Allowed reading non-enabled tools by a user having 'tool:post && tool…

…:put && tool:*:delete' permissions
OHDSI · Dec 17, 2024 · a6d5274 · a6d5274
1 parent 5acc126
commit a6d5274
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/src/main/java/org/ohdsi/webapi/tool/ToolServiceImpl.java b/src/main/java/org/ohdsi/webapi/tool/ToolServiceImpl.java
@@ -2,6 +2,9 @@
 
 import java.util.List;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+import org.apache.shiro.SecurityUtils;
 import org.ohdsi.webapi.service.AbstractDaoService;
 import org.ohdsi.webapi.shiro.Entities.UserEntity;
 import org.ohdsi.webapi.tool.converter.ToolConvertor;
@@ -20,7 +23,7 @@ public ToolServiceImpl(ToolRepository toolRepository, ToolConvertor toolConverto
 
     @Override
     public List<ToolDTO> getTools() {
-        List<Tool> tools = isAdmin() ? toolRepository.findAll() : toolRepository.findAllByIsEnabled(true);
+        List<Tool> tools = (isAdmin() || canManageTools()) ? toolRepository.findAll() : toolRepository.findAllByIsEnabled(true);
         return tools.stream()
                 .map(toolConvertor::toDTO).collect(Collectors.toList());
     }
@@ -49,4 +52,9 @@ public ToolDTO getById(Integer id) {
     public void delete(Integer id) {
         toolRepository.delete(id);
     }
+
+    private boolean canManageTools() {
+        return Stream.of("tool:put", "tool:post", "tool:*:delete")
+                .allMatch(permission -> SecurityUtils.getSubject().isPermitted(permission));
+    }
 }