From 0a14f477086e9e3958f412987351933b9f8d6ba8 Mon Sep 17 00:00:00 2001
From: Marc Savy
Date: Thu, 7 Apr 2016 17:53:32 +0100
Subject: [PATCH] (Bug) Check for appropriate permissions on delete operations
---
 .../manager/api/jpa/AbstractJpaStorage.java | 25 -------------------
 .../rest/impl/OrganizationResourceImpl.java | 11 ++++++--
 2 files changed, 9 insertions(+), 27 deletions(-)
diff --git a/manager/api/jpa/src/main/java/io/apiman/manager/api/jpa/AbstractJpaStorage.java b/manager/api/jpa/src/main/java/io/apiman/manager/api/jpa/AbstractJpaStorage.java
index 48ee2af32c..d3a12749f8 100644
--- a/manager/api/jpa/src/main/java/io/apiman/manager/api/jpa/AbstractJpaStorage.java
+++ b/manager/api/jpa/src/main/java/io/apiman/manager/api/jpa/AbstractJpaStorage.java
@@ -118,20 +118,6 @@ protected void rollbackTx() {
 }
 }
- protected void rollbackTx(Exception e) {
- e.printStackTrace();
-
- if (activeEM.get() == null) {
- throw new RuntimeException("Transaction not active."); //$NON-NLS-1$
- }
- try {
- JpaUtil.rollbackQuietly(activeEM.get());
- } finally {
- activeEM.get().close();
- activeEM.set(null);
- }
- }
-
 /**
 * @return the thread's entity manager
 * @throws StorageException if a storage problem occurs while storing a bean
@@ -454,17 +440,6 @@ public T next() {
 return rval;
 }
- /**
- * @throws StorageException
- */
- private EntityManager entityManager() {
- try {
- return getActiveEntityManager();
- } catch (StorageException e) {
- throw new RuntimeException(e);
- }
- }
-
 /**
 * @see java.util.Iterator#remove()
 */
diff --git a/manager/api/rest-impl/src/main/java/io/apiman/manager/api/rest/impl/OrganizationResourceImpl.java b/manager/api/rest-impl/src/main/java/io/apiman/manager/api/rest/impl/OrganizationResourceImpl.java
index 2f62afab61..0977995953 100644
--- a/manager/api/rest-impl/src/main/java/io/apiman/manager/api/rest/impl/OrganizationResourceImpl.java
+++ b/manager/api/rest-impl/src/main/java/io/apiman/manager/api/rest/impl/OrganizationResourceImpl.java
@@ -286,8 +286,10 @@ public OrganizationBean create(NewOrganizationBean bean) throws OrganizationAlre
 @Override public void delete(@PathParam("organizationId") String organizationId) throws OrganizationNotFoundException, NotAuthorizedException, EntityStillActiveException {
 try {
- storage.beginTx();
+ if (!securityContext.hasPermission(PermissionType.orgAdmin, organizationId))
+ throw ExceptionFactory.notAuthorizedException();
+ storage.beginTx();
 OrganizationBean organizationBean = storage.getOrganization(organizationId);
 if (organizationBean == null) {
 throw ExceptionFactory.organizationNotFoundException(organizationId);
@@ -334,6 +336,9 @@ public void delete(@PathParam("organizationId") String organizationId) throws Or
 @Override public void deleteClient(@PathParam("organizationId") String organizationId, @PathParam("clientId") String clientId) throws OrganizationNotFoundException, NotAuthorizedException, EntityStillActiveException {
 try {
+ if (!securityContext.hasPermission(PermissionType.clientAdmin, organizationId))
+ throw ExceptionFactory.notAuthorizedException();
+ storage.beginTx();
 ClientBean client = storage.getClient(organizationId, clientId);
 if (client == null) {
@@ -366,8 +371,10 @@ public void deleteClient(@PathParam("organizationId") String organizationId, @Pa
 @Override public void deleteApi(@PathParam("organizationId") String organizationId, @PathParam("apiId") String apiId) throws OrganizationNotFoundException, NotAuthorizedException, EntityStillActiveException {
 try {
- storage.beginTx();
+ if (!securityContext.hasPermission(PermissionType.apiAdmin, organizationId))
+ throw ExceptionFactory.notAuthorizedException();
+ storage.beginTx();
 ApiBean api = storage.getApi(organizationId, apiId);
 if (api == null) {
 throw ExceptionFactory.apiNotFoundException(apiId);
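Review bot: The new permission check is placed inside the `try` in delete, deleteClient and deleteApi, so a NotAuthorizedException now reaches each method's catch block before `storage.beginTx()` has been called; if that catch (outside the hunk) invokes `storage.rollbackTx()`, the rollback runs with no active transaction, and the removed `rollbackTx(Exception)` overload in the AbstractJpaStorage hunk shows that path throwing `RuntimeException("Transaction not active.")`, which would replace the intended 403 with a 500 should the surviving `rollbackTx()` keep the same guard. Moving the check above `try {` keeps the authorization failure out of the transaction error path: `if (!securityContext.hasPermission(PermissionType.orgAdmin, organizationId)) { throw ExceptionFactory.notAuthorizedException(); }` then `try {`, with the matching `clientAdmin` and `apiAdmin` variants in the other two methods. Bracing the one-line `if` also matches the `if (organizationBean == null) {` style of the surrounding code. Checking the permission before looking the entity up is the right order, since an unauthorized caller learns nothing about whether the organization, client or API exists. All three method bodies, including their catch blocks, continue past the hunk.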