From f832e3f5e0b8f4a0d10134dee5427e0e8a2611c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Henrik=20tom=20W=C3=B6rden?= <h.tomwoerden@indiscale.com>
Date: Sat, 2 Dec 2023 11:31:05 +0100
Subject: [PATCH] wip

---
 .../transaction/RetrieveFullEntityTransaction.java       | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/main/java/org/caosdb/server/database/backend/transaction/RetrieveFullEntityTransaction.java b/src/main/java/org/caosdb/server/database/backend/transaction/RetrieveFullEntityTransaction.java
index 92f5aa84..f5b897ad 100644
--- a/src/main/java/org/caosdb/server/database/backend/transaction/RetrieveFullEntityTransaction.java
+++ b/src/main/java/org/caosdb/server/database/backend/transaction/RetrieveFullEntityTransaction.java
@@ -26,6 +26,7 @@ package org.caosdb.server.database.backend.transaction;
 
 import java.util.LinkedList;
 import java.util.List;
+import org.apache.shiro.SecurityUtils;
 import org.caosdb.server.database.BackendTransaction;
 import org.caosdb.server.database.exceptions.EntityDoesNotExistException;
 import org.caosdb.server.datatype.CollectionValue;
@@ -38,6 +39,8 @@ import org.caosdb.server.entity.RetrieveEntity;
 import org.caosdb.server.entity.Role;
 import org.caosdb.server.entity.container.Container;
 import org.caosdb.server.entity.wrapper.Property;
+import org.caosdb.server.permissions.EntityACL;
+import org.caosdb.server.permissions.EntityPermission;
 import org.caosdb.server.query.Query;
 import org.caosdb.server.query.Query.Selection;
 import org.caosdb.server.utils.EntityStatus;
@@ -220,6 +223,12 @@ public class RetrieveFullEntityTransaction extends BackendTransaction {
   private void resolveReferenceValue(
       final ReferenceValue value, final List<Selection> selections, final String propertyName) {
     final RetrieveEntity ref = new RetrieveEntity(value.getId());
+
+    // check whether the referenced entity may be retrieved
+    final EntityACL entityACL = ref.getEntityACL();
+    if (!entityACL.isPermitted(SecurityUtils.getSubject(), EntityPermission.RETRIEVE_ENTITY)) {
+      return;
+    }
     // recursion! (Only for the matching selections)
     retrieveFullEntity(ref, getSubSelects(selections, propertyName));
     value.setEntity(ref, true);
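Review bot: In resolveReferenceValue the ACL is read from `ref` immediately after `new RetrieveEntity(value.getId())`, before `retrieveFullEntity` has loaded anything for that entity. The check therefore probably runs against an unset or default ACL rather than the stored one; the constructor is not visible here, so this is inferred. If `getEntityACL()` returns null at that point the new `isPermitted` call throws a NullPointerException, and if it returns a default ACL the RETRIEVE_ENTITY decision does not reflect the referenced entity's real permissions. Load the referenced entity's ACL before the check and fail closed when it is missing, e.g. `if (entityACL == null || !entityACL.isPermitted(SecurityUtils.getSubject(), EntityPermission.RETRIEVE_ENTITY)) { return; }`. The method body continues past the end of the hunk, so what callers see for a skipped reference cannot be confirmed from here.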
-- 
GitLab