Removed admin & owner restriction on client info access.
Removed registered_by and restricted registration_date to admin/owner-
only.
Change-Id: Ib909ec3b30d6f15294ee7ac58e4b33e445b434a9
diff --git a/Changes b/Changes
index ab9d68f..391066a 100644
--- a/Changes
+++ b/Changes
@@ -1,3 +1,9 @@
+# version 0.74 hot-fix
+
+- Removed admin & owner restriction on client info access.
+- Removed registered_by and restrict registration_date to admin/owner-
+ only.
+
# version 0.74
- Remove corpusQuery param in the statistics web-service (close #758).
diff --git a/src/main/java/de/ids_mannheim/korap/oauth2/dto/OAuth2ClientInfoDto.java b/src/main/java/de/ids_mannheim/korap/oauth2/dto/OAuth2ClientInfoDto.java
index 6f45900..0fca60a 100644
--- a/src/main/java/de/ids_mannheim/korap/oauth2/dto/OAuth2ClientInfoDto.java
+++ b/src/main/java/de/ids_mannheim/korap/oauth2/dto/OAuth2ClientInfoDto.java
@@ -47,10 +47,6 @@
private boolean isPermitted;
private JsonNode source;
- public OAuth2ClientInfoDto (OAuth2Client client) throws KustvaktException {
- this(client,true);
- }
-
public OAuth2ClientInfoDto (OAuth2Client client, boolean showAllInfo) throws KustvaktException {
this.setClientId(client.getId());
this.setClientName(client.getName());
@@ -65,7 +61,7 @@
if (showAllInfo) {
this.setSuper(client.isSuper());
this.setRedirect_uri(client.getRedirectURI());
- this.setRegisteredBy(client.getRegisteredBy());
+// this.setRegisteredBy(client.getRegisteredBy());
ZonedDateTime registrationDate = client.getRegistrationDate();
if (registrationDate != null) {
this.setRegistrationDate(registrationDate.toString());
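Review bot: The `// this.setRegisteredBy(client.getRegisteredBy());` line should be deleted rather than commented out, and the same goes for the getter/setter pair kept as comments in the next hunk; version control holds the history, and commented-out code tends to be revived later without review. If the `registeredBy` field declaration (above this hunk, not visible here) is still present, confirm that the JSON mapper does not continue to emit `registered_by` with a null value, because the tests in this commit only comment out their assertion on that key instead of asserting it is absent. The constructor this hunk belongs to starts in the previous hunk and ends outside this one.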
@@ -93,13 +89,13 @@
this.isSuper = isSuper;
}
- public String getRegisteredBy () {
- return registeredBy;
- }
-
- public void setRegisteredBy (String registeredBy) {
- this.registeredBy = registeredBy;
- }
+// public String getRegisteredBy () {
+// return registeredBy;
+// }
+//
+// public void setRegisteredBy (String registeredBy) {
+// this.registeredBy = registeredBy;
+// }
public String getClientId () {
return clientId;
diff --git a/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java b/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java
index d6feae2..ed68d5d 100644
--- a/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java
+++ b/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java
@@ -341,22 +341,23 @@
return clientDao.retrieveClientById(clientId);
}
+ // client info is available for all users but only via super client
public OAuth2ClientInfoDto retrieveClientInfo (String clientId, String username)
throws KustvaktException {
OAuth2Client client = clientDao.retrieveClientById(clientId);
- // all client info is only available to the owner/admin
- if (adminDao.isAdmin(username)
- || username.equals(client.getRegisteredBy())) {
- return new OAuth2ClientInfoDto(client);
+ boolean showAllInfo = false;
+ if (isPlugin(client)) {
+ return new OAuth2ClientInfoDto(client, showAllInfo);
}
- // plugin info is available for all users inclusive guest
- else if (isPlugin(client)) {
- return new OAuth2ClientInfoDto(client, false);
- }
else {
- throw new KustvaktException(StatusCodes.AUTHORIZATION_FAILED,
- "Unauthorized operation for user: " + username, username);
+ if (client.getRegisteredBy().equals(username) ||
+ adminDao.isAdmin(username)) {
+ showAllInfo = true;
+ }
+ return new OAuth2ClientInfoDto(client, showAllInfo);
+// throw new KustvaktException(StatusCodes.AUTHORIZATION_FAILED,
+// "Unauthorized operation for user: " + username, username);
}
}
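Review bot: The owner check `client.getRegisteredBy().equals(username)` dereferences the stored registrant, so a client whose registered_by is null turns into a NullPointerException (and a 500) instead of the reduced view, and if guests reach this branch with a null username, as the removed comment about guests suggests they can, `adminDao.isAdmin(username)` may have the same problem. Put the admin check first and null-guard the caller: `if (adminDao.isAdmin(username) || (username != null && username.equals(client.getRegisteredBy()))) {`. The commented-out throw at the end of the else branch should be removed outright. The new comment says the info is reachable "only via super client", but nothing in this hunk enforces that, so it presumably refers to a check made by the caller; naming where that check lives would make the comment verifiable.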
diff --git a/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java b/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
index 20179fb..9cc459f 100644
--- a/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
+++ b/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
@@ -67,7 +67,7 @@
assertNotNull(clientInfo.at("/client_description"));
assertNotNull(clientInfo.at("/client_url"));
assertEquals("PUBLIC", clientInfo.at("/client_type").asText());
- assertEquals("system", clientInfo.at("/registered_by").asText());
+// assertEquals("system", clientInfo.at("/registered_by").asText());
// confidential client
clientInfo = retrieveClientInfo(confidentialClientId, "system");
assertEquals(confidentialClientId,
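Review bot: Commenting out the `registered_by` assertion leaves the test silent on exactly what the change removes; replace it with `assertTrue(clientInfo.at("/registered_by").isMissingNode());` so a regression that reintroduces the field is caught, and do the same in the listUserClients hunk below and in the two OAuth2TestBase hunks, all of which also keep the old assertion as a comment instead of deleting it. In OAuth2TestBase the `registration_date` check is commented out as well, yet that request appears to be made as the registering user (the removed line just above it asserted `username` equals `registered_by`), for whom the commit message says the date stays visible; if so, the assertion should stay and be strengthened to `assertFalse(clientInfo.at("/registration_date").isMissingNode());`, since `assertNotNull` on a `JsonNode.at(...)` result never fails (a missing path yields a MissingNode, not null). The enclosing test methods start outside these hunks.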
@@ -295,8 +295,8 @@
node = listUserClients(username);
assertFalse(node.at("/0/client_redirect_uri").isMissingNode());
assertFalse(node.at("/0/registration_date").isMissingNode());
- assertEquals(username,
- node.at("/0/registered_by").asText());
+// assertEquals(username,
+// node.at("/0/registered_by").asText());
testRegisterClientUnauthorizedScope(clientId);
testResetPublicClientSecret(clientId);
diff --git a/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2TestBase.java b/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2TestBase.java
index 4ce03d1..ba7d57d 100644
--- a/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2TestBase.java
+++ b/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2TestBase.java
@@ -315,7 +315,7 @@
clientInfo.at("/client_name").asText());
assertEquals(OAuth2ClientType.CONFIDENTIAL.name(),
clientInfo.at("/client_type").asText());
- assertEquals(username, clientInfo.at("/registered_by").asText());
+// assertEquals(username, clientInfo.at("/registered_by").asText());
assertEquals(clientURL, clientInfo.at("/client_url").asText());
assertEquals(clientRedirectUri,
clientInfo.at("/client_redirect_uri").asText());
@@ -323,7 +323,7 @@
assertEquals(defaultRefreshTokenExpiry,
clientInfo.at("/refresh_token_expiry").asInt());
assertNotNull(clientInfo.at("/description"));
- assertNotNull(clientInfo.at("/registration_date"));
+// assertNotNull(clientInfo.at("/registration_date"));
assertTrue(clientInfo.at("/permitted").asBoolean());
assertTrue(clientInfo.at("/source").isMissingNode());