ENG-683 Page Configuration Permissions (#914)

* ENG-683 Fixed permissions for categories, groups, languages and page templates; * ENG-683 added test coverage * ENG-683 fixed more permissions and added test coverage * ENG-683 fixed tests; Co-authored-by: Filipe Leandro <ffleandro>
entando · Jul 3, 2020 · 6958f10 · 6958f10
1 parent 2a6a33f
commit 6958f10
Show file tree

Hide file tree

Showing 15 changed files with 151 additions and 77 deletions.
diff --git a/.../src/main/java/org/entando/entando/aps/system/services/page/PageAuthorizationService.java b/.../src/main/java/org/entando/entando/aps/system/services/page/PageAuthorizationService.java
@@ -13,6 +13,8 @@
  */
 package org.entando.entando.aps.system.services.page;
 
+import static org.entando.entando.aps.system.services.page.PageService.ERRCODE_PAGE_NOT_FOUND;
+
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
@@ -23,6 +25,7 @@
 import com.agiletec.aps.system.services.page.IPage;
 import com.agiletec.aps.system.services.page.IPageManager;
 import com.agiletec.aps.system.services.user.UserDetails;
+import org.entando.entando.aps.system.exception.ResourceNotFoundException;
 import org.entando.entando.aps.system.services.auth.AbstractAuthorizationService;
 import org.entando.entando.aps.system.services.page.model.PageDto;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -63,6 +66,9 @@ public boolean isAuth(UserDetails user, PageDto pageDto) {
     @Override
     public boolean isAuth(UserDetails user, String pageCode) {
         IPage page = this.getPageManager().getDraftPage(pageCode);
+        if (page == null) {
+            throw new ResourceNotFoundException(ERRCODE_PAGE_NOT_FOUND, "page", pageCode);
+        }
         return this.isAuth(user, page);
     }
 

diff --git a/engine/src/main/java/org/entando/entando/aps/system/services/page/PageService.java b/engine/src/main/java/org/entando/entando/aps/system/services/page/PageService.java
@@ -91,16 +91,15 @@ public class PageService implements IPageService, GroupServiceUtilizer<PageDto>,
 
     private final Logger logger = LoggerFactory.getLogger(getClass());
 
-    private static final String ERRCODE_PAGE_NOT_FOUND = "1";
-    private static final String ERRCODE_PAGEMODEL_NOT_FOUND = "1";
-    private static final String ERRCODE_GROUP_NOT_FOUND = "2";
-    private static final String ERRCODE_PARENT_NOT_FOUND = "3";
-    private static final String ERRCODE_PAGE_ONLY_DRAFT = "3";
-    private static final String ERRCODE_FRAME_INVALID = "2";
-    private static final String ERRCODE_WIDGET_INVALID = "4";
-    private static final String ERRCODE_STATUS_INVALID = "3";
-
-    private static final String ERRCODE_PAGE_REFERENCES = "5";
+    public static final String ERRCODE_PAGE_NOT_FOUND = "1";
+    public static final String ERRCODE_PAGEMODEL_NOT_FOUND = "1";
+    public static final String ERRCODE_GROUP_NOT_FOUND = "2";
+    public static final String ERRCODE_PARENT_NOT_FOUND = "3";
+    public static final String ERRCODE_PAGE_ONLY_DRAFT = "3";
+    public static final String ERRCODE_FRAME_INVALID = "2";
+    public static final String ERRCODE_WIDGET_INVALID = "4";
+    public static final String ERRCODE_STATUS_INVALID = "3";
+    public static final String ERRCODE_PAGE_REFERENCES = "5";
 
     @Autowired
     private IPageManager pageManager;

diff --git a/engine/src/main/java/org/entando/entando/web/category/CategoryController.java b/engine/src/main/java/org/entando/entando/web/category/CategoryController.java
@@ -79,23 +79,23 @@ public ResponseEntity<RestResponse<List<CategoryDto>, Map<String, String>>> getC
         return new ResponseEntity<>(new RestResponse<>(result, metadata), HttpStatus.OK);
     }
 
