From ae1df15c33484e6bebe7525b77166e351bba0757 Mon Sep 17 00:00:00 2001
From: Bill Smith
Date: Fri, 25 Jan 2019 12:40:07 -0700
Subject: [PATCH] [SHIBUI-1062] Added permissions check to getUsersWitHRole

---
 .../admin/ui/security/controller/UsersController.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersController.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersController.java
index b339227f8..5c16153b0 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersController.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersController.java
@@ -10,6 +10,7 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.annotation.Secured;
 import org.springframework.security.crypto.bcrypt.BCrypt;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.web.bind.annotation.DeleteMapping;
@@ -60,6 +61,7 @@ public ResponseEntity getOne(@PathVariable String username) {
 return ResponseEntity.ok(findUserOrThrowHttp404(username));
 }
 
+ @Secured("ROLE_ADMIN")
 @Transactional
 @GetMapping("/role/{rolename}")
 public ResponseEntity getUsersWithRole(@PathVariable String rolename) {
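Review bot: The new `@Secured("ROLE_ADMIN")` on `getUsersWithRole` is enforced only when method security is switched on with `securedEnabled = true` (for example on `@EnableGlobalMethodSecurity`), and neither that configuration nor a test appears in this commit, which touches a single file. If the setting is absent, Spring does not process the annotation and the handler remains reachable by any caller the URL-level rules let through, so the commit should come with a controller test that requests the `/role/{rolename}` mapping as a non-admin user and expects 403. The `getOne` handler just above shows no restriction in this hunk, although its annotations lie outside the visible lines; if the whole controller is meant to be admin-only, a class-level `@Secured("ROLE_ADMIN")` would avoid handler-by-handler gaps. The body of `getUsersWithRole` continues past the end of the hunk.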