From 862e506516eebd9da72971b379721f50dde311a4 Mon Sep 17 00:00:00 2001
From: Timm Fitschen <t.fitschen@indiscale.com>
Date: Wed, 8 Dec 2021 11:12:04 +0100
Subject: [PATCH] WIP: Entity ACL GRPC

---
 .../transaction/ListUsersTransaction.java       | 17 ++++++++++++++++-
 .../caosdb/server/transaction/RetrieveACL.java  |  6 ++++--
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/src/main/java/org/caosdb/server/transaction/ListUsersTransaction.java b/src/main/java/org/caosdb/server/transaction/ListUsersTransaction.java
index cfbd68d3..8a9f4ed4 100644
--- a/src/main/java/org/caosdb/server/transaction/ListUsersTransaction.java
+++ b/src/main/java/org/caosdb/server/transaction/ListUsersTransaction.java
@@ -1,6 +1,11 @@
 package org.caosdb.server.transaction;
 
 import java.util.List;
+import java.util.function.Predicate;
+import java.util.stream.Collectors;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
+import org.caosdb.server.accessControl.ACMPermissions;
 import org.caosdb.server.database.backend.transaction.ListUsers;
 import org.caosdb.server.database.proto.ProtoUser;
 
@@ -10,7 +15,17 @@ public class ListUsersTransaction extends AccessControlTransaction {
 
   @Override
   protected void transaction() throws Exception {
-    users = execute(new ListUsers(), getAccess()).getUsers();
+    Subject currentUser = SecurityUtils.getSubject();
+    users = execute(new ListUsers(), getAccess()).getUsers().stream().filter(user -> currentUser.isPermitted(ACMPermissions.PERMISSION_RETRIEVE_USER_INFO(user.realm, user.name))
+        ).collect(Collectors.toList());
+    
+    // remove roles
+    for(ProtoUser user : users) {
+      if(!currentUser.isPermitted(ACMPermissions.PERMISSION_RETRIEVE_USER_ROLES(user.realm, user.name))) {
+        user.roles = null;
+      }
+    }
+
   }
 
   public List<ProtoUser> getUsers() {
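Review bot: The role redaction loop in `transaction()` sets `user.roles = null` directly on the `ProtoUser` objects returned by `execute(new ListUsers(), getAccess()).getUsers()`. If the backend caches or shares those instances (not visible in this hunk), roles stripped for one subject would also be missing for a later, permitted caller, so redacting a per-request copy would be safer. Consumers of `getUsers()` now also have to handle a null `roles` field, which is worth stating in a Javadoc on `transaction()` together with the two permissions it checks. The comment `// remove roles` could give the reason, e.g. `// hide roles from subjects lacking PERMISSION_RETRIEVE_USER_ROLES for this user`. The `java.util.function.Predicate` import added in the first hunk is not referenced by any added line and can be dropped.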
diff --git a/src/main/java/org/caosdb/server/transaction/RetrieveACL.java b/src/main/java/org/caosdb/server/transaction/RetrieveACL.java
index f23a29a4..05ba7a42 100644
--- a/src/main/java/org/caosdb/server/transaction/RetrieveACL.java
+++ b/src/main/java/org/caosdb/server/transaction/RetrieveACL.java
@@ -1,5 +1,6 @@
 package org.caosdb.server.transaction;
 
+import com.google.protobuf.ProtocolStringList;
 import java.util.UUID;
 import org.apache.shiro.SecurityUtils;
 import org.caosdb.server.database.backend.transaction.RetrieveEntityACLTransaction;
@@ -8,12 +9,13 @@ import org.caosdb.server.entity.EntityInterface;
 import org.caosdb.server.entity.container.TransactionContainer;
 import org.caosdb.server.permissions.EntityACL;
 import org.caosdb.server.permissions.EntityPermission;
-import com.google.protobuf.ProtocolStringList;
 
 public class RetrieveACL extends Transaction<TransactionContainer> {
 
   public RetrieveACL(ProtocolStringList idList) {
-    super(new TransactionContainer(SecurityUtils.getSubject(), System.currentTimeMillis(), UUID.randomUUID().toString()));
+    super(
+        new TransactionContainer(
+            SecurityUtils.getSubject(), System.currentTimeMillis(), UUID.randomUUID().toString()));
     for (String strId : idList) {
       getContainer().add(new Entity(Integer.parseInt(strId)));
     }
-- 
GitLab