Remove permission check
JanisSaldabols committed Nov 23, 2023
1 parent ed23f44 commit a724934
Showing 5 changed files with 6 additions and 95 deletions.
2 changes: 1 addition & 1 deletion pom.xml
@@ -2,7 +2,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.folio</groupId>
<artifactId>mod-batch-print</artifactId>
<version>1.1.0-SNAPSHOT</version>
<version>1.0.0-SNAPSHOT</version>
<packaging>jar</packaging>

<name>mod-batch-print</name>
@@ -37,8 +37,8 @@ public Future<Router> createRouter(Vertx vertx) {

private void process(RoutingContext ctx, Vertx vertx) {
String tenant = ctx.request().getHeader(XOkapiHeaders.TENANT);
JsonArray permissions = new JsonArray(ctx.request().getHeader(XOkapiHeaders.PERMISSIONS));
PrintStorage printStorage = new PrintStorage(vertx, tenant, permissions);
LOGGER.debug("process:: tenant " + tenant);
PrintStorage printStorage = new PrintStorage(vertx, tenant);
LocalDateTime localDateTime = LocalDateTime.now().with(LocalTime.MIDNIGHT);

printStorage.getEntriesByQuery("type=\"SINGLE\" and created > " + localDateTime
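Review bot: `tenant` is taken straight from the X-Okapi-Tenant request header and is now the only input that selects the storage in `new PrintStorage(vertx, tenant)`, yet it is neither null-checked nor validated first; `getHeader` returns null when the header is absent. A guard before the constructor call, for example `if (tenant == null || tenant.isBlank()) { ctx.fail(400); return; }`, would make that case explicit; adapt it to however this handler reports errors, which the hunk does not show. The added `LOGGER.debug("process:: tenant " + tenant);` also builds the string even when debug logging is off; if LOGGER supports placeholders (its type is not visible here), `LOGGER.debug("process:: tenant {}", tenant);` is the usual form. process() continues below the hunk.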
@@ -118,12 +118,8 @@ private void handlers(RouterBuilder routerBuilder) {
static PrintStorage createFromParams(Vertx vertx, RequestParameters params) {
// get tenant
RequestParameter tenantParameter = params.headerParameter(XOkapiHeaders.TENANT);
String tenant = tenantParameter.getString();

// get permissions which is required in OpenAPI spec
RequestParameter okapiPermissions = params.headerParameter(XOkapiHeaders.PERMISSIONS);
JsonArray permissions = new JsonArray(okapiPermissions.getString());
return new PrintStorage(vertx, tenant, permissions);
return new PrintStorage(vertx, tenantParameter.getString());
}

public static PrintStorage create(RoutingContext ctx) {
@@ -220,7 +216,7 @@ public Future<Void> postInit(Vertx vertx, String tenant, JsonObject tenantAttrib
if (!tenantAttributes.containsKey("module_to")) {
return Future.succeededFuture(); // doing nothing for disable
}
PrintStorage storage = new PrintStorage(vertx, tenant, null);
PrintStorage storage = new PrintStorage(vertx, tenant);
return storage.init();
}

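Review bot: The comment removed from `createFromParams` says X-Okapi-Permissions "is required in OpenAPI spec", and none of the five files in this commit looks like the spec, so the header is presumably still declared as required while the code no longer reads it. Clients would then have to send a header that has no effect, which is misleading for anyone auditing the module's access model; either drop the parameter from the spec in the same change or state here that it is intentionally ignored. The leftover `// get tenant` comment could carry that, e.g. `// tenant only; X-Okapi-Permissions is no longer evaluated by this module`.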
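--- a/src/main/java/org/folio/print/server/storage/PrintStorage.java
+++ b/src/main/java/org/folio/print/server/storage/PrintStorage.java
@@ -48,19 +48,15 @@ public class PrintStorage {
 
 private final String printTable;
 
-private final JsonArray permissions;
-
 
 /**
 * Construct storage request for a user with given okapi permissions.
 *
 * @param vertx Vert.x handle
 * @param tenant tenant
-* @param permissions permissions as it comes from X-Okapi-Permissions
 */
-public PrintStorage(Vertx vertx, String tenant, JsonArray permissions) {
+public PrintStorage(Vertx vertx, String tenant) {
 this.pool = TenantPgPool.pool(vertx, tenant);
-this.permissions = permissions;
 this.printTable = pool.getSchema() + ".printing";
 }
 
@@ -81,17 +77,6 @@ public Future<Void> init() {
 ));
 }
 
-/**
-* Checks if access is allowed.
-*
-* @param type read/write value
-* @param permissions permissions given at runtime
-* @return true if access is OK; false otherwise (forbidden)
-*/
-static boolean checkDesiredPermissions(String type, JsonArray permissions) {
-return permissions.contains(PERM_PREFIX + "." + PERM_PRINT + "." + type);
-}
-
 PrintEntry fromRow(Row row) {
 PrintEntry entry = new PrintEntry();
 entry.setId(row.getUUID("id"));
@@ -109,9 +94,6 @@ PrintEntry fromRow(Row row) {
 * @return async result with success if created; failed otherwise
 */
 public Future<Void> createEntry(PrintEntry entry) {
-if (!checkDesiredPermissions(PERM_WRITE, permissions)) {
-return Future.failedFuture(new ForbiddenException());
-}
 return pool.preparedQuery(
 "INSERT INTO " + printTable
 + " (id, created, type, sorting_field, content)"
@@ -144,9 +126,6 @@ public Future<PrintEntry> getEntry(UUID id) {
 if (entry == null) {
 throw new NotFoundException();
 }
-if (!checkDesiredPermissions(PERM_READ, permissions)) {
-throw new ForbiddenException();
-}
 return entry;
 });
 }
@@ -175,9 +154,6 @@ public Future<Void> deleteEntry(UUID id) {
 if (entry == null) {
 return Future.failedFuture(new NotFoundException());
 }
-if (!checkDesiredPermissions(PERM_WRITE, permissions)) {
-return Future.failedFuture(new ForbiddenException());
-}
 return pool.preparedQuery(
 "DELETE FROM " + printTable + " WHERE id = $1")
 .execute(Tuple.of(id))
@@ -197,9 +173,6 @@ public Future<Void> deleteEntry(UUID id) {
 * @return async result with success if created; failed otherwise
 */
 public Future<Void> updateEntry(PrintEntry entry) {
-if (!checkDesiredPermissions(PERM_WRITE, permissions)) {
-return Future.failedFuture(new ForbiddenException());
-}
 return pool.preparedQuery(
 "UPDATE " + printTable
 + " SET created = $2, type = $3, sorting_field = $4, content = $5"
@@ -235,9 +208,6 @@ public Future<Void> updateEntry(PrintEntry entry) {
 */
 public Future<Void> getEntries(HttpServerResponse response, String cqlQuery,
 int offset, int limit) {
-if (!checkDesiredPermissions(PERM_READ, permissions)) {
-return Future.failedFuture(new ForbiddenException());
-}
 
 Pair<String, String> sqlQuery = createSqlQuery(cqlQuery, offset, limit);
 String countQuery = "SELECT COUNT(*) FROM " + sqlQuery.getRight();
@@ -317,9 +287,6 @@ void resultFooter(HttpServerResponse response, RowSet<Row> rowSet, String diagno
 * @return Result list
 */
 public Future<List<PrintEntry>> getEntriesByQuery(String cqlQuery, int offset, int limit) {
-if (!checkDesiredPermissions(PERM_READ, permissions)) {
-return Future.failedFuture(new ForbiddenException());
-}
 
 Pair<String, String> sqlQuery = createSqlQuery(cqlQuery, offset, limit);
 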
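Review bot: Authorization is no longer enforced anywhere in this class: with `checkDesiredPermissions` and every call to it removed, `createEntry`, `getEntry`, `deleteEntry`, `updateEntry`, `getEntries` and `getEntriesByQuery` serve any caller that reaches the module with a tenant header. Nothing in this commit shows where the check now lives, so it is presumably delegated to the gateway's required-permissions handling; that should be confirmed in the module descriptor (not part of this diff), together with the assumption that the module cannot be reached other than through the gateway. The constructor Javadoc still opens with "Construct storage request for a user with given okapi permissions", which is no longer accurate; something like `Construct storage for the given tenant; no permission checks are performed at this layer.` would document the new trust boundary. The same commit also deletes `testMissingPermissions` from MainVerticleTest, so the 403 behaviour is no longer covered by any test visible here.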
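--- a/src/test/java/org/folio/print/server/main/MainVerticleTest.java
+++ b/src/test/java/org/folio/print/server/main/MainVerticleTest.java
@@ -188,58 +188,6 @@ public void testPostBodyTooBig() {
 .body(is("Request Entity Too Large"));
 }
 
-@Test
-public void testMissingPermissions() {
-PrintEntry entry = new PrintEntry();
-entry.setContent("AA");
-entry.setCreated(ZonedDateTime.now().withZoneSameInstant(ZoneOffset.UTC));
-entry.setId(UUID.randomUUID());
-entry.setType(PrintEntryType.SINGLE);
-
-JsonObject en = JsonObject.mapFrom(entry);
-
-RestAssured.given()
-.header(XOkapiHeaders.TENANT, TENANT_1)
-.header(XOkapiHeaders.PERMISSIONS, permRead.encode())
-.contentType(ContentType.JSON)
-.body(en.encode())
-.post("/print/entries")
-.then()
-.statusCode(403);
-
-RestAssured.given()
-.header(XOkapiHeaders.TENANT, TENANT_1)
-.header(XOkapiHeaders.PERMISSIONS, permRead.encode())
-.contentType(ContentType.JSON)
-.body(en.encode())
-.put("/print/entries/" + en.getString("id"))
-.then()
-.statusCode(403);
-
-RestAssured.given()
-.header(XOkapiHeaders.TENANT, TENANT_1)
-.header(XOkapiHeaders.PERMISSIONS, permWrite.encode())
-.contentType(ContentType.JSON)
-.body(en.encode())
-.post("/print/entries")
-.then()
-.statusCode(204);
-
-RestAssured.given()
-.header(XOkapiHeaders.TENANT, TENANT_1)
-.header(XOkapiHeaders.PERMISSIONS, permWrite.encode())
-.get("/print/entries/" + en.getString("id"))
-.then()
-.statusCode(403);
-
-RestAssured.given()
-.header(XOkapiHeaders.TENANT, TENANT_1)
-.header(XOkapiHeaders.PERMISSIONS, permRead.encode())
-.delete("/print/entries/" + en.getString("id"))
-.then()
-.statusCode(403);
-}
-
 @Test
 public void testNotFound() {
 PrintEntry entry = new PrintEntry();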
