From 0cac2929e0c8e209e8d1280b5c9206fe843d132c Mon Sep 17 00:00:00 2001
From: chasegawa
Date: Sun, 4 Jul 2021 13:11:41 -0700
Subject: [PATCH] SHIBUI-1991 finished removing user ownership checks - auth should be by group (or ADMIN) only
---
 .../shibboleth/admin/ui/security/service/UserService.java | 7 ++++---
 .../admin/ui/service/JPAEntityDescriptorServiceImpl.java | 4 ++--
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java
index 3f7be7f42..f0bbea881 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java
@@ -50,13 +50,14 @@ public UserAccess getCurrentUserAccess() {
 return UserAccess.NONE;
 }
- public boolean isAuthorizedFor(String objectCreatedBy, Group objectGroup) {
+ public boolean isAuthorizedFor(Group objectGroup) {
 String groupId = objectGroup == null ? "" : objectGroup.getResourceId();
- return isAuthorizedFor(objectCreatedBy, groupId);
+ return isAuthorizedFor(groupId);
 }
- public boolean isAuthorizedFor(String objectCreatedBy, String objectGroupResourceId) {
+ public boolean isAuthorizedFor(String objectGroupResourceId) {
+ // Shouldn't be null, but for safety...
 String groupId = objectGroupResourceId == null ? "" : objectGroupResourceId;
 switch (getCurrentUserAccess()) { // no user returns NONE
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java
index 13e3dd0b9..fe5c52fdd 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java
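Review bot: The two `isAuthorizedFor` overloads in UserService.java are now the only authorization gate for group-scoped objects, yet neither has Javadoc stating the contract, and the null-to-`""` fallback in both decides what happens to an object with no group. The rest of the `switch` lies outside the hunk, so it cannot be confirmed from here that an empty group id is denied for every non-admin access level; that should be verified so the check fails closed. I would replace the added comment with `// A null/unassigned group becomes "" and must never match a user's group; only ADMIN may pass` and add a one-line Javadoc on each overload saying that it returns true only for ADMIN or a member of the object's group and that the creator is no longer considered.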
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java
@@ -461,7 +461,7 @@ public EntityDescriptor getEntityDescriptorByResourceId(String resourceId) throw
 if (ed == null) {
 throw new EntityNotFoundException(String.format("The entity descriptor with entity id [%s] was not found.", resourceId));
 }
- if (!userService.isAuthorizedFor(ed.getCreatedBy(), ed.getGroup())) {
+ if (!userService.isAuthorizedFor(ed.getGroup())) {
 throw new ForbiddenException("You are not authorized to perform the requested operation.");
 }
 return ed;
@@ -757,7 +757,7 @@ public EntityDescriptorRepresentation update(EntityDescriptorRepresentation edRe
 if (edRep.isServiceEnabled() && !userService.currentUserIsAdmin()) {
 throw new ForbiddenException("You do not have the permissions necessary to enable this service.");
 }
- if (!userService.isAuthorizedFor(existingEd.getCreatedBy(), existingEd.getGroup())) {
+ if (!userService.isAuthorizedFor(existingEd.getGroup())) {
 throw new ForbiddenException("You are not authorized to perform the requested operation.");
 }
 // Verify we're the only one attempting to update the EntityDescriptor
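Review bot: In `getEntityDescriptorByResourceId` the `ed == null` branch throws `EntityNotFoundException` before `isAuthorizedFor(ed.getGroup())` runs, so a caller outside the group gets a different response for an existing resource id than for a missing one. If descriptor existence is meant to be hidden from non-members, the unauthorized branch should produce the same not-found outcome as the null branch; otherwise a short comment such as `// 403 vs 404 is intentional: existence is not confidential` would record the decision. The not-found message also says "entity id" while formatting `resourceId`, which is misleading in logs. The method body starts outside the hunk.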
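Review bot: The check in `update` authorizes against `existingEd.getGroup()` only, and nothing in the hunk looks at the group carried by the incoming `edRep`. If the code after the hunk applies a group from the representation, a member of the current group could presumably reassign the descriptor to a group they do not belong to; that code is not visible here, so this needs confirming. If the group is writable through this path, add a second call such as `userService.isAuthorizedFor(targetGroupId)`, where `targetGroupId` stands for the group id read from `edRep` (the accessor is not shown in the hunk), and throw the same `ForbiddenException` on failure.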