diff --git a/src/main/java/alfio/config/RoleAndOrganizationsTransactionPreparer.java b/src/main/java/alfio/config/RoleAndOrganizationsTransactionPreparer.java
index b976e77d6a..c5dd5180bf 100644
--- a/src/main/java/alfio/config/RoleAndOrganizationsTransactionPreparer.java
+++ b/src/main/java/alfio/config/RoleAndOrganizationsTransactionPreparer.java
@@ -16,6 +16,7 @@ */
 package alfio.config;
+import alfio.config.authentication.support.OpenIdAlfioAuthentication;
 import lombok.extern.log4j.Log4j2;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
@@ -26,7 +27,8 @@ import org.springframework.web.context.request.ServletRequestAttributes;
 import javax.servlet.http.HttpServletRequest;
-import java.sql.*;
+import java.sql.Connection;
+import java.sql.SQLException;
 import java.util.Objects;
 import java.util.Set;
 import java.util.TreeSet;
@@ -67,6 +69,14 @@ private static boolean isLoggedUser() {
 return false;
 }
+ private static boolean isPublic() { SecurityContext context = SecurityContextHolder.getContext(); if (context != null && context.getAuthentication() instanceof OpenIdAlfioAuthentication) { return ((OpenIdAlfioAuthentication) context.getAuthentication()).isPublicUser(); } return false; }
+ private static boolean isAdmin() { if(isLoggedUser()) { return SecurityContextHolder.getContext().getAuthentication()
@@ -85,7 +95,7 @@ public static void prepareTransactionalConnection(Connection connection) throws
 if (!isInAHttpRequest()) {
 return;
 }
-boolean mustCheck = !isCurrentlyInAPublicUrlRequest() && isLoggedUser() && !isAdmin();
+boolean mustCheck = !isCurrentlyInAPublicUrlRequest() && isLoggedUser() && !isPublic() && !isAdmin();
 if (!mustCheck) {
 return;
 }
diff --git a/src/main/java/alfio/config/authentication/support/OpenIdAlfioAuthentication.java b/src/main/java/alfio/config/authentication/support/OpenIdAlfioAuthentication.java
index c2cc7deb8f..376c6e5d2a 100644
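Review bot: `isPublic()` calls `context.getAuthentication()` twice, once for the `instanceof` test and again for the cast, so the value that is cast is not the value that was checked; bind it once, `Authentication auth = context.getAuthentication(); if (auth instanceof OpenIdAlfioAuthentication) { return ((OpenIdAlfioAuthentication) auth).isPublicUser(); }` (importing `org.springframework.security.core.Authentication` if the file does not already). The `context != null` guard is also out of step with the sibling `isAdmin()` in the same hunk, which calls `SecurityContextHolder.getContext().getAuthentication()` without one; whichever convention is intended should be used in both. The `isAdmin()` body continues past the end of the hunk.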
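Review bot: The new `!isPublic()` term in `mustCheck` exempts any authentication whose `publicUser` flag is set from whatever per-organization preparation `prepareTransactionalConnection` applies to logged-in non-admin users, so that flag becomes a security invariant: it must only ever be true for identities that carry no organization authorities. Within this commit that holds, because the flag reaches the token via `BaseOpenIdAuthenticationManager.createOrRetrieveUser` from `OpenIdAlfioUser.isPublicUser()`, and `PublicOpenIdAuthenticationManager.fromToken` builds such users with `Set.of()` roles, but nothing in `isPublic()` or in this line checks it. Record the assumption where it is relied on, e.g. `// public OpenID users carry no organization roles, so the organization check does not apply to them`; if a stronger guarantee is wanted, `isPublic()` could additionally require the authentication's authorities to be empty and otherwise fall through to the check. The enclosing method starts and ends outside the hunk.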
--- a/src/main/java/alfio/config/authentication/support/OpenIdAlfioAuthentication.java
+++ b/src/main/java/alfio/config/authentication/support/OpenIdAlfioAuthentication.java
@@ -19,20 +19,28 @@ import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
+import java.io.Serializable;
 import java.util.Collection;
-public class OpenIdAlfioAuthentication extends AbstractAuthenticationToken {
+public class OpenIdAlfioAuthentication extends AbstractAuthenticationToken implements Serializable {
 private final String idToken;
 private final String subject;
 private final String email;
 private final String idpLogoutRedirectionUrl;
+ private final boolean publicUser;
- public OpenIdAlfioAuthentication(Collection authorities, String idToken, String subject, String email, String idpLogoutRedirectionUrl) {
+ public OpenIdAlfioAuthentication(Collection authorities, String idToken, String subject, String email, String idpLogoutRedirectionUrl, boolean publicUser) {
 super(authorities);
 this.idToken = idToken;
 this.subject = subject;
 this.email = email;
 this.idpLogoutRedirectionUrl = idpLogoutRedirectionUrl;
+ this.publicUser = publicUser;
 }
 @Override
@@ -53,4 +61,8 @@ public String getName() {
 public String getIdpLogoutRedirectionUrl() {
 return idpLogoutRedirectionUrl;
 }
+
+ public boolean isPublicUser() { return publicUser; }
 }
diff --git a/src/main/java/alfio/config/authentication/support/OpenIdAlfioUser.java b/src/main/java/alfio/config/authentication/support/OpenIdAlfioUser.java
index 17e92fd3d5..68391d7062 100644
--- a/src/main/java/alfio/config/authentication/support/OpenIdAlfioUser.java
+++ b/src/main/java/alfio/config/authentication/support/OpenIdAlfioUser.java
@@ -17,6 +17,7 @@ package alfio.config.authentication.support;
 import alfio.model.user.Role;
+import alfio.model.user.User;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
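Review bot: The class declaration gains `implements Serializable` but no `serialVersionUID`, and the same hunk adds the `publicUser` field, which changes the JVM-computed default `serialVersionUID`; any `OpenIdAlfioAuthentication` serialized before this change (for example in a persisted HTTP session, if the deployment persists sessions) will fail to deserialize with `InvalidClassException` after the upgrade. `AbstractAuthenticationToken` is already serializable through Spring Security's `Authentication` interface, so the `implements Serializable` clause is redundant; the useful line is `private static final long serialVersionUID = 1L;` (constructed value) alongside the fields. That does not rescue tokens written before this commit, whose streams carry the old computed value, but it keeps the next field addition from invalidating sessions again, and a token lacking the field would then deserialize with `publicUser == false`, i.e. without the exemption, which is the safe direction.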
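Review bot: `isPublicUser()` is added without Javadoc although it now drives an access decision in `RoleAndOrganizationsTransactionPreparer.isPublic()`, which skips the organization check when it returns true. Suggest documenting the contract the caller depends on: `/** True when this identity comes from the public OpenID flow. Such users are expected to carry no organization roles; RoleAndOrganizationsTransactionPreparer relies on this to skip the organization check. */`.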
@@ -29,7 +30,15 @@ public class OpenIdAlfioUser {
 private final String idToken;
 private final String subject;
 private final String email;
-private final boolean isAdmin;
+private final User.Type userType;
 private final Set alfioRoles;
 private final Map> alfioOrganizationAuthorizations;
+
+ public boolean isAdmin() { return userType == User.Type.INTERNAL && alfioRoles.contains(Role.ADMIN); }
+
+ public boolean isPublicUser() { return userType == User.Type.PUBLIC; }
 }
diff --git a/src/main/java/alfio/manager/openid/AdminOpenIdAuthenticationManager.java b/src/main/java/alfio/manager/openid/AdminOpenIdAuthenticationManager.java
index 512fb2d2bf..a010c4166f 100644
--- a/src/main/java/alfio/manager/openid/AdminOpenIdAuthenticationManager.java
+++ b/src/main/java/alfio/manager/openid/AdminOpenIdAuthenticationManager.java
@@ -81,7 +81,7 @@ protected OpenIdAlfioUser fromToken(String idToken, String subject, String email
 if (isAdmin) {
 log.trace("User is admin");
-return new OpenIdAlfioUser(idToken, subject, email, true, Set.of(Role.ADMIN), null);
+return new OpenIdAlfioUser(idToken, subject, email, getUserType(), Set.of(Role.ADMIN), null);
 }
 log.trace("User is NOT admin");
@@ -96,7 +96,7 @@ protected OpenIdAlfioUser fromToken(String idToken, String subject, String email
 log.trace("IdToken contains the following alfioGroups: {}", alfioOrganizationAuthorizationsRaw);
 Map> alfioOrganizationAuthorizations = extractOrganizationRoles(alfioOrganizationAuthorizationsRaw);
 Set alfioRoles = extractAlfioRoles(alfioOrganizationAuthorizations);
-return new OpenIdAlfioUser(idToken, subject, email, false, alfioRoles, alfioOrganizationAuthorizations);
+return new OpenIdAlfioUser(idToken, subject, email, getUserType(), alfioRoles, alfioOrganizationAuthorizations);
 }
 @SneakyThrows
diff --git a/src/main/java/alfio/manager/openid/BaseOpenIdAuthenticationManager.java b/src/main/java/alfio/manager/openid/BaseOpenIdAuthenticationManager.java
index 444a648386..21205e4b29 100644
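Review bot: `isAdmin()` now requires `userType == User.Type.INTERNAL` in addition to `Role.ADMIN`, which is a sensible hardening (a PUBLIC identity cannot be elevated by a role claim alone), but the intent is unrecorded and the method dereferences `alfioRoles` with no null guard. Every constructor call in this commit passes a non-null set (`Set.of(Role.ADMIN)`, `Set.of()`, `extractAlfioRoles(...)`), and the `@AllArgsConstructor` import suggests nothing validates the argument, so either state the non-null expectation on the field or write `return userType == User.Type.INTERNAL && alfioRoles != null && alfioRoles.contains(Role.ADMIN);`. Suggested comment above the method: `// Only INTERNAL identities can be admin; the type check keeps a PUBLIC identity from being elevated even if its roles contain ADMIN.` Note that the previous `@Getter`-generated `isAdmin()` on the removed boolean field had the same name, so callers compile unchanged but now get the stricter semantics.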
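Review bot: In the first hunk of `AdminOpenIdAuthenticationManager.fromToken` the literal `true` that marked the user as admin is replaced by `getUserType()`, so the admin branch now yields an admin only if `getUserType()` (defined outside the hunk) returns `User.Type.INTERNAL`, because `OpenIdAlfioUser.isAdmin()` requires that together with `Role.ADMIN`; if it ever returned `PUBLIC` for this manager, the `isAdmin` branch would silently produce a non-admin user with an `ADMIN` role in its set. A one-line comment at that return makes the coupling visible: `// admin status is decided by OpenIdAlfioUser.isAdmin(): getUserType() must be INTERNAL and the roles must contain ADMIN`. The second hunk has the same dependency; `fromToken` starts and ends outside both hunks.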
--- a/src/main/java/alfio/manager/openid/BaseOpenIdAuthenticationManager.java
+++ b/src/main/java/alfio/manager/openid/BaseOpenIdAuthenticationManager.java
@@ -124,7 +124,7 @@ private OpenIdAlfioAuthentication createOrRetrieveUser(OpenIdAlfioUser user, Map
 List authorities = user.getAlfioRoles().stream().map(Role::getRoleName)
 .map(SimpleGrantedAuthority::new).collect(Collectors.toList());
-return new OpenIdAlfioAuthentication(authorities, user.getIdToken(), user.getSubject(), user.getEmail(), buildLogoutUrl());
+return new OpenIdAlfioAuthentication(authorities, user.getIdToken(), user.getSubject(), user.getEmail(), buildLogoutUrl(), user.isPublicUser());
 }
 private static String retrieveClaimOrBlank(Map claims, String name) {
diff --git a/src/main/java/alfio/manager/openid/PublicOpenIdAuthenticationManager.java b/src/main/java/alfio/manager/openid/PublicOpenIdAuthenticationManager.java
index 3f18324879..9a6a176ca1 100644
--- a/src/main/java/alfio/manager/openid/PublicOpenIdAuthenticationManager.java
+++ b/src/main/java/alfio/manager/openid/PublicOpenIdAuthenticationManager.java
@@ -67,7 +67,7 @@ public PublicOpenIdAuthenticationManager(HttpClient httpClient,
 @Override
 protected OpenIdAlfioUser fromToken(String idToken, String subject, String email, Map claims) {
-return new OpenIdAlfioUser(idToken, subject, email, false, Set.of(), Map.of());
+return new OpenIdAlfioUser(idToken, subject, email, getUserType(), Set.of(), Map.of());
 }
 @Override