Merge pull request DSpace#9941 from alexandrevryghem/w2p-119960_fixed…

…-UUIDLookupRestController-throwing-500-when-unautorized_contribute-main Fixed dso endpoint returning 500 for unauthorized users
MMilosz · Dec 2, 2024 · 60ff46c · 60ff46c
2 parents 72c7adf + 20a7bca
commit 60ff46c
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 2 deletions.
diff --git a/dspace-server-webapp/src/main/java/org/dspace/app/rest/UUIDLookupRestController.java b/dspace-server-webapp/src/main/java/org/dspace/app/rest/UUIDLookupRestController.java
@@ -24,9 +24,11 @@
 import org.dspace.app.rest.utils.ContextUtil;
 import org.dspace.app.rest.utils.DSpaceObjectUtils;
 import org.dspace.app.rest.utils.Utils;
+import org.dspace.authorize.AuthorizeException;
+import org.dspace.authorize.service.AuthorizeService;
 import org.dspace.content.DSpaceObject;
+import org.dspace.core.Constants;
 import org.dspace.core.Context;
-import org.dspace.discovery.SearchServiceException;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.hateoas.Link;
@@ -65,6 +67,9 @@ public class UUIDLookupRestController implements InitializingBean {
     @Autowired
     private DiscoverableEndpointsService discoverableEndpointsService;
 
+    @Autowired
+    private AuthorizeService authorizeService;
+
     @Autowired
     private ConverterService converter;
 
@@ -85,13 +90,14 @@ public void afterPropertiesSet() throws Exception {
     public void getDSObyIdentifier(HttpServletRequest request,
                                    HttpServletResponse response,
                                    @RequestParam(PARAM) UUID uuid)
-            throws IOException, SQLException, SearchServiceException {
+        throws IOException, SQLException, AuthorizeException {
 
         Context context = null;
         try {
             context = ContextUtil.obtainContext(request);
             DSpaceObject dso = dspaceObjectUtil.findDSpaceObject(context, uuid);
             if (dso != null) {
+                authorizeService.authorizeAction(context, dso, Constants.READ);
                 DSpaceObjectRest dsor = converter.toRest(dso, utils.obtainProjection());
                 URI link = linkTo(dsor.getController(), dsor.getCategory(), dsor.getTypePlural()).slash(dsor.getId())
                         .toUri();

diff --git a/dspace-server-webapp/src/test/java/org/dspace/app/rest/UUIDLookupRestControllerIT.java b/dspace-server-webapp/src/test/java/org/dspace/app/rest/UUIDLookupRestControllerIT.java
@@ -17,6 +17,8 @@
 import org.apache.commons.codec.CharEncoding;
 import org.apache.commons.io.IOUtils;
 import org.dspace.app.rest.test.AbstractControllerIntegrationTest;
+import org.dspace.authorize.ResourcePolicy;
+import org.dspace.authorize.service.ResourcePolicyService;
 import org.dspace.builder.BitstreamBuilder;
 import org.dspace.builder.CollectionBuilder;
 import org.dspace.builder.CommunityBuilder;
@@ -31,6 +33,7 @@
 import org.dspace.eperson.Group;
 import org.junit.Ignore;
 import org.junit.Test;
+import org.springframework.beans.factory.annotation.Autowired;
 
 /**
  * Integration test for the UUIDLookup endpoint
@@ -39,6 +42,9 @@
  */
 public class UUIDLookupRestControllerIT extends AbstractControllerIntegrationTest {
 
+    @Autowired
+    ResourcePolicyService resourcePolicyService;
+
     @Test
     /**
      * Test the proper redirection of a site's uuid
@@ -307,4 +313,35 @@ public void testMissingIdentifierParameter() throws Exception {
                         .andExpect(status().isUnprocessableEntity());
     }
 
+    @Test
+    public void testUnauthorized() throws Exception {
+        context.turnOffAuthorisationSystem();
+        Community community = CommunityBuilder.createCommunity(context)
+            .build();
+        for (ResourcePolicy rp : resourcePolicyService.find(context, community)) {
+            resourcePolicyService.delete(context, rp);
+        }
+        context.restoreAuthSystemState();
+
+        getClient().perform(get("/api/dso/find")
+                                .param("uuid", community.getID().toString()))
+            .andExpect(status().isUnauthorized());
+    }
+
+    @Test
+    public void testForbidden() throws Exception {
+        context.turnOffAuthorisationSystem();
+        Community community = CommunityBuilder.createCommunity(context)
+            .build();
+        for (ResourcePolicy rp : resourcePolicyService.find(context, community)) {
+            resourcePolicyService.delete(context, rp);
+        }
+        context.restoreAuthSystemState();
+
+        String authToken = getAuthToken(eperson.getEmail(), password);
+        getClient(authToken).perform(get("/api/dso/find")
+                                .param("uuid", community.getID().toString()))
+            .andExpect(status().isForbidden());
+    }
+
 }