-    @RestAccessControl(permission = Permission.ENTER_BACKEND)
+    @RestAccessControl(permission = Permission.MANAGE_CATEGORIES)
     @RequestMapping(value = "/{categoryCode}", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<SimpleRestResponse<CategoryDto>> getCategory(@PathVariable String categoryCode) {
         logger.debug("getting category {}", categoryCode);
         CategoryDto category = this.getCategoryService().getCategory(categoryCode);
         return new ResponseEntity<>(new SimpleRestResponse<>(category), HttpStatus.OK);
     }
 
-    @RestAccessControl(permission = Permission.SUPERUSER)
+    @RestAccessControl(permission = Permission.MANAGE_CATEGORIES)
     @RequestMapping(value = "/{categoryCode}/references/{holder}", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<PagedRestResponse<?>> getCategoryReferences(@PathVariable String categoryCode, @PathVariable String holder, RestListRequest requestList) {
         logger.debug("getting category references - {}", categoryCode);
         PagedMetadata<?> result = this.getCategoryService().getCategoryReferences(categoryCode, holder, requestList);
         return new ResponseEntity<>(new PagedRestResponse<>(result), HttpStatus.OK);
     }
 
-    @RestAccessControl(permission = Permission.SUPERUSER)
+    @RestAccessControl(permission = Permission.MANAGE_CATEGORIES)
     @RequestMapping(method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<SimpleRestResponse<CategoryDto>> addCategory(@Valid @RequestBody CategoryDto categoryRequest, BindingResult bindingResult) throws ApsSystemException {
         //field validations
@@ -109,7 +109,7 @@ public ResponseEntity<SimpleRestResponse<CategoryDto>> addCategory(@Valid @Reque
         return new ResponseEntity<>(new SimpleRestResponse<>(category), HttpStatus.OK);
     }
 
-    @RestAccessControl(permission = Permission.SUPERUSER)
+    @RestAccessControl(permission = Permission.MANAGE_CATEGORIES)
     @RequestMapping(value = "/{categoryCode}", method = RequestMethod.PUT, produces = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<RestResponse<CategoryDto, Map<String, String>>> updateCategory(@PathVariable String categoryCode, @Valid @RequestBody CategoryDto categoryRequest, BindingResult bindingResult) {
         logger.debug("updating category {} with request {}", categoryCode, categoryRequest);
@@ -126,7 +126,7 @@ public ResponseEntity<RestResponse<CategoryDto, Map<String, String>>> updateCate
         return new ResponseEntity<>(new RestResponse<>(category, metadata), HttpStatus.OK);
     }
 
-    @RestAccessControl(permission = Permission.SUPERUSER)
+    @RestAccessControl(permission = Permission.MANAGE_CATEGORIES)
     @RequestMapping(value = "/{categoryCode}", method = RequestMethod.DELETE, produces = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<SimpleRestResponse<Map<String, String>>> deleteCategory(@PathVariable String categoryCode) throws ApsSystemException {
         logger.debug("Deleting category -> " + categoryCode);

diff --git a/engine/src/main/java/org/entando/entando/web/group/GroupController.java b/engine/src/main/java/org/entando/entando/web/group/GroupController.java
@@ -70,7 +70,7 @@ public void setGroupValidator(GroupValidator groupValidator) {
         this.groupValidator = groupValidator;
     }
 
-    @RestAccessControl(permission = Permission.SUPERUSER)
+    @RestAccessControl(permission = Permission.MANAGE_PAGES)
     @RequestMapping(method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<PagedRestResponse<GroupDto>> getGroups(RestListRequest requestList) throws JsonProcessingException {
         this.getGroupValidator().validateRestListRequest(requestList, GroupDto.class);

diff --git a/engine/src/main/java/org/entando/entando/web/language/LanguageController.java b/engine/src/main/java/org/entando/entando/web/language/LanguageController.java
@@ -65,7 +65,7 @@ public void setLanguageValidator(LanguageValidator languageValidator) {
         this.languageValidator = languageValidator;
     }
 
-    @RestAccessControl(permission = Permission.SUPERUSER)
+    @RestAccessControl(permission = Permission.MANAGE_PAGES)
     @RequestMapping(method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<PagedRestResponse<LanguageDto>> getLanguages(RestListRequest requestList) {
         logger.trace("loading languages list");

diff --git a/engine/src/main/java/org/entando/entando/web/page/PageConfigurationController.java b/engine/src/main/java/org/entando/entando/web/page/PageConfigurationController.java
@@ -62,7 +62,7 @@ public void setPageService(IPageService pageService) {
         this.pageService = pageService;
     }
 
