Recognize API calls authenticated by System API Key as ADMIN
cbellone committed Apr 22, 2023
1 parent 774ed9e commit f4a504c
Showing 1 changed file with 17 additions and 1 deletion.
18 changes: 17 additions & 1 deletion src/main/java/alfio/manager/user/UserManager.java
Expand Up @@ -16,6 +16,7 @@
*/
package alfio.manager.user;

import alfio.config.authentication.support.APITokenAuthentication;
import alfio.model.modification.OrganizationModification;
import alfio.model.result.ValidationResult;
import alfio.model.user.*;
Expand Down Expand Up @@ -46,6 +47,7 @@
import java.util.stream.Collectors;
import java.util.stream.Stream;

import static alfio.config.authentication.support.AuthenticationConstants.SYSTEM_API_CLIENT;
import static java.util.Objects.requireNonNull;
import static java.util.stream.Collectors.toList;

Expand Down Expand Up @@ -200,7 +202,7 @@ public int createOrganization(OrganizationModification om, Principal principal)

public void updateOrganization(OrganizationModification om, Principal principal) {
//
var orgId = requireNonNull(om.getId());
int orgId = requireNonNull(om.getId());
checkAccessToOrganizationId(principal, orgId);
//
boolean isAdmin = RequestUtils.isAdmin(principal) || RequestUtils.isSystemApiKey(principal);
Expand Down Expand Up @@ -399,6 +401,10 @@ private void checkIsAdmin(Principal principal) {
if (principal == null) {
return;
}
if (isSystemApiUser(principal)) {
log.trace("Allowing call for System API Key");
return;
}
if (isAdmin(findUserByUsername(principal.getName()))) {
return;
}
Expand Down Expand Up @@ -435,10 +441,20 @@ private void checkAccessToOrganizationId(Principal principal, int organizationId
if (principal == null) {
return;
}
if (isSystemApiUser(principal)) {
log.trace("Allowing access to Organization " + organizationId + " to System API Key");
return;
}
if (isOwnerOfOrganization(principal.getName(), organizationId)) {
return;
}
log.warn("User {} don't have access to organizationId {}", principal.getName(), organizationId);
throw new IllegalArgumentException("User " + principal.getName() + " don't have access to organizationId " + organizationId);
}

private boolean isSystemApiUser(Principal principal) {
return principal instanceof APITokenAuthentication
&& ((APITokenAuthentication)principal).getAuthorities().stream()
.allMatch(authority -> authority.getAuthority().equals("ROLE_" + SYSTEM_API_CLIENT));
}
}
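Review bot: `isSystemApiUser` decides with `allMatch`, and `Stream.allMatch` is vacuously true on an empty stream, so an `APITokenAuthentication` carrying no authorities at all would be treated as the System API client and pass both `checkIsAdmin` and `checkAccessToOrganizationId`; whether such a token can exist is not visible here, but an authorization predicate should not depend on it. Require the role to be present rather than merely not contradicted, and make the comparison null-safe: `.anyMatch(authority -> ("ROLE_" + SYSTEM_API_CLIENT).equals(authority.getAuthority()));` (if the intent is "exactly this one role", add an explicit `!isEmpty()` check instead of relying on `allMatch`). Note that `updateOrganization` already uses `RequestUtils.isSystemApiKey(principal)` for the same decision; if its semantics match, delegating to it would keep the two checks from drifting apart. The trace message in `checkAccessToOrganizationId` could also use the `{}` placeholder form the surrounding `log.warn` uses rather than string concatenation.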
