request made with a system API Key must skip row level security

alfio-event · Apr 21, 2023 · 774ed9e · 774ed9e
1 parent d233b42
commit 774ed9e
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/main/java/alfio/config/RoleAndOrganizationsTransactionPreparer.java b/src/main/java/alfio/config/RoleAndOrganizationsTransactionPreparer.java
@@ -34,9 +34,14 @@
 import java.util.TreeSet;
 import java.util.stream.Collectors;
 
+import static alfio.config.authentication.support.AuthenticationConstants.ADMIN;
+import static alfio.config.authentication.support.AuthenticationConstants.SYSTEM_API_CLIENT;
+
 @Log4j2
 class RoleAndOrganizationsTransactionPreparer {
 
+    private RoleAndOrganizationsTransactionPreparer() {}
+
     private static final OrRequestMatcher IS_PUBLIC_URLS = new OrRequestMatcher(
         new AntPathRequestMatcher("/resources/**"),
         new AntPathRequestMatcher("/webjars/**"),
@@ -82,7 +87,7 @@ private static boolean isAdmin() {
             return SecurityContextHolder.getContext().getAuthentication()
                 .getAuthorities().stream()
                 .map(GrantedAuthority::getAuthority)
-                .anyMatch("ROLE_ADMIN"::equals);
+                .anyMatch(authority -> authority.equals("ROLE_" + SYSTEM_API_CLIENT) || authority.equals("ROLE_" + ADMIN));
         }
         return false;
     }