-    @RestAccessControl(permission = Permission.SUPERUSER)
+    @RestAccessControl(permission = Permission.MANAGE_PAGES)
     @RequestMapping(value = "/pages/{pageCode}/configuration", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<RestResponse<PageConfigurationDto, Map>> getPageConfiguration(@PathVariable String pageCode, @RequestParam(value = "status", required = false, defaultValue = IPageService.STATUS_DRAFT) String status) {
         logger.debug("requested {} configuration", pageCode);
@@ -72,7 +72,7 @@ public ResponseEntity<RestResponse<PageConfigurationDto, Map>> getPageConfigurat
         return new ResponseEntity<>(new RestResponse<>(pageConfiguration, metadata), HttpStatus.OK);
     }
 
-    @RestAccessControl(permission = Permission.SUPERUSER)
+    @RestAccessControl(permission = Permission.MANAGE_PAGES)
     @RequestMapping(value = "/pages/{pageCode}/widgets", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<RestResponse<List<WidgetConfigurationDto>, Map>> getPageWidgets(@PathVariable String pageCode, @RequestParam(value = "status", required = false, defaultValue = IPageService.STATUS_DRAFT) String status) {
         logger.debug("requested {} widgets detail", pageCode);
@@ -87,7 +87,7 @@ public ResponseEntity<RestResponse<List<WidgetConfigurationDto>, Map>> getPageWi
         return new ResponseEntity<>(new RestResponse<>(widgetConfigDtos, metadata), HttpStatus.OK);
     }
 
-    @RestAccessControl(permission = Permission.SUPERUSER)
+    @RestAccessControl(permission = Permission.MANAGE_PAGES)
     @RequestMapping(value = "/pages/{pageCode}/widgets/{frameId}", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<RestResponse<WidgetConfigurationDto, Map>> getPageWidget(@PathVariable String pageCode,
             @PathVariable String frameId,
@@ -110,7 +110,7 @@ public ResponseEntity<RestResponse<WidgetConfigurationDto, Map>> getPageWidget(@
     }
 
     @ActivityStreamAuditable
-    @RestAccessControl(permission = Permission.SUPERUSER)
+    @RestAccessControl(permission = Permission.MANAGE_PAGES)
     @RequestMapping(value = "/pages/{pageCode}/widgets/{frameId}", method = RequestMethod.PUT, produces = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<RestResponse<WidgetConfigurationDto, Map>> updatePageWidget(
             @PathVariable String pageCode,
@@ -131,7 +131,7 @@ public ResponseEntity<RestResponse<WidgetConfigurationDto, Map>> updatePageWidge
     }
 
     @ActivityStreamAuditable
-    @RestAccessControl(permission = Permission.SUPERUSER)
+    @RestAccessControl(permission = Permission.MANAGE_PAGES)
     @RequestMapping(value = "/pages/{pageCode}/widgets/{frameId}", method = RequestMethod.DELETE, produces = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<RestResponse<Map, Map>> deletePageWidget(@PathVariable String pageCode, @PathVariable String frameId) {
         logger.debug("removing widget configuration in page {} and frame {}", pageCode, frameId);
@@ -149,7 +149,7 @@ public ResponseEntity<RestResponse<Map, Map>> deletePageWidget(@PathVariable Str
     }
 
     @ActivityStreamAuditable
-    @RestAccessControl(permission = Permission.SUPERUSER)
+    @RestAccessControl(permission = Permission.MANAGE_PAGES)
     @RequestMapping(value = "/pages/{pageCode}/configuration/restore", method = RequestMethod.PUT, produces = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<RestResponse<PageConfigurationDto, Map>> updatePageConfiguration(@PathVariable String pageCode) {
         logger.debug("restore configuration on page {}", pageCode);
@@ -159,7 +159,7 @@ public ResponseEntity<RestResponse<PageConfigurationDto, Map>> updatePageConfigu
     }
 
     @ActivityStreamAuditable
-    @RestAccessControl(permission = Permission.SUPERUSER)
+    @RestAccessControl(permission = Permission.MANAGE_PAGES)
     @RequestMapping(value = "/pages/{pageCode}/configuration/defaultWidgets", method = RequestMethod.PUT, produces = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<SimpleRestResponse<PageConfigurationDto>> applyDefaultWidgetsPageConfiguration(@PathVariable String pageCode) {
         logger.debug("applying default widgets on page {}", pageCode);

diff --git a/engine/src/main/java/org/entando/entando/web/page/PageController.java b/engine/src/main/java/org/entando/entando/web/page/PageController.java
@@ -220,7 +220,7 @@ public ResponseEntity<RestResponse<PageDto, Map<String, String>>> updatePage(@Mo
 
