(Bug) Check for appropriate permissions on delete operations

apiman · Apr 8, 2016 · 0a14f47 · 0a14f47
1 parent 5037664
commit 0a14f47
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 27 deletions.
diff --git a/manager/api/jpa/src/main/java/io/apiman/manager/api/jpa/AbstractJpaStorage.java b/manager/api/jpa/src/main/java/io/apiman/manager/api/jpa/AbstractJpaStorage.java
@@ -118,20 +118,6 @@ protected void rollbackTx() {
         }
     }
 
-    protected void rollbackTx(Exception e) {
-        e.printStackTrace();
-
-        if (activeEM.get() == null) {
-            throw new RuntimeException("Transaction not active."); //$NON-NLS-1$
-        }
-        try {
-            JpaUtil.rollbackQuietly(activeEM.get());
-        } finally {
-            activeEM.get().close();
-            activeEM.set(null);
-        }
-    }
-
     /**
      * @return the thread's entity manager
      * @throws StorageException if a storage problem occurs while storing a bean
@@ -454,17 +440,6 @@ public T next() {
             return rval;
         }
 
-        /**
-         * @throws StorageException
-         */
-        private EntityManager entityManager() {
-            try {
-                return getActiveEntityManager();
-            } catch (StorageException e) {
-                throw new RuntimeException(e);
-            }
-        }
-
         /**
          * @see java.util.Iterator#remove()
          */

diff --git a/...api/rest-impl/src/main/java/io/apiman/manager/api/rest/impl/OrganizationResourceImpl.java b/...api/rest-impl/src/main/java/io/apiman/manager/api/rest/impl/OrganizationResourceImpl.java
@@ -286,8 +286,10 @@ public OrganizationBean create(NewOrganizationBean bean) throws OrganizationAlre
     @Override
     public void delete(@PathParam("organizationId") String organizationId) throws OrganizationNotFoundException, NotAuthorizedException, EntityStillActiveException {
         try {
-            storage.beginTx();
+            if (!securityContext.hasPermission(PermissionType.orgAdmin, organizationId))
+                throw ExceptionFactory.notAuthorizedException();
 
+            storage.beginTx();
             OrganizationBean organizationBean = storage.getOrganization(organizationId);
             if (organizationBean == null) {
                 throw ExceptionFactory.organizationNotFoundException(organizationId);
@@ -334,6 +336,9 @@ public void delete(@PathParam("organizationId") String organizationId) throws Or
     @Override
     public void deleteClient(@PathParam("organizationId") String organizationId, @PathParam("clientId") String clientId) throws OrganizationNotFoundException, NotAuthorizedException, EntityStillActiveException {
         try {
+            if (!securityContext.hasPermission(PermissionType.clientAdmin, organizationId))
+                throw ExceptionFactory.notAuthorizedException();
+
             storage.beginTx();
             ClientBean client = storage.getClient(organizationId, clientId);
             if (client == null) {
@@ -366,8 +371,10 @@ public void deleteClient(@PathParam("organizationId") String organizationId, @Pa
     @Override
     public void deleteApi(@PathParam("organizationId") String organizationId, @PathParam("apiId") String apiId) throws OrganizationNotFoundException, NotAuthorizedException, EntityStillActiveException {
         try {
-            storage.beginTx();
+            if (!securityContext.hasPermission(PermissionType.apiAdmin, organizationId))
+                throw ExceptionFactory.notAuthorizedException();
 
+            storage.beginTx();
             ApiBean api = storage.getApi(organizationId, apiId);
             if (api == null) {
                 throw ExceptionFactory.apiNotFoundException(apiId);