From aa0032edf43b69dd7c48f4ec7cb62a085d30dcfb Mon Sep 17 00:00:00 2001
From: Timm Fitschen <t.fitschen@indiscale.com>
Date: Wed, 8 Dec 2021 21:17:36 +0100
Subject: [PATCH] WIP: acm grpc

---
 .../transaction/ListRolesTransaction.java     | 31 ++++++++++++++++++-
 .../transaction/ListUsersTransaction.java     |  9 +++---
 .../transaction/RetrieveRoleTransaction.java  | 18 +++++++++++
 3 files changed, 53 insertions(+), 5 deletions(-)

diff --git a/src/main/java/org/caosdb/server/transaction/ListRolesTransaction.java b/src/main/java/org/caosdb/server/transaction/ListRolesTransaction.java
index b8f5943c..d8c962a0 100644
--- a/src/main/java/org/caosdb/server/transaction/ListRolesTransaction.java
+++ b/src/main/java/org/caosdb/server/transaction/ListRolesTransaction.java
@@ -21,9 +21,15 @@
 
 package org.caosdb.server.transaction;
 
+import java.util.Iterator;
 import java.util.List;
+import java.util.stream.Collectors;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
+import org.caosdb.server.accessControl.ACMPermissions;
 import org.caosdb.server.accessControl.Role;
 import org.caosdb.server.database.backend.transaction.ListRoles;
+import org.caosdb.server.database.proto.ProtoUser;
 
 public class ListRolesTransaction extends AccessControlTransaction {
 
@@ -31,7 +37,30 @@ public class ListRolesTransaction extends AccessControlTransaction {
 
   @Override
   protected void transaction() throws Exception {
-    roles = execute(new ListRoles(), getAccess()).getRoles();
+    Subject currentUser = SecurityUtils.getSubject();
+    roles =
+        execute(new ListRoles(), getAccess())
+            .getRoles()
+            .stream()
+            .filter(
+                role ->
+                    currentUser.isPermitted(
+                        ACMPermissions.PERMISSION_RETRIEVE_ROLE_DESCRIPTION(role.name)))
+            .collect(Collectors.toList());
+
+    // remove known users
+    for (Role role : roles) {
+      if (role.users != null) {
+        Iterator<ProtoUser> iterator = role.users.iterator();
+        while (iterator.hasNext()) {
+          ProtoUser user = iterator.next();
+          if (!currentUser.isPermitted(
+              ACMPermissions.PERMISSION_RETRIEVE_USER_ROLES(user.realm, user.name))) {
+            iterator.remove();
+          }
+        }
+      }
+    }
   }
 
   public List<Role> getRoles() {
diff --git a/src/main/java/org/caosdb/server/transaction/ListUsersTransaction.java b/src/main/java/org/caosdb/server/transaction/ListUsersTransaction.java
index b0c4af35..439f3b3a 100644
--- a/src/main/java/org/caosdb/server/transaction/ListUsersTransaction.java
+++ b/src/main/java/org/caosdb/server/transaction/ListUsersTransaction.java
@@ -48,10 +48,11 @@ public class ListUsersTransaction extends AccessControlTransaction {
 
     // remove roles
     for (ProtoUser user : users) {
-      if (!currentUser.isPermitted(
-          ACMPermissions.PERMISSION_RETRIEVE_USER_ROLES(user.realm, user.name))) {
-        user.roles = null;
-      }
+      if (user.roles != null)
+        if (!currentUser.isPermitted(
+            ACMPermissions.PERMISSION_RETRIEVE_USER_ROLES(user.realm, user.name))) {
+          user.roles = null;
+        }
     }
   }
 
diff --git a/src/main/java/org/caosdb/server/transaction/RetrieveRoleTransaction.java b/src/main/java/org/caosdb/server/transaction/RetrieveRoleTransaction.java
index c7c251ba..ff71d984 100644
--- a/src/main/java/org/caosdb/server/transaction/RetrieveRoleTransaction.java
+++ b/src/main/java/org/caosdb/server/transaction/RetrieveRoleTransaction.java
@@ -22,8 +22,14 @@
  */
 package org.caosdb.server.transaction;
 
+import java.util.Iterator;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authz.AuthorizationException;
+import org.apache.shiro.subject.Subject;
+import org.caosdb.server.accessControl.ACMPermissions;
 import org.caosdb.server.accessControl.Role;
 import org.caosdb.server.database.backend.transaction.RetrieveRole;
+import org.caosdb.server.database.proto.ProtoUser;
 import org.caosdb.server.utils.ServerMessages;
 
 public class RetrieveRoleTransaction extends AccessControlTransaction {
@@ -37,10 +43,22 @@ public class RetrieveRoleTransaction extends AccessControlTransaction {
 
   @Override
   protected void transaction() throws Exception {
+    Subject currentUser = SecurityUtils.getSubject();
+    if (!currentUser.isPermitted(ACMPermissions.PERMISSION_RETRIEVE_ROLE_DESCRIPTION(this.name))) {
+      throw new AuthorizationException("You are not permitted to retrieve this role");
+    }
     this.role = execute(new RetrieveRole(this.name), getAccess()).getRole();
     if (this.role == null) {
       throw ServerMessages.ROLE_DOES_NOT_EXIST;
     }
+    Iterator<ProtoUser> iterator = this.role.users.iterator();
+    while (iterator.hasNext()) {
+      ProtoUser user = iterator.next();
+      if (!currentUser.isPermitted(
+          ACMPermissions.PERMISSION_RETRIEVE_USER_ROLES(user.realm, user.name))) {
+        iterator.remove();
+      }
+    }
   }
 
   public Role getRole() {
-- 
GitLab