org/ohdsi/webapi/reusable/ReusableService.java
@@ -133,7 +133,7 @@ public void unassignTag(Integer id, int tagId) {
     public void delete(Integer id) {
         Reusable existing = reusableRepository.findOne(id);
 
-        checkOwnerOrAdmin(existing.getCreatedBy());
+        checkOwnerOrAdminOrModerator(existing.getCreatedBy());
 
         reusableRepository.delete(id);
     }

diff --git a/src/main/java/org/ohdsi/webapi/service/AbstractDaoService.java b/src/main/java/org/ohdsi/webapi/service/AbstractDaoService.java
@@ -399,6 +399,19 @@ protected void checkOwnerOrAdmin(UserEntity owner) {
     }
   }
 
+  protected void checkOwnerOrAdminOrModerator(UserEntity owner) {
+    if (security instanceof DisabledSecurity) {
+      return;
+    }
+
+    UserEntity user = getCurrentUser();
+    Long ownerId = Objects.nonNull(owner) ? owner.getId() : null;
+
+    if (!(user.getId().equals(ownerId) || isAdmin() || isModerator())) {
+      throw new ForbiddenException();
+    }
+  }
+
   protected void checkOwnerOrAdminOrGranted(CommonEntity<?> entity) {
     if (security instanceof DisabledSecurity) {
       return;

diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
@@ -240,6 +240,7 @@ jdbc.suppressInvalidApiException=${jdbc.suppressInvalidApiException}
 
 #Sensitive info settings
 sensitiveinfo.admin.role=${sensitiveinfo.admin.role}
+sensitiveinfo.moderator.role=${sensitiveinfo.moderator.role}
 sensitiveinfo.analysis.extensions=${sensitiveinfo.analysis.extensions}
 analysis.result.zipVolumeSizeMb=${analysis.result.zipVolumeSizeMb}