bug #9183

New Registration View: prevent user from continuing to Registration for which permissions are not sufficient

Added by Andreas Kohlbecker over 3 years ago. Updated over 3 years ago.

Status: New
Priority: New
Category: cdm-vaadin
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Severity: normal
Found in Version:
Description

Users can select references in the new registration view even if permissions to edit them are not sufficient. Clicking on the "Continue" button routes to the RegistrationWorkingsetView and an error is raised without properly notifying the user about the lack of permissions:

... 88 more
Caused by: eu.etaxonomy.cdm.database.PermissionDeniedException: Access to the workingset is denied for the current user.
at eu.etaxonomy.cdm.api.service.registration.RegistrationWorkingSetService.checkPermissions(RegistrationWorkingSetService.java:298)
at eu.etaxonomy.cdm.api.service.registration.RegistrationWorkingSetService.loadWorkingSetByReferenceUuid(RegistrationWorkingSetService.java:275)
at sun.reflect.GeneratedMethodAccessor1710.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:302)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:281)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:208)
at com.sun.proxy.$Proxy233.loadWorkingSetByReferenceUuid(Unknown Source)
at eu.etaxonomy.cdm.vaadin.view.registration.RegistrationWorkingsetPresenter.loadWorkingSet(RegistrationWorkingsetPresenter.java:271)
at eu.etaxonomy.cdm.vaadin.view.registration.RegistrationWorkingsetPresenter.handleViewEntered(RegistrationWorkingsetPresenter.java:247)
at eu.etaxonomy.cdm.vaadin.view.registration.RegistrationWorksetViewBean.enter(RegistrationWorksetViewBean.java:169)

Solutions:

A. Filter out all references for which the user does not have sufficient permissions - preferred
B. Block the "Continue" button from being clicked - with caveats, see below

Option B still allows looking up references in the system even if the user does not have the permissions to modify them. This could expose names mentioned in the reference title which should be undisclosed.

StartRegistrationPresenter.handleViewEntered() already implements a permission filter, but it does not seem to be reliable in all cases:

// restrict by allowed reference uuids
Set<UUID> allowedUuids = referencePermissions.stream()
        .filter(p -> p.getTargetUUID() != null)
        .map(CdmAuthority::getTargetUUID)
        .collect(Collectors.toSet());

#1
Updated by Andreas Kohlbecker over 3 years ago
  • Description updated

#2
Updated by Andreas Kohlbecker over 3 years ago
  • Description updated

#3
Updated by Andreas Kohlbecker over 3 years ago

Filtering by restrictions seems to be the root of the problem:

Criterion uuidRestriction = Restrictions.in("uuid", allowedUuids);
criterion = Restrictions.and(criterion, Restrictions.or(pulishedOnly, uuidRestriction));

References are added to the list even if not in the allowedUuids!
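
To make the effect of the OR-ed criterion concrete, here is an added in-memory model (example code written for this ticket, not the project's Hibernate code): allowed_uuids mirrors the stream in StartRegistrationPresenter, filter_or mirrors the criterion quoted above, and filter_and is a strict variant corresponding to option A. The Authority and Reference classes and the sample references are constructed stand-ins for CdmAuthority and the CDM Reference entity.

```python
import uuid
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for CdmAuthority: a grant bound to one target entity
# (target_uuid set) or a class-wide grant (target_uuid is None).
@dataclass(frozen=True)
class Authority:
    target_uuid: Optional[uuid.UUID]

# Constructed stand-in for the CDM Reference entity.
@dataclass(frozen=True)
class Reference:
    uuid: uuid.UUID
    title: str
    published: bool

def allowed_uuids(permissions):
    """Mirror of the stream in StartRegistrationPresenter: keep only the
    authorities naming a concrete target and collect their UUIDs."""
    return {p.target_uuid for p in permissions if p.target_uuid is not None}

def filter_or(references, allowed):
    """The criterion from the ticket: publishedOnly OR uuid in allowedUuids.
    A published reference passes even if the user holds no authority on it."""
    return [r for r in references if r.published or r.uuid in allowed]

def filter_and(references, allowed):
    """Strict variant (option A, modelled in memory): only references the
    user actually holds an authority on are offered for registration."""
    return [r for r in references if r.uuid in allowed]

def admitted_without_authority(references, allowed):
    """Titles the OR criterion returns although the user has no authority."""
    strict = {r.uuid for r in filter_and(references, allowed)}
    return [r.title for r in filter_or(references, allowed) if r.uuid not in strict]

# Constructed sample data: the user holds an authority on REF_A only,
# plus one class-wide grant without a target (ignored by allowed_uuids).
REF_A = Reference(uuid.uuid4(), "Flora of X (editable)", published=True)
REF_B = Reference(uuid.uuid4(), "Unreleased revision of Y", published=False)
REF_C = Reference(uuid.uuid4(), "Published monograph Z", published=True)
REFERENCES = [REF_A, REF_B, REF_C]
PERMISSIONS = [Authority(REF_A.uuid), Authority(None)]

if __name__ == "__main__":
    allowed = allowed_uuids(PERMISSIONS)
    print("OR criterion :", [r.title for r in filter_or(REFERENCES, allowed)])
    print("AND criterion:", [r.title for r in filter_and(REFERENCES, allowed)])
    print("no authority :", admitted_without_authority(REFERENCES, allowed))
```

With the OR criterion the published monograph the user cannot edit is still listed, which is exactly the path that ends in the PermissionDeniedException from the stack trace above.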
