Fixed permissions control on delete attachment

socialappslab · Oct 19, 2017 · 53aa87c · 53aa87c
1 parent fcb99f7
commit 53aa87c
Showing 1 changed file with 6 additions and 7 deletions.
diff --git a/app/controllers/Spaces.java b/app/controllers/Spaces.java
@@ -64,6 +64,7 @@
 import play.mvc.With;
 import play.twirl.api.Content;
 import security.SecurityModelConstants;
+import service.PlayAuthenticateLocal;
 import utils.GlobalData;
 import utils.LogActions;
 import be.objectify.deadbolt.java.actions.Dynamic;
@@ -2423,19 +2424,14 @@ public static Result deleteSpaceTheme(@ApiParam(name = "sid", value = "Space ID"
     @ApiResponses(value = { @ApiResponse(code = 404, message = "No Resource found", response = TransferResponseStatus.class) })
     @ApiImplicitParams({
             @ApiImplicitParam(name = "SESSION_KEY", value = "User's session authentication key", dataType = "String", paramType = "header") })
+    @Dynamic(value = "CoordinatorOfSpace", meta = SecurityModelConstants.SPACE_RESOURCE_PATH)
     public static Result deleteSpaceResource(@ApiParam(name = "sid", value = "Space ID") Long sid,
                                           @ApiParam(name = "rid", value = "Resource ID") Long rid) {
         ResourceSpace resourceSpace = ResourceSpace.findByResource(sid, rid);
         if (resourceSpace == null) {
             return notFound(Json
                     .toJson(new TransferResponseStatus("No resource space found with id "+sid)));
         } else {
-            User author = User.findByAuthUserIdentity(PlayAuthenticate.getUser(session()));
-            if(!ResourceSpace.isCoordinatorResourceSpace(author,resourceSpace)){
-                return unauthorized(Json.toJson(new TransferResponseStatus(
-                        ResponseStatus.UNAUTHORIZED,
-                        "User unauthorized")));
-            }
             Resource resource = Resource.read(rid);
             if (resource == null) {
                 return notFound(Json
@@ -2445,7 +2441,10 @@ public static Result deleteSpaceResource(@ApiParam(name = "sid", value = "Space
             resourceSpace.update();
             resourceSpace.refresh();
             ResourceSpaceAssociationHistory.createAssociationHistory(resourceSpace,ResourceSpaceAssociationTypes.RESOURCE,resource.getResourceId());
-            return ok(Json.toJson(resourceSpace.getResources()));
+            TransferResponseStatus response = new TransferResponseStatus();
+            response.setResponseStatus(ResponseStatus.OK);
+            response.setStatusMessage("Resource deleted:" +rid);
+            return ok(Json.toJson(response));
         }
     }