HAWKULAR-868 - Protected listing of memberships

hawkular · Dec 15, 2015 · 2b37835 · 2b37835
1 parent aa00756
commit 2b37835
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/accounts/src/main/java/org/hawkular/accounts/backend/boundary/OrganizationEndpoint.java b/accounts/src/main/java/org/hawkular/accounts/backend/boundary/OrganizationEndpoint.java
@@ -197,6 +197,11 @@ public Response getOrganization(@PathParam("id") String id) {
             return Response.status(Response.Status.NOT_FOUND).build();
         }
 
+        if (!permissionChecker.isAllowedTo(operationRead, organization.getId(), personaInstance.get())) {
+            String message = "The specified organization could not be found for this persona.";
+            return Response.status(Response.Status.NOT_FOUND).entity(new ErrorResponse(message)).build();
+        }
+
         return Response.ok().entity(organization).build();
     }
 

diff --git a/.../src/main/java/org/hawkular/accounts/backend/boundary/OrganizationMembershipEndpoint.java b/.../src/main/java/org/hawkular/accounts/backend/boundary/OrganizationMembershipEndpoint.java
@@ -20,6 +20,7 @@
 
 import javax.annotation.security.PermitAll;
 import javax.ejb.Stateless;
+import javax.enterprise.inject.Instance;
 import javax.inject.Inject;
 import javax.validation.constraints.NotNull;
 import javax.ws.rs.GET;
@@ -37,6 +38,7 @@
 import org.hawkular.accounts.api.model.Operation;
 import org.hawkular.accounts.api.model.Organization;
 import org.hawkular.accounts.api.model.OrganizationMembership;
+import org.hawkular.accounts.api.model.Persona;
 import org.hawkular.accounts.api.model.Role;
 import org.hawkular.accounts.backend.entity.rest.ErrorResponse;
 import org.hawkular.accounts.backend.entity.rest.OrganizationMembershipUpdateRequest;
@@ -66,6 +68,13 @@ public class OrganizationMembershipEndpoint {
     @NamedOperation("organization-change-role-of-members")
     Operation changeMemberRole;
 
+    @Inject
+    @NamedOperation("organization-read")
+    Operation readOrganization;
+
+    @Inject
+    Instance<Persona> personaInstance;
+
     @GET
     @Path("/{membershipId}")
     public Response getMembership(@PathParam("membershipId") String membershipId) {
@@ -80,12 +89,25 @@ public Response getMembership(@PathParam("membershipId") String membershipId) {
             return Response.status(Response.Status.NOT_FOUND).entity(new ErrorResponse(message)).build();
         }
 
+        if (!permissionChecker.isAllowedTo(readOrganization,
+                membership.getOrganization().getId(),
+                personaInstance.get())) {
+            String message = "The specified organization could not be found for this persona.";
+            return Response.status(Response.Status.NOT_FOUND).entity(new ErrorResponse(message)).build();
+        }
+
         return Response.ok().entity(membership).build();
     }
 
     @GET
     public Response getOrganizationMembershipsForOrganization(@QueryParam("organizationId") String organizationId) {
         Organization organization = organizationService.get(organizationId);
+
+        if (!permissionChecker.isAllowedTo(readOrganization, organization.getId(), personaInstance.get())) {
+            String message = "The specified organization could not be found for this persona.";
+            return Response.status(Response.Status.NOT_FOUND).entity(new ErrorResponse(message)).build();
+        }
+
         List<OrganizationMembership> memberships = membershipService.getMembershipsForOrganization(organization);
         return Response.ok().entity(memberships).build();
     }