hiding proposer email for users without rights to edit

gbif · May 27, 2021 · f3794af · f3794af
1 parent 4d786c3
commit f3794af
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 13 deletions.
diff --git a/...rg/gbif/registry/ws/it/collections/service/suggestions/BaseChangeSuggestionServiceIT.java b/...rg/gbif/registry/ws/it/collections/service/suggestions/BaseChangeSuggestionServiceIT.java
@@ -30,6 +30,7 @@
 import org.gbif.api.model.registry.LenientEquals;
 import org.gbif.api.service.collections.CrudService;
 import org.gbif.api.vocabulary.Country;
+import org.gbif.api.vocabulary.UserRole;
 import org.gbif.registry.database.TestCaseDatabaseInitializer;
 import org.gbif.registry.ws.it.collections.service.BaseServiceIT;
 import org.gbif.ws.client.filter.SimplePrincipalProvider;
@@ -126,7 +127,7 @@ public void newEntitySuggestionTest() {
   }
 
   @Test
-  public void changeInstitutionSuggestionTest() {
+  public void updateEntityChangeSuggestionTest() {
     // State
     T entity = createEntity();
 
@@ -179,9 +180,6 @@ public void changeInstitutionSuggestionTest() {
     assertEquals(Status.APPLIED, suggestion.getStatus());
     assertNotNull(suggestion.getApplied());
     assertNotNull(suggestion.getAppliedBy());
-
-    T appliedEntity = crudService.get(entityKey);
-    assertTrue(appliedEntity.lenientEquals(suggestion.getSuggestedEntity()));
   }
 
   @Test
@@ -334,6 +332,12 @@ public void listTest() {
     // Then
     assertEquals(0, results.getResults().size());
     assertEquals(0, results.getCount());
+
+    // When - user with no rights can't see the proposer email
+    resetSecurityContext("user", UserRole.USER);
+    results = changeSuggestionService.list(null, null, null, null, entity2Key, DEFAULT_PAGE);
+    // Then
+    assertTrue(results.getResults().stream().allMatch(v -> v.getProposerEmail() == null));
   }
 
   @Test

diff --git a/...c/main/java/org/gbif/registry/security/grscicoll/GrSciCollEditorAuthorizationService.java b/...c/main/java/org/gbif/registry/security/grscicoll/GrSciCollEditorAuthorizationService.java
@@ -17,9 +17,7 @@
 
 import org.gbif.api.model.collections.Collection;
 import org.gbif.api.model.collections.suggestions.Type;
-import org.gbif.api.model.registry.Identifier;
 import org.gbif.api.model.registry.MachineTag;
-import org.gbif.api.vocabulary.IdentifierType;
 import org.gbif.registry.domain.collections.Constants;
 import org.gbif.registry.persistence.mapper.UserRightsMapper;
 import org.gbif.registry.persistence.mapper.collections.ChangeSuggestionMapper;
@@ -177,7 +175,8 @@ public boolean allowedToUpdateChangeSuggestion(int key, String entityType, Strin
     } else if (changeSuggestion.getType() == Type.UPDATE
         || changeSuggestion.getType() == Type.DELETE) {
       Collection entity = null;
-      if (COLLECTION.equalsIgnoreCase(entityType)) {
+      if (COLLECTION.equalsIgnoreCase(entityType)
+          && changeSuggestion.getSuggestedEntity() != null) {
         try {
           entity = objectMapper.readValue(changeSuggestion.getSuggestedEntity(), Collection.class);
         } catch (JsonProcessingException e) {

diff --git a/...n/java/org/gbif/registry/service/collections/suggestions/BaseChangeSuggestionService.java b/...n/java/org/gbif/registry/service/collections/suggestions/BaseChangeSuggestionService.java
@@ -30,6 +30,8 @@
 import org.gbif.registry.persistence.mapper.collections.ChangeSuggestionMapper;
 import org.gbif.registry.persistence.mapper.collections.dto.ChangeDto;
 import org.gbif.registry.persistence.mapper.collections.dto.ChangeSuggestionDto;
+import org.gbif.registry.security.SecurityContextCheck;
+import org.gbif.registry.security.grscicoll.GrSciCollEditorAuthorizationService;
 import org.gbif.registry.service.collections.merge.MergeService;
 
 import java.lang.reflect.Field;
@@ -93,6 +95,7 @@ public abstract class BaseChangeSuggestionService<
   private final EmailSender emailSender;
   private final CollectionsEmailManager emailManager;
   private final EventManager eventManager;
+  private final GrSciCollEditorAuthorizationService grSciCollEditorAuthorizationService;
   private CollectionEntityType collectionEntityType;
 
