#179 tightened condition for an editor to change the institution key …

…of a collection
gbif · Jun 16, 2020 · 0eb5f68 · 0eb5f68
1 parent 36851b7
commit 0eb5f68
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 3 deletions.
diff --git a/...c/main/java/org/gbif/registry/security/grscicoll/GrSciCollEditorAuthorizationService.java b/...c/main/java/org/gbif/registry/security/grscicoll/GrSciCollEditorAuthorizationService.java
@@ -92,8 +92,10 @@ public boolean allowedToUpdateCollection(
     if (collectionInMessageBody != null
         && !persistedInstitutionKey.equals(collectionInMessageBody.getInstitutionKey())) {
       // check if the user has permissions in the new institution
-      return userRightsMapper.keyExistsForUser(
-          username, collectionInMessageBody.getInstitutionKey());
+      if (!userRightsMapper.keyExistsForUser(
+          username, collectionInMessageBody.getInstitutionKey())) {
+        return false;
+      }
     }
 
     // check permissions in the collection

diff --git a/...est/java/org/gbif/registry/security/grscicoll/GrSciCollEditorAuthorizationFilterTest.java b/...est/java/org/gbif/registry/security/grscicoll/GrSciCollEditorAuthorizationFilterTest.java
@@ -449,7 +449,7 @@ public void updateCollectionAsEditorWithNoRightsTest() {
   }
 
   @Test
-  public void changeInstitutionKeyInCollectionAsEditorTest() {
+  public void changeInstitutionKeyInCollectionAsEditorWithNoRightsTest() {
     // GIVEN
     when(mockAuthenticationFacade.getAuthentication()).thenReturn(mockAuthentication);
     when(mockRequest.getRequestURI()).thenReturn("/grscicoll/collection/" + COLL_KEY);
@@ -465,8 +465,38 @@ public void changeInstitutionKeyInCollectionAsEditorTest() {
 
     // we return the old institution key in the mapepr
     doReturn(INST_KEY).when(mockCollectionMapper).getInstitutionKey(COLL_KEY);
+    doReturn(true).when(mockUserRightsMapper).keyExistsForUser(USERNAME, anotherInstKey);
     doReturn(false).when(mockUserRightsMapper).keyExistsForUser(USERNAME, COLL_KEY);
+
+    // WHEN
+    WebApplicationException ex =
+        assertThrows(
+            WebApplicationException.class,
+            () -> filter.doFilter(mockRequest, mockResponse, mockFilterChain));
+
+    // THEN
+    assertEquals(HttpStatus.FORBIDDEN.value(), ex.getStatus());
+  }
+
+  @Test
+  public void changeInstitutionKeyInCollectionAsEditorWithRightsTest() {
+    // GIVEN
+    when(mockAuthenticationFacade.getAuthentication()).thenReturn(mockAuthentication);
+    when(mockRequest.getRequestURI()).thenReturn("/grscicoll/collection/" + COLL_KEY);
+    when(mockRequest.getMethod()).thenReturn("PUT");
+
+    // the institution key is changed in the update
+    UUID anotherInstKey = UUID.randomUUID();
+    when(mockRequest.getContent())
+        .thenReturn(
+            "{\"key\": \"" + COLL_KEY + "\", \"institutionKey\": \"" + anotherInstKey + "\"}");
+    when(mockAuthentication.getName()).thenReturn(USERNAME);
+    doReturn(ROLES_GRSCICOLL_EDITOR_ONLY).when(mockAuthentication).getAuthorities();
+
+    // we return the old institution key in the mapepr
+    doReturn(INST_KEY).when(mockCollectionMapper).getInstitutionKey(COLL_KEY);
     doReturn(true).when(mockUserRightsMapper).keyExistsForUser(USERNAME, anotherInstKey);
+    doReturn(true).when(mockUserRightsMapper).keyExistsForUser(USERNAME, COLL_KEY);
 
     // WHEN, THEN
     assertDoesNotThrow(() -> filter.doFilter(mockRequest, mockResponse, mockFilterChain));