diff --git a/src/core/persistence/src/main/java/it/geosolutions/geostore/core/dao/SecurityDAO.java b/src/core/persistence/src/main/java/it/geosolutions/geostore/core/dao/SecurityDAO.java index 3f1e6e0e..81f3dac4 100644 --- a/src/core/persistence/src/main/java/it/geosolutions/geostore/core/dao/SecurityDAO.java +++ b/src/core/persistence/src/main/java/it/geosolutions/geostore/core/dao/SecurityDAO.java @@ -41,22 +41,18 @@ public interface SecurityDAO extends RestrictedGenericDAO { * @param resourceId * @return List */ - public List findUserSecurityRule(String userName, long resourceId); + List findUserSecurityRule(String userName, long resourceId); /** * @param groupNames * @param resourceId * @return */ - public List findGroupSecurityRule(List groupNames, long resourceId); + List findGroupSecurityRule(List groupNames, long resourceId); /** * @param resourceId * @return List */ - public List findResourceSecurityRules(long resourceId); - - List findUserSecurityRules(long userId); - - List findUserGroupSecurityRules(long userGroupId); + List findResourceSecurityRules(long resourceId); } diff --git a/src/core/persistence/src/main/java/it/geosolutions/geostore/core/dao/UserDAO.java b/src/core/persistence/src/main/java/it/geosolutions/geostore/core/dao/UserDAO.java index 0da6a1ca..aedc83a7 100644 --- a/src/core/persistence/src/main/java/it/geosolutions/geostore/core/dao/UserDAO.java +++ b/src/core/persistence/src/main/java/it/geosolutions/geostore/core/dao/UserDAO.java @@ -20,10 +20,15 @@ package it.geosolutions.geostore.core.dao; import it.geosolutions.geostore.core.model.User; +import java.util.List; /** * Interface UserDAO. * * @author Tobia di Pisa (tobia.dipisa at geo-solutions.it) */ -public interface UserDAO extends RestrictedGenericDAO {} +public interface UserDAO extends RestrictedGenericDAO { + default List findFavoritedBy(Long resourceId) { + return null; + } +} 
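Review bot: The default `findFavoritedBy` added to `UserDAO` returns `null`, and `ResourceServiceImpl.fetchFavoritedBy` (added later in this commit) passes that result straight into `new HashSet<>(...)`, which throws a NullPointerException for any DAO that does not override the method. Returning an empty list keeps the default safe: `return Collections.emptyList();` together with `import java.util.Collections;`. A short Javadoc stating that the method returns the users who marked the resource as a favorite, and never `null`, would make the contract explicit for implementers.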
diff --git a/src/core/persistence/src/main/java/it/geosolutions/geostore/core/dao/impl/SecurityDAOImpl.java b/src/core/persistence/src/main/java/it/geosolutions/geostore/core/dao/impl/SecurityDAOImpl.java index 1a257920..2de1bdcc 100644 --- a/src/core/persistence/src/main/java/it/geosolutions/geostore/core/dao/impl/SecurityDAOImpl.java +++ b/src/core/persistence/src/main/java/it/geosolutions/geostore/core/dao/impl/SecurityDAOImpl.java @@ -246,39 +246,6 @@ public List findResourceSecurityRules(long resourceId) { return super.search(searchCriteria); } - /** - * @param userId - * @return List - */ - @Override - public List findUserSecurityRules(long userId) { - Search searchCriteria = new Search(SecurityRule.class); - - Filter securityFilter = Filter.equal("user.id", userId); - - searchCriteria.addFilter(securityFilter); - - return super.search(searchCriteria); - } - - /** - * @param userGroupId - * @return List - */ - @Override - public List findUserGroupSecurityRules(long userGroupId) { - Search searchCriteria = new Search(SecurityRule.class); - - Filter securityFilter = Filter.equal("group.id", userGroupId); - - searchCriteria.addFilter(securityFilter); - - return super.search(searchCriteria); - } - - /* (non-Javadoc) - * @see it.geosolutions.geostore.core.dao.ResourceDAO#findGroupSecurityRule(java.lang.String, long) - */ @Override public List findGroupSecurityRule(List groupNames, long resourceId) { List rules = findResourceSecurityRules(resourceId); diff --git a/src/core/persistence/src/main/java/it/geosolutions/geostore/core/dao/impl/UserDAOImpl.java b/src/core/persistence/src/main/java/it/geosolutions/geostore/core/dao/impl/UserDAOImpl.java index 0aed5e90..8d787e4e 100644 --- a/src/core/persistence/src/main/java/it/geosolutions/geostore/core/dao/impl/UserDAOImpl.java +++ b/src/core/persistence/src/main/java/it/geosolutions/geostore/core/dao/impl/UserDAOImpl.java 
@@ -19,7 +19,9 @@ */ package it.geosolutions.geostore.core.dao.impl; +import com.googlecode.genericdao.search.Filter; import com.googlecode.genericdao.search.ISearch; +import com.googlecode.genericdao.search.Search; import it.geosolutions.geostore.core.dao.UserDAO; import it.geosolutions.geostore.core.model.User; import it.geosolutions.geostore.core.model.UserAttribute; @@ -167,4 +169,14 @@ public User[] save(User... entities) { return super.save(entities); } + + @Override + public List findFavoritedBy(Long resourceId) { + + Search searchCriteria = new Search(User.class); + + searchCriteria.addFilter(Filter.some("favorites", Filter.equal("id", resourceId))); + + return super.search(searchCriteria); + } } diff --git a/src/core/services-api/src/main/java/it/geosolutions/geostore/services/ResourcePermissionService.java b/src/core/services-api/src/main/java/it/geosolutions/geostore/services/ResourcePermissionService.java index cae1ba73..2c4cfc6d 100644 --- a/src/core/services-api/src/main/java/it/geosolutions/geostore/services/ResourcePermissionService.java +++ b/src/core/services-api/src/main/java/it/geosolutions/geostore/services/ResourcePermissionService.java @@ -6,48 +6,35 @@ public interface ResourcePermissionService { /** - * Verifies whether the user or any of their groups is the owner of the resource and has read + * Verifies whether the user or any of its groups is the owner of the resource and has read * permissions on it. * - *
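Review bot: `findFavoritedBy` in `UserDAOImpl` loads every full `User` entity that favorited the resource, while the only consumer visible in this commit (`isResourceUserFavorite` in `RESTExtJsServiceImpl`) just compares ids against the current user. The cost grows with the number of users who favorited a resource and is paid once per resource in a listing, and it attaches other users' records to the `Resource` through `setFavoritedBy`; whether those objects can reach a serialized response is not visible here and is worth confirming. A search restricted to the calling user, combining the existing `Filter.some("favorites", Filter.equal("id", resourceId))` with `Filter.equal("id", userId)` and a count, would answer the same question without loading anyone else. `resourceId` is also handed to the filter with no null check, and the method has no Javadoc.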

Be aware to fetch the user security rules prior to call this method. + *

Be aware to fetch the resource security rules prior to call this method. * + * @param resource * @param user - * @param resourceId - * @return true if the user can read the resource, false otherwise - * @throws IllegalArgumentException if the user security rules have not been initialized + * @return true if the resource can be read by the user, false + * otherwise + * @throws IllegalArgumentException if the resource security rules have not been initialized * properly */ - boolean canUserReadResource(User user, Long resourceId); + boolean canResourceBeReadByUser(Resource resource, User user); /** - * Verifies whether the user or any of their groups is the owner of the resource and has write + * Verifies whether the user or any of its groups is the owner of the resource and has write * permissions on it. * *

GUEST users can not access to the delete and edit (resource, data blob is editable) * services, so only admins and authenticated users with write permissions can. * - *

Be aware to fetch the user security rules prior to call this method. + *

Be aware to fetch the resource security rules prior to call this method. * - * @param user * @param resource - * @return true if the user can write the resource, false otherwise - * @throws IllegalArgumentException if the user security rules have not been initialized - * properly - */ - boolean canUserWriteResource(User user, Resource resource); - - /** - * Verifies whether the user or any of their groups is the owner of the resource and has both - * read and write permissions on it. - * - *

Be aware to fetch the user security rules prior to call this method. - * * @param user - * @param resource - * @return true if the user can read and write the resource, false + * @return true if the resource can be written by the user, false * otherwise - * @throws IllegalArgumentException if the user security rules have not been initialized + * @throws IllegalArgumentException if the resource security rules have not been initialized * properly */ - boolean canUserReadAndWriteResource(User user, Resource resource); + boolean canResourceBeWrittenByUser(Resource resource, User user); } diff --git a/src/core/services-api/src/main/java/it/geosolutions/geostore/services/ResourceService.java b/src/core/services-api/src/main/java/it/geosolutions/geostore/services/ResourceService.java index 32e4a8ca..b8e45886 100644 --- a/src/core/services-api/src/main/java/it/geosolutions/geostore/services/ResourceService.java +++ b/src/core/services-api/src/main/java/it/geosolutions/geostore/services/ResourceService.java @@ -253,4 +253,23 @@ long count(SearchFilter filter, User user, boolean favoritesOnly) long insertAttribute(long id, String name, String value, DataType type) throws InternalErrorServiceEx; + + /** + * Update the resource entity by fetching its security rules from the database. + * + * @param resource + */ + default void fetchSecurityRules(Resource resource) { + /* no-op */ + } + + /** + * Update the resource entity by fetching from the database the users who marked it as a + * favorite. + * + * @param resource + */ + default void fetchFavoritedBy(Resource resource) { + /* no-op */ + } } diff --git a/src/core/services-api/src/main/java/it/geosolutions/geostore/services/UserService.java b/src/core/services-api/src/main/java/it/geosolutions/geostore/services/UserService.java index 45f2eda0..1c2b2fae 100644 --- a/src/core/services-api/src/main/java/it/geosolutions/geostore/services/UserService.java 
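Review bot: The Javadoc of `canResourceBeReadByUser` and `canResourceBeWrittenByUser` omits two things the implementation in this commit depends on: `user` must be non-null (both methods begin with `user.getRole()`), and a user with role `ADMIN` is accepted before any rule is inspected, so the documented `IllegalArgumentException` is not raised for admins even when the resource rules were never fetched. I would add `@param user the authenticated user, must not be null` and a sentence such as `Users with role ADMIN are always granted access; the security rules are not consulted for them.` Removing `canUserReadAndWriteResource` changes the public interface, so any implementation or caller outside this diff needs the same update.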
+++ b/src/core/services-api/src/main/java/it/geosolutions/geostore/services/UserService.java @@ -129,16 +129,6 @@ List getAll(Integer page, Integer entries, String nameLike, boolean includ Collection getByGroup(UserGroup group); - /** - * Update the user entity by fetching its security rules and group security rules from the - * database. - * - * @param user - */ - default void fetchSecurityRules(User user) { - /* no-op */ - } - /** * Update the user entity by fetching its favorites resources from the database. * diff --git a/src/core/services-impl/src/main/java/it/geosolutions/geostore/services/ResourcePermissionServiceImpl.java b/src/core/services-impl/src/main/java/it/geosolutions/geostore/services/ResourcePermissionServiceImpl.java index dc48b7fe..5c792790 100644 --- a/src/core/services-impl/src/main/java/it/geosolutions/geostore/services/ResourcePermissionServiceImpl.java +++ b/src/core/services-impl/src/main/java/it/geosolutions/geostore/services/ResourcePermissionServiceImpl.java 
@@ -3,47 +3,65 @@ import it.geosolutions.geostore.core.model.Resource; import it.geosolutions.geostore.core.model.SecurityRule; import it.geosolutions.geostore.core.model.User; +import it.geosolutions.geostore.core.model.UserGroup; import it.geosolutions.geostore.core.model.enums.Role; import java.util.List; import java.util.function.BiFunction; public class ResourcePermissionServiceImpl implements ResourcePermissionService { - private final BiFunction resourceOwnership = - (rule, resource) -> resource.getId().equals(rule.getResource().getId()); - private final BiFunction resourceOwnershipWithReadPermission = - (rule, resource) -> resourceOwnership.apply(rule, resource) && rule.isCanRead(); - private final BiFunction resourceOwnershipWithWritePermission = - (rule, resource) -> resourceOwnership.apply(rule, resource) && rule.isCanWrite(); - private final BiFunction - resourceOwnershipWithReadAndWritePermission = - (rule, resource) -> - resourceOwnershipWithWritePermission.apply(rule, resource) - && resourceOwnershipWithReadPermission.apply(rule, resource); + private final BiFunction resourceUserOwnership = + (rule, user) -> user.getId().equals(rule.getUser().getId()); + + private final BiFunction resourceGroupOwnership = + (rule, group) -> group.getId().equals(rule.getGroup().getId()); + + private final BiFunction resourceUserOwnershipWithReadPermission = + (rule, user) -> + rule.getUser() != null + && resourceUserOwnership.apply(rule, user) + && rule.isCanRead(); + + private final BiFunction + resourceGroupOwnershipWithReadPermission = + (rule, group) -> + rule.getGroup() != null + && resourceGroupOwnership.apply(rule, group) + && rule.isCanRead(); + + private final BiFunction resourceUserOwnershipWithWritePermission = + (rule, user) -> + rule.getUser() != null + && resourceUserOwnership.apply(rule, user) + && rule.isCanWrite(); + + private final BiFunction + resourceGroupOwnershipWithWritePermission = + (rule, group) -> + rule.getGroup() != null + && 
resourceGroupOwnership.apply(rule, group) + && rule.isCanWrite(); @Override - public boolean canUserReadResource(User user, Long resourceId) { - Resource resource = new Resource(); - resource.setId(resourceId); - + public boolean canResourceBeReadByUser(Resource resource, User user) { return user.getRole().equals(Role.ADMIN) || isUserOwnerWithReadPermission(user, resource) || haveUserGroupsOwnershipWithReadPermission(user, resource); } private boolean isUserOwnerWithReadPermission(User user, Resource resource) { - checkUserSecurityRules(user); - return checkSecurityRulesAgainstResource( - user.getSecurity(), resource, resourceOwnershipWithReadPermission); + checkResourceSecurityRules(resource); + return checkSecurityRulesAgainstUser( + resource.getSecurity(), user, resourceUserOwnershipWithReadPermission); } private boolean haveUserGroupsOwnershipWithReadPermission(User user, Resource resource) { - return checkUserGroupsSecurityRulesAgainstResource( - user, resource, resourceOwnershipWithReadPermission); + return checkResourceSecurityRulesAgainstUserGroup( + user, resource, resourceGroupOwnershipWithReadPermission); } @Override - public boolean canUserWriteResource(User user, Resource resource) { + public boolean canResourceBeWrittenByUser(Resource resource, User user) { return !user.getRole().equals(Role.GUEST) && (user.getRole().equals(Role.ADMIN) || isUserOwnerWithWritePermission(user, resource) 
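Review bot: `resourceUserOwnership` and `resourceGroupOwnership` dereference `rule.getUser()` / `rule.getGroup()` and `user.getId()` / `group.getId()` with no guard of their own; the `rule.getUser() != null` test lives only in the composed read/write predicates, and nothing covers a `User` or `UserGroup` whose id is null. If the authenticated user can be a transient object without an id (not visible in this hunk), the permission check ends in a NullPointerException instead of a denial. Moving the guards into the base predicate makes every use deny by default: `(rule, user) -> rule.getUser() != null && user.getId() != null && user.getId().equals(rule.getUser().getId())`, with the same shape for the group variant. The hunk ends inside `canResourceBeWrittenByUser`, whose body continues outside it.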
@@ -51,54 +69,41 @@ public boolean canUserWriteResource(User user, Resource resource) { } private boolean isUserOwnerWithWritePermission(User user, Resource resource) { - checkUserSecurityRules(user); - return checkSecurityRulesAgainstResource( - user.getSecurity(), resource, resourceOwnershipWithWritePermission); - } - - private boolean haveUserGroupsOwnershipWithWritePermission(User user, Resource resource) { - return checkUserGroupsSecurityRulesAgainstResource( - user, resource, resourceOwnershipWithWritePermission); + checkResourceSecurityRules(resource); + return checkSecurityRulesAgainstUser( + resource.getSecurity(), user, resourceUserOwnershipWithWritePermission); } - @Override - public boolean canUserReadAndWriteResource(User user, Resource resource) { - return user.getRole().equals(Role.ADMIN) - || isUserOwnerWithReadAndWritePermission(user, resource) - || haveUserGroupOwnershipWithReadAndWritePermission(user, resource); - } - - private boolean isUserOwnerWithReadAndWritePermission(User user, Resource resource) { - checkUserSecurityRules(user); - return checkSecurityRulesAgainstResource( - user.getSecurity(), resource, resourceOwnershipWithReadAndWritePermission); - } - - private void checkUserSecurityRules(User user) { - if (user.getSecurity() == null) { + private void checkResourceSecurityRules(Resource resource) { + if (resource.getSecurity() == null) { throw new IllegalArgumentException( - "set user security rules prior checking for permissions"); + "set resource security rules prior checking for permissions"); } } - private boolean haveUserGroupOwnershipWithReadAndWritePermission(User user, Resource resource) { - return checkUserGroupsSecurityRulesAgainstResource( - user, resource, resourceOwnershipWithReadAndWritePermission); + private boolean haveUserGroupsOwnershipWithWritePermission(User user, Resource resource) { + return checkResourceSecurityRulesAgainstUserGroup( + user, resource, resourceGroupOwnershipWithWritePermission); } - private boolean 
checkUserGroupsSecurityRulesAgainstResource( - User user, Resource resource, BiFunction check) { + private boolean checkResourceSecurityRulesAgainstUserGroup( + User user, Resource resource, BiFunction check) { return user.getGroups().stream() .anyMatch( group -> - checkSecurityRulesAgainstResource( - group.getSecurity(), resource, check)); + checkSecurityRulesAgainstUserGroup( + resource.getSecurity(), group, check)); + } + + private boolean checkSecurityRulesAgainstUser( + List rules, User user, BiFunction check) { + return rules.stream().anyMatch(rule -> check.apply(rule, user)); } - private boolean checkSecurityRulesAgainstResource( + private boolean checkSecurityRulesAgainstUserGroup( List rules, - Resource resource, - BiFunction check) { - return rules.stream().anyMatch(rule -> check.apply(rule, resource)); + UserGroup group, + BiFunction check) { + return rules.stream().anyMatch(rule -> check.apply(rule, group)); } } diff --git a/src/core/services-impl/src/main/java/it/geosolutions/geostore/services/ResourceServiceImpl.java b/src/core/services-impl/src/main/java/it/geosolutions/geostore/services/ResourceServiceImpl.java index 1d820553..c54bef46 100644 --- a/src/core/services-impl/src/main/java/it/geosolutions/geostore/services/ResourceServiceImpl.java +++ b/src/core/services-impl/src/main/java/it/geosolutions/geostore/services/ResourceServiceImpl.java @@ -35,6 +35,7 @@ import it.geosolutions.geostore.core.dao.ResourceDAO; import it.geosolutions.geostore.core.dao.SecurityDAO; import it.geosolutions.geostore.core.dao.StoredDataDAO; +import it.geosolutions.geostore.core.dao.UserDAO; import it.geosolutions.geostore.core.dao.UserGroupDAO; import it.geosolutions.geostore.core.model.Attribute; import it.geosolutions.geostore.core.model.Category; @@ -56,6 +57,7 @@ import java.text.ParseException; import java.text.SimpleDateFormat; import java.util.Date; +import java.util.HashSet; import java.util.List; import java.util.regex.Matcher; import java.util.regex.Pattern; 
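Review bot: `checkResourceSecurityRulesAgainstUserGroup` reads `resource.getSecurity()` without calling `checkResourceSecurityRules(resource)`, so the group path is protected against unfetched rules only because the read path evaluates the user-ownership check first in its `||` chain (the write path appears to do the same, but its last condition falls between the two hunks). Reordering those conditions, or adding a new caller, would turn the intended `IllegalArgumentException` into a NullPointerException inside the stream. Adding `checkResourceSecurityRules(resource);` as the first statement of `checkResourceSecurityRulesAgainstUserGroup` makes the precondition local to the method. `user.getGroups()` is likewise streamed without a null check; whether it can be null is not visible here.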
@@ -74,6 +76,8 @@ public class ResourceServiceImpl implements ResourceService { private static final Logger LOGGER = LogManager.getLogger(ResourceServiceImpl.class); + private UserDAO userDAO; + private UserGroupDAO userGroupDAO; private ResourceDAO resourceDAO; @@ -86,36 +90,34 @@ public class ResourceServiceImpl implements ResourceService { private SecurityDAO securityDAO; - private UserService userService; - private ResourcePermissionService resourcePermissionService; - public void setSecurityDAO(SecurityDAO securityDAO) { - this.securityDAO = securityDAO; + public void setUserDAO(UserDAO userDAO) { + this.userDAO = userDAO; } - public void setStoredDataDAO(StoredDataDAO storedDataDAO) { - this.storedDataDAO = storedDataDAO; - } - - public void setResourceDAO(ResourceDAO resourceDAO) { - this.resourceDAO = resourceDAO; + public void setUserGroupDAO(UserGroupDAO userGroupDAO) { + this.userGroupDAO = userGroupDAO; } public void setAttributeDAO(AttributeDAO attributeDAO) { this.attributeDAO = attributeDAO; } + public void setStoredDataDAO(StoredDataDAO storedDataDAO) { + this.storedDataDAO = storedDataDAO; + } + public void setCategoryDAO(CategoryDAO categoryDAO) { this.categoryDAO = categoryDAO; } - public void setUserGroupDAO(UserGroupDAO userGroupDAO) { - this.userGroupDAO = userGroupDAO; + public void setSecurityDAO(SecurityDAO securityDAO) { + this.securityDAO = securityDAO; } - public void setUserService(UserService userService) { - this.userService = userService; + public void setResourceDAO(ResourceDAO resourceDAO) { + this.resourceDAO = resourceDAO; } public void setResourcePermissionService(ResourcePermissionService resourcePermissionService) { @@ -704,9 +706,6 @@ private List searchResources(ResourceSearchParameters parameters) * @return List */ private List convertToShortResourceList(List resources, User user) { - - userService.fetchSecurityRules(user); - return resources.stream() .map(r -> createShortResource(user, r)) .collect(Collectors.toList()); 
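Review bot: Once `userService.fetchSecurityRules(user)` is removed from `convertToShortResourceList`, nothing on this path loads the rules onto each `Resource` before `createShortResource` (next hunk) calls `canResourceBeWrittenByUser`, whereas the REST code in this commit calls `resourceService.fetchSecurityRules(resource)` first. If `searchResources` does not already populate `resource.getSecurity()` (not visible here), `checkResourceSecurityRules` throws `IllegalArgumentException` for every non-admin user, or the decision depends on whatever rule list the search happened to attach. Calling `fetchSecurityRules(resource);` at the top of `createShortResource` when `user != null` would make the check self-contained. `convertToShortResourceList` starts outside the hunk.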
@@ -715,7 +714,7 @@ private List convertToShortResourceList(List resources, private ShortResource createShortResource(User user, Resource resource) { ShortResource shortResource = new ShortResource(resource); - if (user != null && resourcePermissionService.canUserWriteResource(user, resource)) { + if (user != null && resourcePermissionService.canResourceBeWrittenByUser(resource, user)) { shortResource.setCanEdit(true); shortResource.setCanDelete(true); } @@ -844,4 +843,22 @@ public long count(String nameLike, User user) { return resourceDAO.count(searchCriteria); } + + @Override + public void fetchSecurityRules(Resource resource) { + if (resource == null || resource.getId() == null) { + return; + } + + resource.setSecurity(securityDAO.findResourceSecurityRules(resource.getId())); + } + + @Override + public void fetchFavoritedBy(Resource resource) { + if (resource == null || resource.getId() == null) { + return; + } + + resource.setFavoritedBy(new HashSet<>(userDAO.findFavoritedBy(resource.getId()))); + } } diff --git a/src/core/services-impl/src/main/java/it/geosolutions/geostore/services/UserServiceImpl.java b/src/core/services-impl/src/main/java/it/geosolutions/geostore/services/UserServiceImpl.java index 7bcc2964..f61c02d4 100644 --- a/src/core/services-impl/src/main/java/it/geosolutions/geostore/services/UserServiceImpl.java +++ b/src/core/services-impl/src/main/java/it/geosolutions/geostore/services/UserServiceImpl.java @@ -22,7 +22,6 @@ import com.googlecode.genericdao.search.Filter; import com.googlecode.genericdao.search.Search; import it.geosolutions.geostore.core.dao.ResourceDAO; -import it.geosolutions.geostore.core.dao.SecurityDAO; import it.geosolutions.geostore.core.dao.UserAttributeDAO; import it.geosolutions.geostore.core.dao.UserDAO; import it.geosolutions.geostore.core.dao.UserGroupDAO; 
@@ -59,8 +58,6 @@ public class UserServiceImpl implements UserService { private UserGroupDAO userGroupDAO; - private SecurityDAO securityDAO; - private ResourceDAO resourceDAO; public void setUserDAO(UserDAO userDAO) { @@ -75,10 +72,6 @@ public void setUserGroupDAO(UserGroupDAO userGroupDAO) { this.userGroupDAO = userGroupDAO; } - public void setSecurityDAO(SecurityDAO securityDAO) { - this.securityDAO = securityDAO; - } - public void setResourceDAO(ResourceDAO resourceDAO) { this.resourceDAO = resourceDAO; } @@ -471,21 +464,6 @@ public Collection getByGroup(UserGroup group) { return userDAO.search(searchByGroup); } - @Override - public void fetchSecurityRules(User user) { - if (user == null || user.getId() == null) { - return; - } - - user.getGroups() - .forEach( - userGroup -> - userGroup.setSecurity( - securityDAO.findUserGroupSecurityRules(userGroup.getId()))); - - user.setSecurity(securityDAO.findUserSecurityRules(user.getId())); - } - @Override public void fetchFavorites(User user) { if (user == null || user.getId() == null) { diff --git a/src/modules/rest/extjs/src/main/java/it/geosolutions/geostore/services/rest/impl/RESTExtJsServiceImpl.java b/src/modules/rest/extjs/src/main/java/it/geosolutions/geostore/services/rest/impl/RESTExtJsServiceImpl.java index ce821b7f..2237b9a2 100644 --- a/src/modules/rest/extjs/src/main/java/it/geosolutions/geostore/services/rest/impl/RESTExtJsServiceImpl.java +++ b/src/modules/rest/extjs/src/main/java/it/geosolutions/geostore/services/rest/impl/RESTExtJsServiceImpl.java @@ -397,10 +397,6 @@ public ExtResourceList getExtResourcesList( * @return */ private List convertToExtResources(List foundResources, User user) { - - userService.fetchSecurityRules(user); - userService.fetchFavorites(user); - return foundResources.stream() .map(r -> convertToExtResource(r, user)) .collect(Collectors.toList()); 
@@ -408,12 +404,15 @@ private List convertToExtResources(List foundResources, U private ExtResource convertToExtResource(Resource resource, User user) { + resourceService.fetchSecurityRules(resource); + resourceService.fetchFavoritedBy(resource); + ExtResource.Builder extResourceBuilder = ExtResource.builder(resource) /* setting copy permission as in ResourceEnvelop.isCanCopy */ .withCanCopy(user != null); - if (resourcePermissionService.canUserWriteResource(user, resource)) { + if (resourcePermissionService.canResourceBeWrittenByUser(resource, user)) { extResourceBuilder.withCanEdit(true).withCanDelete(true); } @@ -425,9 +424,9 @@ private ExtResource convertToExtResource(Resource resource, User user) { } private boolean isResourceUserFavorite(Resource resource, User user) { - return user.getFavorites().stream() - .map(Resource::getId) - .anyMatch(id -> id.equals(resource.getId())); + return resource.getFavoritedBy().stream() + .map(User::getId) + .anyMatch(id -> id.equals(user.getId())); } /** 
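Review bot: `canResourceBeWrittenByUser(resource, user)` in `convertToExtResource` is reached with no null guard on `user`, although `.withCanCopy(user != null)` just above treats a null user as a valid input; the service begins with `user.getRole()`, so such a request ends in a NullPointerException rather than a resource without edit rights. `createShortResource` in `ResourceServiceImpl` already uses the guarded form, so I would write `if (user != null && resourcePermissionService.canResourceBeWrittenByUser(resource, user)) {` here too. The two `fetch...` calls now run once per resource instead of once per request, so a page of N resources issues 2N additional queries; a batched fetch keyed by the resource ids would bound that.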
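Review bot: `isResourceUserFavorite` streams `resource.getFavoritedBy()` and calls `user.getId()` without guarding either, and `fetchFavoritedBy` leaves the collection untouched when the resource has no id or when the default no-op implementation is in use. Whether `getFavoritedBy()` is initialised to an empty set on the entity is not visible here; if it is not, this line throws. A defensive form is `return user != null && resource.getFavoritedBy() != null && resource.getFavoritedBy().stream().map(User::getId).anyMatch(id -> id.equals(user.getId()));`.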
@@ -687,25 +686,30 @@ public ExtShortResource getExtResource( throw new NotFoundWebEx("Resource not found"); } - User authUser = extractAuthUser(sc); - userService.fetchSecurityRules(authUser); - userService.fetchFavorites(authUser); + User user = extractAuthUser(sc); + resourceService.fetchSecurityRules(resource); + resourceService.fetchFavoritedBy(resource); - if (!resourcePermissionService.canUserReadResource(authUser, id)) { + if (!resourcePermissionService.canResourceBeReadByUser(resource, user)) { throw new ForbiddenErrorWebEx("Resource is protected"); } ShortResource shortResource = new ShortResource(resource); - if (resourcePermissionService.canUserWriteResource(authUser, resource)) { + if (resourcePermissionService.canResourceBeWrittenByUser(resource, user)) { shortResource.setCanEdit(true); shortResource.setCanDelete(true); } + if (!includePermissions) { + /* clear fetched security rules */ + resource.setSecurity(null); + } + return ExtShortResource.builder(shortResource) .withAttributes(createShortAttributeList(resource.getAttribute())) .withSecurityRules(new SecurityRuleList(resource.getSecurity())) .withTagList(createTagList(resource.getTags())) - .withIsFavorite(isResourceUserFavorite(resource, authUser)) + .withIsFavorite(isResourceUserFavorite(resource, user)) .build(); } @@ -772,9 +776,10 @@ private void readSecurity() { return; } - userService.fetchSecurityRules(authUser); + resourceService.fetchSecurityRules(r); - if (authUser != null && resourcePermissionService.canUserWriteResource(authUser, r)) { + if (authUser != null + && resourcePermissionService.canResourceBeWrittenByUser(r, authUser)) { canEdit = true; canDelete = true; }
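Review bot: `resource.setSecurity(null)` in `getExtResource` shapes the response by mutating the entity, and the builder then receives `new SecurityRuleList(null)`. If `resource` is still attached to a persistence session at that point (not visible in the hunk), nulling a mapped collection can be picked up at flush time, and whether `SecurityRuleList` accepts a null list is not shown either. Leaving the fetched rules on the entity and choosing what to expose in a local avoids both: `List<SecurityRule> exposedRules = includePermissions ? resource.getSecurity() : Collections.emptyList();` passed as `.withSecurityRules(new SecurityRuleList(exposedRules))`. With `includePermissions` set, the complete rule list goes to any user who passes the read check, so if only owners or writers should see who else has access, that needs its own condition. `resourceService.fetchFavoritedBy(resource)` could also move below the read check so that a forbidden request does not trigger the extra query.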