   protected BaseChangeSuggestionService(
@@ -103,7 +106,8 @@ protected BaseChangeSuggestionService(
       ObjectMapper objectMapper,
       EmailSender emailSender,
       CollectionsEmailManager emailManager,
-      EventManager eventManager) {
+      EventManager eventManager,
+      GrSciCollEditorAuthorizationService grSciCollEditorAuthorizationService) {
     this.changeSuggestionMapper = changeSuggestionMapper;
     this.mergeService = mergeService;
     this.crudService = crudService;
@@ -112,6 +116,7 @@ protected BaseChangeSuggestionService(
     this.emailSender = emailSender;
     this.emailManager = emailManager;
     this.eventManager = eventManager;
+    this.grSciCollEditorAuthorizationService = grSciCollEditorAuthorizationService;
 
     if (clazz == Institution.class) {
       collectionEntityType = CollectionEntityType.INSTITUTION;
@@ -433,9 +438,13 @@ protected R dtoToChangeSuggestion(ChangeSuggestionDto dto) {
     suggestion.setModifiedBy(dto.getModifiedBy());
     suggestion.setProposed(dto.getProposed());
     suggestion.setProposedBy(dto.getProposedBy());
-    suggestion.setProposerEmail(dto.getProposerEmail());
     suggestion.setMergeTargetKey(dto.getMergeTargetKey());
 
+    // we only show the proposer email for users with the right permissions (data protection)
+    if (hasRightsToSeeProposerEmail(dto)) {
+      suggestion.setProposerEmail(dto.getProposerEmail());
+    }
+
     // changes conversion
     suggestion.setChanges(
         dto.getChanges().stream()
@@ -497,6 +506,13 @@ protected String toJson(T entity) {
     }
   }
 
+  protected boolean hasRightsToSeeProposerEmail(ChangeSuggestionDto dto) {
+    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+    return SecurityContextCheck.checkUserInRole(authentication, GRSCICOLL_ADMIN_ROLE)
+        || grSciCollEditorAuthorizationService.allowedToUpdateChangeSuggestion(
+            dto.getKey(), dto.getEntityType().name().toLowerCase(), getUsername());
+  }
+
   protected abstract R newEmptyChangeSuggestion();
 
   protected abstract ChangeSuggestionDto createConvertToCollectionSuggestionDto(R changeSuggestion);

diff --git a/.../org/gbif/registry/service/collections/suggestions/CollectionChangeSuggestionService.java b/.../org/gbif/registry/service/collections/suggestions/CollectionChangeSuggestionService.java
@@ -9,6 +9,7 @@
 import org.gbif.registry.mail.collections.CollectionsEmailManager;
 import org.gbif.registry.persistence.mapper.collections.ChangeSuggestionMapper;
 import org.gbif.registry.persistence.mapper.collections.dto.ChangeSuggestionDto;
+import org.gbif.registry.security.grscicoll.GrSciCollEditorAuthorizationService;
 import org.gbif.registry.service.collections.merge.CollectionMergeService;
 
 import java.util.UUID;
@@ -34,7 +35,8 @@ public CollectionChangeSuggestionService(
       ObjectMapper objectMapper,
       EmailSender emailSender,
       CollectionsEmailManager emailManager,
-      EventManager eventManager) {
+      EventManager eventManager,
+      GrSciCollEditorAuthorizationService grSciCollEditorAuthorizationService) {
     super(
         changeSuggestionMapper,
         collectionMergeService,
@@ -43,7 +45,8 @@ public CollectionChangeSuggestionService(
         objectMapper,
         emailSender,
         emailManager,
-        eventManager);
+        eventManager,
+        grSciCollEditorAuthorizationService);
     this.changeSuggestionMapper = changeSuggestionMapper;
   }
 

diff --git a/...org/gbif/registry/service/collections/suggestions/InstitutionChangeSuggestionService.java b/...org/gbif/registry/service/collections/suggestions/InstitutionChangeSuggestionService.java
@@ -10,6 +10,7 @@
 import org.gbif.registry.mail.collections.CollectionsEmailManager;
 import org.gbif.registry.persistence.mapper.collections.ChangeSuggestionMapper;
 import org.gbif.registry.persistence.mapper.collections.dto.ChangeSuggestionDto;
+import org.gbif.registry.security.grscicoll.GrSciCollEditorAuthorizationService;
 import org.gbif.registry.service.collections.merge.InstitutionMergeService;
 
 import java.util.UUID;
@@ -44,7 +45,8 @@ public InstitutionChangeSuggestionService(
       ObjectMapper objectMapper,
       EmailSender emailSender,
       CollectionsEmailManager emailManager,
-      EventManager eventManager) {
+      EventManager eventManager,
+      GrSciCollEditorAuthorizationService grSciCollEditorAuthorizationService) {
     super(
         changeSuggestionMapper,
         institutionMergeService,
@@ -53,7 +55,8 @@ public InstitutionChangeSuggestionService(
         objectMapper,
         emailSender,
         emailManager,
-        eventManager);
+        eventManager,
+        grSciCollEditorAuthorizationService);
     this.changeSuggestionMapper = changeSuggestionMapper;
     this.institutionService = institutionService;
     this.institutionMergeService = institutionMergeService;