SHIBUI-1991

finished removing user ownership checks - auth should be by group (or ADMIN) only
TIER · Jul 4, 2021 · 0cac292 · 0cac292
1 parent 0721b0a
commit 0cac292
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 5 deletions.
diff --git a/...nd/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java b/...nd/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java
@@ -50,13 +50,14 @@ public UserAccess getCurrentUserAccess() {
         return UserAccess.NONE;
     }
 
-    public boolean isAuthorizedFor(String objectCreatedBy, Group objectGroup) {        
+    public boolean isAuthorizedFor(Group objectGroup) {        
         String groupId = objectGroup == null ? "" : objectGroup.getResourceId();      
-        return isAuthorizedFor(objectCreatedBy, groupId);
+        return isAuthorizedFor(groupId);
     }
 
 
-    public boolean isAuthorizedFor(String objectCreatedBy, String objectGroupResourceId) {
+    public boolean isAuthorizedFor(String objectGroupResourceId) {
+        // Shouldn't be null, but for safety...
         String groupId = objectGroupResourceId == null ? "" : objectGroupResourceId;
 
         switch (getCurrentUserAccess()) { // no user returns NONE

diff --git a/...n/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java b/...n/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java
@@ -461,7 +461,7 @@ public EntityDescriptor getEntityDescriptorByResourceId(String resourceId) throw
         if (ed == null) {
             throw new EntityNotFoundException(String.format("The entity descriptor with entity id [%s] was not found.", resourceId));
         }
-        if (!userService.isAuthorizedFor(ed.getCreatedBy(), ed.getGroup())) {
+        if (!userService.isAuthorizedFor(ed.getGroup())) {
             throw new ForbiddenException("You are not authorized to perform the requested operation.");
         }     
         return ed;
@@ -757,7 +757,7 @@ public EntityDescriptorRepresentation update(EntityDescriptorRepresentation edRe
         if (edRep.isServiceEnabled() && !userService.currentUserIsAdmin()) {
             throw new ForbiddenException("You do not have the permissions necessary to enable this service.");
         }
-        if (!userService.isAuthorizedFor(existingEd.getCreatedBy(), existingEd.getGroup())) {
+        if (!userService.isAuthorizedFor(existingEd.getGroup())) {
             throw new ForbiddenException("You are not authorized to perform the requested operation.");
         }        
         // Verify we're the only one attempting to update the EntityDescriptor