diff --git a/rest/taskana-rest-spring/src/main/java/pro/taskana/common/rest/Mapping.java b/rest/taskana-rest-spring/src/main/java/pro/taskana/common/rest/Mapping.java
index b88cd7053..21febfb3e 100644
--- a/rest/taskana-rest-spring/src/main/java/pro/taskana/common/rest/Mapping.java
+++ b/rest/taskana-rest-spring/src/main/java/pro/taskana/common/rest/Mapping.java
@@ -30,9 +30,8 @@ public final class Mapping {
   public static final String URL_VERSION = PRE + "version";
   public static final String URL_TASKS = PRE + "tasks";
   public static final String URL_TASKS_ID = URL_TASKS + "/{taskId}";
-  public static final String URL_TASK_GET_POST_COMMENTS = URL_TASKS_ID + "/comments";
-  public static final String URL_TASK_COMMENTS = URL_TASKS + "/comments";
-  public static final String URL_TASK_COMMENT = URL_TASK_COMMENTS + "/{taskCommentId}";
+  public static final String URL_TASK_COMMENTS = URL_TASKS_ID + "/comments";
+  public static final String URL_TASK_COMMENT = URL_TASKS + "/comments/{taskCommentId}";
   public static final String URL_TASKS_ID_CLAIM = URL_TASKS_ID + "/claim";
   public static final String URL_TASKS_ID_SELECT_AND_CLAIM = URL_TASKS + "/select-and-claim";
   public static final String URL_TASKS_ID_COMPLETE = URL_TASKS_ID + "/complete";
diff --git a/rest/taskana-rest-spring/src/main/java/pro/taskana/task/rest/TaskCommentController.java b/rest/taskana-rest-spring/src/main/java/pro/taskana/task/rest/TaskCommentController.java
index 5a51d88bd..a77a7592f 100644
--- a/rest/taskana-rest-spring/src/main/java/pro/taskana/task/rest/TaskCommentController.java
+++ b/rest/taskana-rest-spring/src/main/java/pro/taskana/task/rest/TaskCommentController.java
@@ -80,7 +80,7 @@ public class TaskCommentController {
     return response;
   }
 
-  @GetMapping(path = Mapping.URL_TASK_GET_POST_COMMENTS)
+  @GetMapping(path = Mapping.URL_TASK_COMMENTS)
   @Transactional(readOnly = true, rollbackFor = Exception.class)
   public ResponseEntity> getTaskComments(
       @PathVariable String taskId,
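Review bot: `URL_TASK_COMMENT` is now derived from `URL_TASKS` instead of `URL_TASKS_ID`, so `/tasks/comments/{taskCommentId}` carries no `taskId`; a handler on that route cannot take the task from the path and has to resolve the comment first and then check access on the task it belongs to, which is worth stating on the constant, e.g. `/** Single-comment route; not scoped by task, so handlers must derive and authorize the owning task from the comment itself. */`. Note also that `/tasks/{taskId}/comments` and `/tasks/comments/{taskCommentId}` both have three segments and differ only in which one is literal; Spring's pattern matching prefers the literal segment, so the overlap only matters for an id equal to `comments`, which real `TKI:`/`TCI:` ids presumably never are, but a short comment next to the two constants would save the next reader the analysis.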
@@ -168,7 +168,7 @@ public class TaskCommentController {
     return result;
   }
 
-  @PostMapping(path = Mapping.URL_TASK_GET_POST_COMMENTS)
+  @PostMapping(path = Mapping.URL_TASK_COMMENTS)
   @Transactional(rollbackFor = Exception.class)
   public ResponseEntity createTaskComment(
       @PathVariable String taskId,
diff --git a/rest/taskana-rest-spring/src/test/java/pro/taskana/classification/rest/ClassificationControllerIntTest.java b/rest/taskana-rest-spring/src/test/java/pro/taskana/classification/rest/ClassificationControllerIntTest.java
index 3e9593b04..714651925 100644
--- a/rest/taskana-rest-spring/src/test/java/pro/taskana/classification/rest/ClassificationControllerIntTest.java
+++ b/rest/taskana-rest-spring/src/test/java/pro/taskana/classification/rest/ClassificationControllerIntTest.java
@@ -153,6 +153,28 @@ class ClassificationControllerIntTest {
     assertThat(HttpStatus.CREATED).isEqualTo(responseEntity.getStatusCode());
   }
 
+  @Test
+  @DirtiesContext
+  void should_ThrowNotAuthorized_WhenUserIsNotInRoleAdminOrBusinessAdmin_whileCreating() {
+    String newClassification =
+        "{\"classificationId\":\"\",\"category\":\"MANUAL\","
+            + "\"domain\":\"DOMAIN_A\",\"key\":\"NEW_CLASS\","
+            + "\"name\":\"new classification\",\"type\":\"TASK\"}";
+
+    ThrowingCallable httpCall =
+        () ->
+            template.exchange(
+                restHelper.toUrl(Mapping.URL_CLASSIFICATIONS),
+                HttpMethod.POST,
+                new HttpEntity<>(newClassification, restHelper.getHeadersUser_1_1()),
+                ParameterizedTypeReference.forType(ClassificationRepresentationModel.class));
+
+    assertThatThrownBy(httpCall)
+        .isInstanceOf(HttpClientErrorException.class)
+        .extracting(ex -> ((HttpClientErrorException) ex).getStatusCode())
+        .isEqualTo(HttpStatus.FORBIDDEN);
+  }
+
   @Test
   @DirtiesContext
   void testCreateClassificationWithParentId() {
diff --git a/rest/taskana-rest-spring/src/test/java/pro/taskana/common/rest/RestHelper.java b/rest/taskana-rest-spring/src/test/java/pro/taskana/common/rest/RestHelper.java
index c95cd9a93..0892b410b 100644
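Review bot: A 403 by itself does not show that the rejected POST left nothing behind; if the role check ran after the insert, or the status came from some unrelated filter, this new test would still pass. After the `assertThatThrownBy` chain I would add a read as admin, e.g. listing `Mapping.URL_CLASSIFICATIONS` with `restHelper.getHeadersAdmin()` and asserting that no entry with key `NEW_CLASS` in `DOMAIN_A` comes back, so that `@DirtiesContext` is a safety net rather than the only thing hiding a leaked write. The method name also asserts that user-1-1 holds neither the admin nor the business-admin role, which nothing in the test states; a one-line comment such as `// user-1-1 is a plain user: neither admin nor business admin` would make the fixture assumption explicit for whoever edits the sample users next.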
--- a/rest/taskana-rest-spring/src/test/java/pro/taskana/common/rest/RestHelper.java
+++ b/rest/taskana-rest-spring/src/test/java/pro/taskana/common/rest/RestHelper.java
@@ -28,6 +28,8 @@ public class RestHelper {
       "Basic YnVzaW5lc3NhZG1pbjpidXNpbmVzc2FkbWlu";
   public static final String AUTHORIZATION_USER_1_1 = "Basic dXNlci0xLTE6dXNlci0xLTE=";
   public static final String AUTHORIZATION_USER_1_2 = "Basic dXNlci0xLTI6dXNlci0xLTI=";
+  public static final String AUTHORIZATION_USER_2_1 = "Basic dXNlci0yLTE6dXNlci0yLTE=";
+  public static final String AUTHORIZATION_USER_B_1 = "Basic dXNlci1iLTE6dXNlci1iLTE=";
 
   public static final RestTemplate TEMPLATE = getRestTemplate();
 
@@ -87,6 +89,20 @@ public class RestHelper {
     return headers;
   }
 
+  public HttpHeaders getHeadersUser_2_1() {
+    HttpHeaders headers = new HttpHeaders();
+    headers.add("Authorization", AUTHORIZATION_USER_2_1);
+    headers.add("Content-Type", "application/json");
+    return headers;
+  }
+
+  public HttpHeaders getHeadersUser_b_1() {
+    HttpHeaders headers = new HttpHeaders();
+    headers.add("Authorization", AUTHORIZATION_USER_B_1);
+    headers.add("Content-Type", "application/json");
+    return headers;
+  }
+
   /**
    * Return a REST template which is capable of dealing with responses in HAL format.
    *
diff --git a/rest/taskana-rest-spring/src/test/java/pro/taskana/doc/api/TaskCommentControllerRestDocumentation.java b/rest/taskana-rest-spring/src/test/java/pro/taskana/doc/api/TaskCommentControllerRestDocumentation.java
index 47b242433..a9d22fd0a 100644
--- a/rest/taskana-rest-spring/src/test/java/pro/taskana/doc/api/TaskCommentControllerRestDocumentation.java
+++ b/rest/taskana-rest-spring/src/test/java/pro/taskana/doc/api/TaskCommentControllerRestDocumentation.java
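Review bot: The two new `AUTHORIZATION_*` constants are opaque Base64 literals (`dXNlci0yLTE6dXNlci0yLTE=` decodes to `user-2-1:user-2-1`, `dXNlci1iLTE6dXNlci1iLTE=` to `user-b-1:user-b-1`), so a reader cannot see which principal a test runs as without decoding by hand, and a mistyped literal would silently select a different or non-existent user and could let an authorization test pass for the wrong reason. Building them from the clear-text pair keeps the intent visible and removes the hand-encoding step, e.g. `"Basic " + Base64.getEncoder().encodeToString("user-b-1:user-b-1".getBytes(StandardCharsets.UTF_8))`, or a small `basicAuth(String user, String password)` helper used for every constant in this block. These are test-only identities whose password equals the user name, consistent with the existing entries; a comment saying so, e.g. `// sample users from the test LDAP/fixture; password == user name`, would stop anyone mistaking them for real credentials.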
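Review bot: `getHeadersUser_2_1` and `getHeadersUser_b_1` are further copies of the same four-line body, differing only in the constant passed to `headers.add("Authorization", …)`; a private factory would remove the duplication and make the next test user a one-liner while keeping the public method names for callers. The hunk opens with the tail of a previous `getHeaders…` method whose start is outside the hunk, so the same refactoring presumably applies to the siblings above as well.
```java
  public HttpHeaders getHeadersUser_2_1() {
    return jsonHeadersWithAuthorization(AUTHORIZATION_USER_2_1);
  }

  public HttpHeaders getHeadersUser_b_1() {
    return jsonHeadersWithAuthorization(AUTHORIZATION_USER_B_1);
  }

  // Shared body of all getHeaders…() methods: Basic auth plus JSON content type.
  private static HttpHeaders jsonHeadersWithAuthorization(String authorization) {
    HttpHeaders headers = new HttpHeaders();
    headers.add("Authorization", authorization);
    headers.add("Content-Type", "application/json");
    return headers;
  }
```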
@@ -95,7 +95,7 @@ class TaskCommentControllerRestDocumentation extends BaseRestDocumentation {
         .perform(
             RestDocumentationRequestBuilders.get(
                     restHelper.toUrl(
-                        Mapping.URL_TASK_GET_POST_COMMENTS,
+                        Mapping.URL_TASK_COMMENTS,
                         "TKI:000000000000000000000000000000000000"))
                 .accept(MediaTypes.HAL_JSON)
                 .header("Authorization", ADMIN_CREDENTIALS))
@@ -172,7 +172,7 @@ class TaskCommentControllerRestDocumentation extends BaseRestDocumentation {
         .perform(
             RestDocumentationRequestBuilders.post(
                     restHelper.toUrl(
-                        Mapping.URL_TASK_GET_POST_COMMENTS,
+                        Mapping.URL_TASK_COMMENTS,
                         "TKI:000000000000000000000000000000000000"))
                 .contentType(MediaTypes.HAL_JSON)
                 .content(createTaskCommentContent)
diff --git a/rest/taskana-rest-spring/src/test/java/pro/taskana/task/rest/TaskCommentControllerIntTest.java b/rest/taskana-rest-spring/src/test/java/pro/taskana/task/rest/TaskCommentControllerIntTest.java
index 1563cc7de..24bf8f50f 100644
--- a/rest/taskana-rest-spring/src/test/java/pro/taskana/task/rest/TaskCommentControllerIntTest.java
+++ b/rest/taskana-rest-spring/src/test/java/pro/taskana/task/rest/TaskCommentControllerIntTest.java
@@ -7,7 +7,6 @@ import java.time.Instant;
 import java.util.Comparator;
 import org.assertj.core.api.ThrowableAssert.ThrowingCallable;
 import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
@@ -64,7 +63,6 @@ class TaskCommentControllerIntTest {
         .isEqualTo(HttpStatus.NOT_FOUND);
   }
 
-  @Disabled("Disabled until Authorization check is up!")
   @Test
   void should_FailToReturnTaskComments_When_TaskIstNotVisible() {
 
@@ -88,8 +86,7 @@ class TaskCommentControllerIntTest {
   void should_ReturnSortedAndOrederedTaskCommentsSortedByModified_When_UsingSortAndOrderParams() {
 
     String url =
-        restHelper.toUrl(
-            Mapping.URL_TASK_GET_POST_COMMENTS, "TKI:000000000000000000000000000000000000");
+        restHelper.toUrl(Mapping.URL_TASK_COMMENTS, "TKI:000000000000000000000000000000000000");
 
     ResponseEntity>
         getTaskCommentsSortedByModifiedOrderedByDescendingResponse =
@@ -148,8 +145,7 @@ class TaskCommentControllerIntTest {
   void should_ThrowException_When_UsingInvalidSortParam() {
 
     String url =
-        restHelper.toUrl(
-            Mapping.URL_TASK_GET_POST_COMMENTS, "TKI:000000000000000000000000000000000000");
+        restHelper.toUrl(Mapping.URL_TASK_COMMENTS, "TKI:000000000000000000000000000000000000");
 
     ThrowingCallable httpCall =
         () -> {
@@ -164,7 +160,6 @@ class TaskCommentControllerIntTest {
         .isEqualTo(HttpStatus.BAD_REQUEST);
   }
 
-  @Disabled("Disabled until Authorization check is up!")
   @Test
   void should_FailToReturnTaskComment_When_TaskIstNotVisible() {
 
@@ -184,7 +179,6 @@ class TaskCommentControllerIntTest {
         .isEqualTo(HttpStatus.FORBIDDEN);
   }
 
-  @Disabled("Disabled until Authorization check is up!")
   @Test
   void should_FailToCreateTaskComment_When_TaskIsNotVisible() {
 
@@ -197,10 +191,10 @@ class TaskCommentControllerIntTest {
         () -> {
           template.exchange(
               restHelper.toUrl(
-                  Mapping.URL_TASK_GET_POST_COMMENTS, "TKI:000000000000000000000000000000000000"),
+                  Mapping.URL_TASK_COMMENTS, "TKI:000000000000000000000000000000000000"),
               HttpMethod.POST,
               new HttpEntity<>(
-                  taskCommentRepresentationModelToCreate, restHelper.getHeadersUser_1_1()),
+                  taskCommentRepresentationModelToCreate, restHelper.getHeadersUser_b_1()),
               ParameterizedTypeReference.forType(TaskCommentRepresentationModel.class));
         };
     assertThatThrownBy(httpCall)
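Review bot: The actor for the "task not visible" case changes from `restHelper.getHeadersUser_1_1()` to `restHelper.getHeadersUser_b_1()` without saying why; presumably user-1-1 can now see `TKI:…0000` and therefore no longer exercises the negative path, but nothing in the hunk records that. A comment on the `new HttpEntity<>(` line, e.g. `// user-b-1 has no access to TKI:…0000, so creating a comment on it must be refused`, would keep the next person from switching the user back when the fixture changes. The assertions after `assertThatThrownBy(httpCall)` lie outside the hunk; since the method name promises a visibility failure, they should pin the reason as well as the 403, the way the delete test in this file does with `hasMessageContaining`, so a refusal for a different rule does not pass as a visibility check.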
@@ -219,7 +213,7 @@ class TaskCommentControllerIntTest {
     ThrowingCallable httpCall =
         () -> {
           template.exchange(
-              restHelper.toUrl(Mapping.URL_TASK_GET_POST_COMMENTS, "DefinatelyNotExistingId"),
+              restHelper.toUrl(Mapping.URL_TASK_COMMENTS, "DefinatelyNotExistingId"),
               HttpMethod.POST,
               new HttpEntity<>(
                   taskCommentRepresentationModelToCreate, restHelper.getHeadersAdmin()),
@@ -262,7 +256,6 @@ class TaskCommentControllerIntTest {
         .isEqualTo(HttpStatus.CONFLICT);
   }
 
-  @Disabled("Disabled until Authorization check is up!")
   @Test
   void should_FailToUpdateTaskComment_When_UserHasNoAuthorization() {
     String url =
@@ -329,19 +322,18 @@ class TaskCommentControllerIntTest {
         .isEqualTo(HttpStatus.BAD_REQUEST);
   }
 
-  @Disabled("Disabled until Authorization check is up!")
   @Test
   void should_FailToDeleteTaskComment_When_UserHasNoAuthorization() {
     ResponseEntity>
-        getTaskCommentsBeforeDeleteionResponse =
+        getTaskCommentsBeforeDeletionResponse =
             template.exchange(
                 restHelper.toUrl(
                     Mapping.URL_TASK_COMMENTS, "TKI:000000000000000000000000000000000001"),
                 HttpMethod.GET,
-                new HttpEntity(restHelper.getHeadersAdmin()),
+                new HttpEntity(restHelper.getHeadersUser_1_2()),
                 TASK_COMMENT_PAGE_MODEL_TYPE);
 
-    assertThat(getTaskCommentsBeforeDeleteionResponse.getBody().getContent()).hasSize(2);
+    assertThat(getTaskCommentsBeforeDeletionResponse.getBody().getContent()).hasSize(2);
 
     String url =
         restHelper.toUrl(Mapping.URL_TASK_COMMENT, "TCI:000000000000000000000000000000000004");
@@ -355,6 +347,8 @@ class TaskCommentControllerIntTest {
               ParameterizedTypeReference.forType(TaskCommentRepresentationModel.class));
         };
     assertThatThrownBy(httpCall)
+        .isInstanceOf(HttpClientErrorException.class)
+        .hasMessageContaining("TaskComment creator and current user must match.")
         .extracting(ex -> ((HttpClientErrorException) ex).getStatusCode())
         .isEqualTo(HttpStatus.FORBIDDEN);
   }
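Review bot: The pre-deletion read is now done as user-1-2 and asserts two comments, but within the hunk the snapshot is never compared with the state after the refused DELETE; if the rest of the method (which continues past the hunk) does not re-read the comments of `TKI:…0001`, the `hasSize(2)` only proves that user-1-2 can read the task, not that the delete was blocked before it took effect. I would add after the `assertThatThrownBy` chain a second GET with the same headers and `assertThat(…getBody().getContent()).hasSize(2)`, or drop the snapshot if it is not used. The switch from `getHeadersAdmin()` to `getHeadersUser_1_2()` also deserves a comment, since a visible task with a non-creator caller is what turns the later 403 into a creator-mismatch rather than a visibility failure.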
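Review bot: The added `.hasMessageContaining("TaskComment creator and current user must match.")` shows that the rule enforced here is creator equality, not the general "no authorization" the method name suggests, and it ties the test to the exact server wording, presumably relying on the response body being part of the exception message. Both are acceptable in an integration test, but a comment above the assertion, e.g. `// user-1-2 may read the task's comments but did not create TCI:…0004; deletion is limited to the creator`, would explain why a task the caller can see still yields 403, and renaming the method to `…When_UserIsNotCreator` would match what is asserted. The enclosing method and the headers used for the DELETE begin before this hunk.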
diff --git a/rest/taskana-rest-spring/src/test/java/pro/taskana/task/rest/TaskControllerIntTest.java b/rest/taskana-rest-spring/src/test/java/pro/taskana/task/rest/TaskControllerIntTest.java
index 74bdc51d9..73c326b81 100644
--- a/rest/taskana-rest-spring/src/test/java/pro/taskana/task/rest/TaskControllerIntTest.java
+++ b/rest/taskana-rest-spring/src/test/java/pro/taskana/task/rest/TaskControllerIntTest.java
@@ -795,6 +795,23 @@ class TaskControllerIntTest {
         .hasMessageContaining("409");
   }
 
+  @Test
+  void should_ThrowNotAuthorized_When_UserHasNoAuthorizationOnTask() {
+    String url = restHelper.toUrl(Mapping.URL_TASKS_ID, "TKI:000000000000000000000000000000000000");
+
+    ThrowingCallable httpCall =
+        () ->
+            template.exchange(
+                url,
+                HttpMethod.GET,
+                new HttpEntity(restHelper.getHeadersUser_b_1()),
+                ParameterizedTypeReference.forType(TaskRepresentationModel.class));
+
+    assertThatThrownBy(httpCall)
+        .extracting(ex -> ((HttpClientErrorException) ex).getStatusCode())
+        .isEqualTo(HttpStatus.FORBIDDEN);
+  }
+
   private TaskRepresentationModel getTaskResourceSample() {
     ClassificationSummaryRepresentationModel classificationResource =
         new ClassificationSummaryRepresentationModel();
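Review bot: The assertion chain casts to `HttpClientErrorException` inside `extracting` without first checking the type, unlike the classification test added in this same change; if the call fails with a different exception (a 5xx `HttpServerErrorException`, or a connection error), the failure surfaces as a `ClassCastException` inside the lambda instead of a clear assertion message. Insert `.isInstanceOf(HttpClientErrorException.class)` before `.extracting(...)`. It would also help to say why user-b-1 is the right actor, e.g. `// user-b-1 has no read access to TKI:…0000, so GET on it must return 403`, so that a later fixture change does not silently turn this into a test of the wrong principal.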