 
     @ActivityStreamAuditable
-    @RestAccessControl(permission = Permission.SUPERUSER)
+    @RestAccessControl(permission = Permission.MANAGE_PAGES)
     @RequestMapping(value = "/pages/{pageCode}/status", method = RequestMethod.PUT, produces = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<RestResponse<PageDto, Map<String, String>>> updatePageStatus(
             @ModelAttribute("user") UserDetails user, @PathVariable String pageCode,
@@ -292,14 +292,17 @@ public ResponseEntity<SimpleRestResponse<?>> deletePage(@ModelAttribute("user")
     @RequestMapping(value = "/pages/{pageCode}/position", method = RequestMethod.PUT, produces = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<SimpleRestResponse<PageDto>> movePage(@ModelAttribute("user") UserDetails user, @PathVariable String pageCode, @Valid @RequestBody PagePositionRequest pageRequest, BindingResult bindingResult) {
         logger.debug("changing position for page {} with request {}", pageCode, pageRequest);
-        if (!this.getAuthorizationService().isAuth(user, pageCode)) {
-            return new ResponseEntity<>(new SimpleRestResponse<>(new PageDto()), HttpStatus.UNAUTHORIZED);
-        }
+
         //field validations
         if (bindingResult.hasErrors()) {
             throw new ValidationGenericException(bindingResult);
         }
         this.getPageValidator().validateMovePage(pageCode, bindingResult, pageRequest);
+
+        if (!this.getAuthorizationService().isAuth(user, pageCode)) {
+            return new ResponseEntity<>(new SimpleRestResponse<>(new PageDto()), HttpStatus.UNAUTHORIZED);
+        }
+
         PageDto page = this.getPageService().movePage(pageCode, pageRequest);
         return new ResponseEntity<>(new SimpleRestResponse<>(page), HttpStatus.OK);
     }

diff --git a/engine/src/main/java/org/entando/entando/web/pagemodel/PageModelController.java b/engine/src/main/java/org/entando/entando/web/pagemodel/PageModelController.java
@@ -58,7 +58,7 @@ public PageModelController(IPageModelService pageModelService, PageModelValidato
             @ApiResponse(code = 200, message = "OK"),
             @ApiResponse(code = 400, message = "Bad Request")
     })
-    @RestAccessControl(permission = Permission.SUPERUSER)
+    @RestAccessControl(permission = Permission.MANAGE_PAGES)
     @GetMapping
     public ResponseEntity<PagedRestResponse<PageModelDto>> getPageModels(
             RestListRequest requestList, @RequestParam Map<String, String> requestParams) {

diff --git a/engine/src/main/java/org/entando/entando/web/widget/WidgetController.java b/engine/src/main/java/org/entando/entando/web/widget/WidgetController.java
@@ -52,7 +52,7 @@ public class WidgetController {
     @Autowired
     private WidgetValidator widgetValidator;
 
-    @RestAccessControl(permission = Permission.SUPERUSER)
+    @RestAccessControl(permission = Permission.MANAGE_PAGES)
     @RequestMapping(value = "/widgets/{widgetCode}", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<SimpleRestResponse<WidgetDto>> getWidget(@PathVariable String widgetCode) {
         logger.trace("getWidget by code {}", widgetCode);
@@ -115,7 +115,7 @@ public ResponseEntity<SimpleRestResponse<WidgetDto>> updateWidget(@PathVariable
         return new ResponseEntity<>(new SimpleRestResponse<>(widgetDto), HttpStatus.OK);
     }
 
-    @RestAccessControl(permission = Permission.SUPERUSER)
+    @RestAccessControl(permission = Permission.MANAGE_PAGES)
     @RequestMapping(value = "/widgets", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE, name = "widget")
     public ResponseEntity<SimpleRestResponse<WidgetDto>> addWidget(@Valid @RequestBody WidgetRequest widgetRequest, BindingResult bindingResult) throws ApsSystemException {
         logger.trace("add widget. body {}: ", widgetRequest);

diff --git a/engine/src/test/java/org/entando/entando/web/category/CategoryControllerIntegrationTest.java b/engine/src/test/java/org/entando/entando/web/category/CategoryControllerIntegrationTest.java
@@ -61,7 +61,9 @@ public class CategoryControllerIntegrationTest extends AbstractControllerIntegra
 
