Commit cf4b867c authored by Daniel Gerhardt's avatar Daniel Gerhardt

Improve permission evaluation

Directly use Authentication instead of UserDetails instance.
Authentication has everything we need and works with tests.
parent 34624a45
......@@ -4,7 +4,6 @@ import java.io.Serializable;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
public class RepoPermissionEvaluator implements PermissionEvaluator {
@Override
......@@ -27,20 +26,18 @@ public class RepoPermissionEvaluator implements PermissionEvaluator {
final String targetType,
final Object permission
) {
if (authentication.getPrincipal() instanceof String) {
if (authentication == null || targetId == null || targetType == null || !(permission instanceof String)) {
return false;
}
final UserDetails ud = (UserDetails) authentication.getPrincipal();
if (isAdmin(ud)) {
if (isAdmin(authentication)) {
return true;
}
switch (targetType) {
case "membership":
case "courses":
if ("read".equals(permission) && ud.getUsername().equals(targetId)) {
if ("read".equals(permission) && authentication.getName().equals(targetId)) {
return true;
}
break;
......@@ -49,7 +46,7 @@ public class RepoPermissionEvaluator implements PermissionEvaluator {
return false;
}
private boolean isAdmin(final UserDetails user) {
return user.getAuthorities().stream().anyMatch(ga -> ga.getAuthority().equals("ADMIN"));
private boolean isAdmin(final Authentication authentication) {
return authentication.getAuthorities().stream().anyMatch(ga -> ga.getAuthority().equals("ADMIN"));
}
}
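Review bot: The guard added at the top of hasPermission replaces the old `getPrincipal() instanceof String` check with null checks only, so an anonymous authentication (Spring Security's default anonymous filter uses an `AnonymousAuthenticationToken` with a String principal named "anonymousUser") now passes the guard and reaches the `authentication.getName().equals(targetId)` comparison in the "membership"/"courses" branch. Reject unauthenticated callers explicitly ahead of the argument checks, `if (authentication == null || !authentication.isAuthenticated() || authentication instanceof AnonymousAuthenticationToken) { return false; }`, which needs an import of `org.springframework.security.authentication.AnonymousAuthenticationToken`. hasPermission's signature begins before the hunk and the switch continues past its last line, so the remaining case labels should be checked for the same reliance on the removed principal check. The authority literal "ADMIN" in isAdmin is also repeated in SecurityTestConfig; a `private static final String ADMIN_AUTHORITY = "ADMIN";` on the evaluator would keep the two in step.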
......@@ -20,9 +20,9 @@ public class SecurityTestConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(final AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("admin")
.password("secret").authorities("ADMIN")
.and().withUser("user").password("secret").authorities("USER");
auth.inMemoryAuthentication()
.withUser("admin").password("{noop}secret").authorities("ADMIN")
.and().withUser("user").password("{noop}secret").authorities("USER");
}
@Bean
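Review bot: The `{noop}` prefix on the new in-memory passwords in configureGlobal tells DelegatingPasswordEncoder to compare the credentials in plaintext, which is fine for this test configuration but is easily copied into a non-test one; a comment above the builder chain, `// {noop}: plaintext comparison, test-only credentials`, would make the intent explicit. configureGlobal is shown in full within the hunk.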