Restricts the field retrieval web-service to admin only.
Change-Id: I2a623b5cc070f846cc900a511bf7688b4c9fb323
diff --git a/full/Changes b/full/Changes
index 5099dbb..bce8bd0 100644
--- a/full/Changes
+++ b/full/Changes
@@ -1,5 +1,7 @@
# version 0.65.1
+2022-03-01
+ - Restricts the field retrieval web-service to admin only.
# version 0.65
diff --git a/full/src/main/java/de/ids_mannheim/korap/service/QueryService.java b/full/src/main/java/de/ids_mannheim/korap/service/QueryService.java
index 7e042f1..3bda7f3 100644
--- a/full/src/main/java/de/ids_mannheim/korap/service/QueryService.java
+++ b/full/src/main/java/de/ids_mannheim/korap/service/QueryService.java
@@ -626,6 +626,12 @@
public JsonNode retrieveFieldValues (String username, String queryName,
String createdBy, QueryType queryType, String fieldName)
throws KustvaktException {
+
+ if (!adminDao.isAdmin(username)) {
+ throw new KustvaktException(StatusCodes.AUTHORIZATION_FAILED,
+ "Unauthorized operation for user: " + username, username);
+ }
+
if (fieldName.equals("tokens") || fieldName.equals("base")) {
throw new KustvaktException(StatusCodes.NOT_ALLOWED,
"Retrieving values of field "+fieldName+" is not allowed.");
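Review bot: The new admin gate at the top of retrieveFieldValues is undocumented, and since it duplicates the scope check the controller already performs, a reader will wonder which layer is authoritative; a short comment on the new `if` would settle it, e.g. `// Service-level gate: field values are admin-only regardless of which controller or auth scheme reaches this method (the OAuth2 scope check in the controller is not enough on its own).` The method's Javadoc is outside the hunk, so its `@throws KustvaktException` text presumably still does not mention AUTHORIZATION_FAILED for non-admin callers and should be extended alongside. The denial is not recorded anywhere visible here; if the service has a logger, a single info/warn line at the throw site would give operators a signal for repeated attempts on this endpoint. retrieveFieldValues continues past the hunk.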
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/VirtualCorpusController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/VirtualCorpusController.java
index 31a2c19..bc3c06f 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/VirtualCorpusController.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/VirtualCorpusController.java
@@ -184,7 +184,7 @@
TokenContext context =
(TokenContext) securityContext.getUserPrincipal();
try {
- scopeService.verifyScope(context, OAuth2Scope.VC_INFO);
+ scopeService.verifyScope(context, OAuth2Scope.ADMIN);
return service.retrieveFieldValues(context.getUsername(), vcName,
createdBy, QueryType.VIRTUAL_CORPUS, fieldName);
}
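Review bot: Switching the scope to OAuth2Scope.ADMIN changes the endpoint's contract for every OAuth2 client that previously held VC_INFO, but nothing in this hunk records that; a comment such as `// field values are admin-only (ADMIN scope); the service re-checks admin status for non-OAuth callers` next to the verifyScope call would make the intent explicit, and the endpoint's Javadoc, which starts outside the hunk, should say the same. The tests touched in this commit only exercise basic auth, so whether a token carrying VC_INFO is now rejected with the expected status appears untested here (an existing OAuth scope test may live elsewhere, outside my view). The enclosing method begins before the hunk.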
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusFieldTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusFieldTest.java
index 583629b..81f63a3 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusFieldTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusFieldTest.java
@@ -40,7 +40,7 @@
.path("field").path("~" + username).path(vcName)
.queryParam("fieldName", field)
.header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
- .createBasicAuthorizationHeaderValue("dory", "pass"))
+ .createBasicAuthorizationHeaderValue("admin", "pass"))
.header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
.get(ClientResponse.class);
@@ -57,7 +57,7 @@
.path("field").path("~" + username).path(vcName)
.queryParam("fieldName", field)
.header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
- .createBasicAuthorizationHeaderValue("dory", "pass"))
+ .createBasicAuthorizationHeaderValue("admin", "pass"))
.header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
.get(ClientResponse.class);
@@ -132,4 +132,27 @@
VirtualCorpusCache.delete("named-vc3");
deleteVcFromDB("named-vc3");
}
+
+ @Test
+ public void testRetrieveFieldUnauthorized () throws KustvaktException, IOException, QueryException {
+ vcLoader.loadVCToCache("named-vc3", "/vc/named-vc3.jsonld");
+
+ ClientResponse response = resource().path(API_VERSION).path("vc")
+ .path("field").path("~system").path("named-vc3")
+ .queryParam("fieldName", "textSigle")
+ .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
+ .createBasicAuthorizationHeaderValue("dory", "pass"))
+ .header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON)
+ .get(ClientResponse.class);
+
+ assertEquals(Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
+ String entity = response.getEntity(String.class);
+ JsonNode node = JsonUtils.readTree(entity);
+ assertEquals(StatusCodes.AUTHORIZATION_FAILED, node.at("/errors/0/0").asInt());
+ assertEquals("Unauthorized operation for user: dory", node.at("/errors/0/1").asText());
+
+
+ VirtualCorpusCache.delete("named-vc3");
+ deleteVcFromDB("named-vc3");
+ }
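Review bot: In testRetrieveFieldUnauthorized the cleanup calls VirtualCorpusCache.delete and deleteVcFromDB run only if every assertion before them passes, so a failing assertion leaves named-vc3 cached and in the database and can make unrelated tests fail afterwards; the request and assertions should sit in a try block with the cleanup in finally. The same pattern exists in the preceding test (visible at the top of the hunk), but that is pre-existing. The two consecutive blank lines before the cleanup are also worth collapsing to one.

```java
vcLoader.loadVCToCache("named-vc3", "/vc/named-vc3.jsonld");
try {
    // … unchanged: request build, status and error-node assertions …
} finally {
    VirtualCorpusCache.delete("named-vc3");
    deleteVcFromDB("named-vc3");
}
```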
}