     @Test
     public void testGetCategories() throws Exception {
-        UserDetails user = new OAuth2TestUtils.UserBuilder("jack_bauer", "0x24").grantedToRoleAdmin().build();
+        UserDetails user = new OAuth2TestUtils.UserBuilder("jack_bauer", "0x24")
+                .withAuthorization(Group.FREE_GROUP_NAME, "manageCategories", Permission.MANAGE_CATEGORIES)
+                .build();
         String accessToken = mockOAuthInterceptor(user);
         ResultActions result = mockMvc
                 .perform(get("/categories")
@@ -72,7 +74,9 @@ public void testGetCategories() throws Exception {
 
     @Test
     public void testGetValidCategoryTree() throws Exception {
-        UserDetails user = new OAuth2TestUtils.UserBuilder("jack_bauer", "0x24").grantedToRoleAdmin().build();
+        UserDetails user = new OAuth2TestUtils.UserBuilder("jack_bauer", "0x24")
+                .withAuthorization(Group.FREE_GROUP_NAME, "manageCategories", Permission.MANAGE_CATEGORIES)
+                .build();
         String accessToken = mockOAuthInterceptor(user);
         ResultActions result = mockMvc
                 .perform(get("/categories")
@@ -285,9 +289,9 @@ public void testGetPermissionsWithoutPermission() throws Exception {
     }
 
     @Test
-    public void testGetPermissionsWithEnterBackEndPermission() throws Exception {
+    public void testGetPermissionsManageCategoriesPermission() throws Exception {
         UserDetails user = new OAuth2TestUtils.UserBuilder("normal_user", "0x24")
-                .withAuthorization(Group.FREE_GROUP_NAME, "admin", Permission.ENTER_BACKEND).build();
+                .withAuthorization(Group.FREE_GROUP_NAME, "admin", Permission.MANAGE_CATEGORIES).build();
         String accessToken = mockOAuthInterceptor(user);
         this.executeGet("cat1", accessToken, status().isOk());
     }

diff --git a/engine/src/test/java/org/entando/entando/web/category/CategoryControllerTest.java b/engine/src/test/java/org/entando/entando/web/category/CategoryControllerTest.java
@@ -14,6 +14,8 @@
 package org.entando.entando.web.category;
 
 import com.agiletec.aps.system.services.category.CategoryManager;
+import com.agiletec.aps.system.services.group.Group;
+import com.agiletec.aps.system.services.role.Permission;
 import com.agiletec.aps.system.services.user.UserDetails;
 import org.entando.entando.aps.system.services.category.CategoryService;
 import org.entando.entando.web.AbstractControllerTest;
@@ -55,7 +57,9 @@ public void setUp() throws Exception {
 
     @Test
     public void testGetTreeOk() throws Exception {
-        UserDetails user = new OAuth2TestUtils.UserBuilder("jack_bauer", "0x24").grantedToRoleAdmin().build();
+        UserDetails user = new OAuth2TestUtils.UserBuilder("jack_bauer", "0x24")
+                .withAuthorization(Group.FREE_GROUP_NAME, "manageCategories", Permission.MANAGE_CATEGORIES)
+                .build();
         String accessToken = mockOAuthInterceptor(user);
         ResultActions result = mockMvc
                 .perform(get("/categories")
@@ -71,7 +75,9 @@ public void testGetTreeOk() throws Exception {
 
     @Test
     public void testGetCategory() throws Exception {
-        UserDetails user = new OAuth2TestUtils.UserBuilder("jack_bauer", "0x24").grantedToRoleAdmin().build();
+        UserDetails user = new OAuth2TestUtils.UserBuilder("jack_bauer", "0x24")
+                .withAuthorization(Group.FREE_GROUP_NAME, "manageCategories", Permission.MANAGE_CATEGORIES)
+                .build();
         String accessToken = mockOAuthInterceptor(user);
         ResultActions result = mockMvc
                 .perform(get("/categories/{code}", "home")