Check min role on every service
cjmalloy committed Sep 25, 2023
1 parent cce9a75 commit 9645fb7
Showing 4 changed files with 25 additions and 13 deletions.
33 changes: 20 additions & 13 deletions src/main/java/jasper/security/Auth.java
Expand Up @@ -240,7 +240,7 @@ public boolean canReadRef(HasTags ref) {
// In single tenant mods and above can read anything
if (hasRole(MOD) && originSelector(getMultiTenantOrigin()).captures(originSelector(ref.getOrigin()))) return true;
// Min Role
if (!hasRole(props.getMinRole())) return false;
if (!minRole()) return false;
// No tags, only mods can read
if (ref.getTags() == null) return false;
// Add the ref's origin to its tag list
Expand Down Expand Up @@ -286,7 +286,7 @@ public boolean canWriteRef(String url, String origin) {
// Minimum role for writing Refs is USER
if (!hasRole(USER)) return false;
// Min Role
if (!hasRole(props.getMinRole())) return false;
if (!minRole()) return false;
var maybeExisting = refRepository.findOneByUrlAndOrigin(url, origin);
// If we're creating, simply having the role USER is enough
if (maybeExisting.isEmpty()) return true;
Expand All @@ -310,7 +310,7 @@ public boolean canWriteRef(String url, String origin) {
*/
public boolean canSubscribeTo(String destination) {
// Min Role
if (!hasRole(props.getMinRole())) return false;
if (!minRole()) return false;
if (destination == null) return false;
if (destination.startsWith("/topic/tag/")) {
var tag = destination.substring("/topic/tag/".length()).replace('>', '_').replace('<', '+');
Expand All @@ -332,7 +332,7 @@ public boolean canSubscribeTo(String destination) {
*/
public boolean canAddTag(String tag) {
// Min Role
if (!hasRole(props.getMinRole())) return false;
if (!minRole()) return false;
if (hasRole(MOD)) return true;
if (!hasRole(USER)) return false;
if (isPublicTag(tag)) return true;
Expand All @@ -346,7 +346,7 @@ public boolean canAddTag(String tag) {
*/
public boolean canAddTags(List<String> tags) {
// Min Role
if (!hasRole(props.getMinRole())) return false;
if (!minRole()) return false;
if (hasRole(MOD)) return true;
if (!hasRole(USER)) return false;
return tags.stream().allMatch(this::canAddTag);
Expand All @@ -359,7 +359,7 @@ public boolean canTagAll(List<String> tags, String url, String origin) {
// Only writing to the local origin ever permitted
if (!local(origin)) return false;
// Min Role
if (!hasRole(props.getMinRole())) return false;
if (!minRole()) return false;
if (hasRole(MOD)) return true;
if (!hasRole(USER)) return false;
for (var tag : tags) {
Expand All @@ -379,7 +379,7 @@ public boolean canTag(String tag, String url, String origin) {
// Only writing to the local origin ever permitted
if (!local(origin)) return false;
// Min Role
if (!hasRole(props.getMinRole())) return false;
if (!minRole()) return false;
if (hasRole(MOD)) return true;
// Editor has special access to add public tags to Refs they can read
if (hasRole(EDITOR) &&
Expand Down Expand Up @@ -427,7 +427,7 @@ public static boolean isProtectedTag(String tag) {
public boolean canReadTag(String qualifiedTag) {
if (hasRole(SA)) return true;
// Min Role
if (!hasRole(props.getMinRole())) return false;
if (!minRole()) return false;
var qt = qt(qualifiedTag);
// In single tenant mode, non private tags are all readable
// In multi tenant mode, local non private tags are all readable
Expand All @@ -449,7 +449,7 @@ public boolean canWriteTag(String qualifiedTag) {
// Only writing to the local origin ever permitted
if (!local(qt.origin)) return false;
// Min Role
if (!hasRole(props.getMinRole())) return false;
if (!minRole()) return false;
// Mods can write anything in their origin
if (hasRole(MOD)) return true;
// Editors have special access to edit public tag Exts
Expand Down Expand Up @@ -483,7 +483,7 @@ public boolean owns(List<QualifiedTag> qt) {
*/
public boolean canReadQuery(Query filter) {
// Min Role
if (!hasRole(props.getMinRole())) return false;
if (!minRole()) return false;
// Anyone can read the empty query (retrieve all Refs)
if (filter.getQuery() == null) return true;
// Mod
Expand All @@ -499,15 +499,22 @@ public boolean canReadQuery(Query filter) {
}

/**
* Is the user Sysadmin role in multi tenant, Admin in single tenant
* Has the minimum role.
*/
public boolean minRole() {
return hasAnyRole(props.getMinRole());
}

/**
* Is the user Sysadmin role in multi tenant, Admin in single tenant.
*/
public boolean sysAdmin() {
if (props.isMultiTenant()) return hasRole(SA);
return hasRole(ADMIN);
}

/**
* Is the user Sysadmin role in multi tenant, Mod in single tenant
* Is the user Sysadmin role in multi tenant, Mod in single tenant.
*/
public boolean sysMod() {
if (props.isMultiTenant()) return hasRole(SA);
Expand Down Expand Up @@ -814,7 +821,7 @@ public boolean hasAnyAuthority(String... authorities) {
}

public boolean hasRole(String role) {
return hasAnyRole(role);
return minRole() && hasAnyRole(role);
}

public boolean hasAnyRole(String... roles) {
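Review bot: `minRole()` in the hunk at line 499 is now on the path of every `hasRole` call (`return minRole() && hasAnyRole(role);` in the hunk at 814), so it must keep calling `hasAnyRole` directly; routing it through `hasRole` would recurse without bound, and a comment on the return line would protect that invariant: `// must stay hasAnyRole(): hasRole() delegates to minRole()`. What `hasAnyRole(props.getMinRole())` returns when the min-role property is unset or blank is decided inside `hasAnyRole`, whose body lies outside the hunk; since this gate now fronts every authorization decision, a test that pins whether an unset property denies everyone or admits everyone would stop that default from drifting silently. The Javadoc `Has the minimum role.` could also state that `hasRole` short-circuits on it, which makes the explicit `if (!minRole()) return false;` lines in the other hunks defensive duplicates rather than the sole gate.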
2 changes: 2 additions & 0 deletions src/main/java/jasper/service/ExtService.java
Expand Up @@ -97,6 +97,7 @@ public Instant cursor(String origin) {
}

@Transactional(readOnly = true)
@PreAuthorize("@auth.canReadQuery(#filter)")
@Timed(value = "jasper.service", extraTags = {"service", "ext"}, histogram = true)
public Page<ExtDto> page(TagFilter filter, Pageable pageable) {
return extRepository
Expand All @@ -108,6 +109,7 @@ public Page<ExtDto> page(TagFilter filter, Pageable pageable) {
}

@Transactional(readOnly = true)
@PreAuthorize("@auth.canReadQuery(#filter)")
@Timed(value = "jasper.service", extraTags = {"service", "ext"}, histogram = true)
public long count(TagFilter filter) {
return extRepository
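Review bot: The `#filter` argument of the added `@PreAuthorize("@auth.canReadQuery(#filter)")` on `page` and `count` is a `TagFilter`, while the `canReadQuery` visible in the Auth.java hunk at line 483 is declared on `Query`; a mismatch there surfaces only at request time as a SpEL evaluation error rather than at compile time, so a test that calls both methods as a below-min-role user is worth adding, and the same applies to `page` in PluginService.java. `#filter` also depends on the parameter name being available at runtime (class compiled with `-parameters` or debug info); presumably the other guarded services already rely on that, so this is only a point to confirm. `cursor`, whose closing brace opens the first hunk, is outside the visible lines, so whether it carries a guard cannot be told from here.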
1 change: 1 addition & 0 deletions src/main/java/jasper/service/PluginService.java
Expand Up @@ -81,6 +81,7 @@ public Instant cursor(String origin) {
}

@Transactional(readOnly = true)
@PreAuthorize("@auth.canReadQuery(#filter)")
@Timed(value = "jasper.service", extraTags = {"service", "plugin"}, histogram = true)
public Page<PluginDto> page(TagFilter filter, Pageable pageable) {
return pluginRepository
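Review bot: Only `page` receives the guard in this section, whereas the ExtService.java section of the same commit annotates both `page` and `count`; if PluginService also exposes a `count` or other read methods they are outside the hunk and would remain unguarded. Worth a pass over the rest of the class, since the hunk shows a single method.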
2 changes: 2 additions & 0 deletions src/main/java/jasper/service/SmtpService.java
Expand Up @@ -14,6 +14,7 @@
import org.springframework.data.domain.Page;
import org.springframework.data.domain.PageRequest;
import org.springframework.data.domain.Sort;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

import java.time.ZonedDateTime;
Expand Down Expand Up @@ -46,6 +47,7 @@ public class SmtpService {
@Autowired
RefRepository refRepository;

@PreAuthorize("@auth.hasRole('USER')")
@Timed(value = "jasper.service", extraTags = {"service", "smtp"}, histogram = true)
public void create(SmtpWebhookDto email, String origin) {
var ref = smtpToDomain(email);
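Review bot: The added `@PreAuthorize("@auth.hasRole('USER')")` on `create(SmtpWebhookDto email, String origin)` checks the caller's role but not the `origin` argument, whereas the write paths in Auth.java (`canWriteRef(url, origin)`, `canTagAll`) refuse writes outside the local origin with `if (!local(origin)) return false;`. Unless the body enforces that further down, a USER could create a Ref under an arbitrary origin through this entry point; if `local` is reachable from SpEL, `@PreAuthorize("@auth.hasRole('USER') and @auth.local(#origin)")` would align it with the other writers, otherwise the check belongs in the method body before the converted Ref is persisted. `create`'s body continues past the hunk, so any existing origin check lower in the method is not visible from here.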
