mirror of
https://github.com/Stirling-Tools/Stirling-PDF.git
synced 2025-08-21 19:59:24 +00:00
preauth
This commit is contained in:
Anthony Stirling
parent
9e78057a3e
commit
e418e06ace
@ -48,7 +48,7 @@ import stirling.software.proprietary.security.config.EnterpriseEndpoint;
|
||||
@Slf4j
|
||||
@Controller
|
||||
@RequestMapping("/audit")
|
||||
@PreAuthorize("hasRole('ADMIN')")
|
||||
@PreAuthorize("@roleBasedAuthorizationService.canManageAllUsers()")
|
||||
@RequiredArgsConstructor
|
||||
@EnterpriseEndpoint
|
||||
public class AuditDashboardController {
|
||||
|
||||
@ -5,6 +5,7 @@ import java.util.Optional;
|
||||
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.http.ResponseEntity;
|
||||
import org.springframework.security.access.prepost.PreAuthorize;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import io.swagger.v3.oas.annotations.tags.Tag;
|
||||
@ -29,6 +30,7 @@ import stirling.software.proprietary.security.service.RoleBasedAuthorizationServ
|
||||
@Slf4j
|
||||
@RequiredArgsConstructor
|
||||
@PremiumEndpoint
|
||||
@PreAuthorize("@roleBasedAuthorizationService.canManageOrgUsers() or @roleBasedAuthorizationService.canManageOrgTeams()")
|
||||
public class OrgAdminController {
|
||||
|
||||
private final TeamRepository teamRepository;
|
||||
@ -37,11 +39,8 @@ public class OrgAdminController {
|
||||
|
||||
/** Get all teams in the org admin's organization */
|
||||
@GetMapping("/teams")
|
||||
@PreAuthorize("@roleBasedAuthorizationService.canManageOrgTeams()")
|
||||
public ResponseEntity<List<Team>> getOrganizationTeams() {
|
||||
if (!authorizationService.canManageOrgTeams()) {
|
||||
return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
|
||||
}
|
||||
|
||||
User currentUser = authorizationService.getCurrentUser();
|
||||
if (currentUser == null || currentUser.getOrganization() == null) {
|
||||
return ResponseEntity.badRequest().build();
|
||||
|
||||
@ -5,6 +5,7 @@ import java.util.Optional;
|
||||
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.http.ResponseEntity;
|
||||
import org.springframework.security.access.prepost.PreAuthorize;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import lombok.RequiredArgsConstructor;
|
||||
@ -18,6 +19,7 @@ import stirling.software.proprietary.security.service.RoleBasedAuthorizationServ
|
||||
@RestController
|
||||
@RequestMapping("/api/v1/organizations")
|
||||
@RequiredArgsConstructor
|
||||
@PreAuthorize("@roleBasedAuthorizationService.canManageOrganizations()")
|
||||
public class OrganizationController {
|
||||
|
||||
private final OrganizationRepository organizationRepository;
|
||||
@ -26,15 +28,13 @@ public class OrganizationController {
|
||||
|
||||
@GetMapping
|
||||
public ResponseEntity<List<OrganizationWithTeamCountDTO>> getAllOrganizations() {
|
||||
if (!authorizationService.canManageOrganizations()) {
|
||||
return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
|
||||
}
|
||||
List<OrganizationWithTeamCountDTO> organizations =
|
||||
organizationRepository.findAllOrganizationsWithTeamCount();
|
||||
return ResponseEntity.ok(organizations);
|
||||
}
|
||||
|
||||
@GetMapping("/{id}")
|
||||
@PreAuthorize("@roleBasedAuthorizationService.canViewOrganization(@organizationRepository.findById(#id).orElse(null))")
|
||||
public ResponseEntity<Organization> getOrganization(@PathVariable Long id) {
|
||||
Optional<Organization> organizationOpt = organizationRepository.findById(id);
|
||||
if (organizationOpt.isEmpty()) {
|
||||
@ -42,20 +42,11 @@ public class OrganizationController {
|
||||
}
|
||||
|
||||
Organization organization = organizationOpt.get();
|
||||
if (!authorizationService.canViewOrganization(organization)) {
|
||||
return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
|
||||
}
|
||||
|
||||
return ResponseEntity.ok(organization);
|
||||
}
|
||||
|
||||
@PostMapping
|
||||
public ResponseEntity<?> createOrganization(@RequestBody Organization organization) {
|
||||
if (!authorizationService.canManageOrganizations()) {
|
||||
return ResponseEntity.status(HttpStatus.FORBIDDEN)
|
||||
.body("Not authorized to create organizations");
|
||||
}
|
||||
|
||||
if (organizationRepository.existsByNameIgnoreCase(organization.getName())) {
|
||||
return ResponseEntity.badRequest()
|
||||
.body("Organization with name '" + organization.getName() + "' already exists");
|
||||
@ -67,11 +58,6 @@ public class OrganizationController {
|
||||
@PutMapping("/{id}")
|
||||
public ResponseEntity<?> updateOrganization(
|
||||
@PathVariable Long id, @RequestBody Organization organization) {
|
||||
if (!authorizationService.canManageOrganizations()) {
|
||||
return ResponseEntity.status(HttpStatus.FORBIDDEN)
|
||||
.body("Not authorized to update organizations");
|
||||
}
|
||||
|
||||
Optional<Organization> existingOrganization = organizationRepository.findById(id);
|
||||
if (existingOrganization.isEmpty()) {
|
||||
return ResponseEntity.notFound().build();
|
||||
@ -90,11 +76,6 @@ public class OrganizationController {
|
||||
|
||||
@DeleteMapping("/{id}")
|
||||
public ResponseEntity<?> deleteOrganization(@PathVariable Long id) {
|
||||
if (!authorizationService.canManageOrganizations()) {
|
||||
return ResponseEntity.status(HttpStatus.FORBIDDEN)
|
||||
.body("Not authorized to delete organizations");
|
||||
}
|
||||
|
||||
Optional<Organization> organization = organizationRepository.findById(id);
|
||||
if (organization.isEmpty()) {
|
||||
return ResponseEntity.notFound().build();
|
||||
|
||||
@ -2,6 +2,7 @@ package stirling.software.proprietary.security.controller.api;
|
||||
|
||||
import java.util.Optional;
|
||||
|
||||
import org.springframework.security.access.prepost.PreAuthorize;
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
import org.springframework.web.servlet.view.RedirectView;
|
||||
@ -31,6 +32,7 @@ import stirling.software.proprietary.security.service.TeamService;
|
||||
@Slf4j
|
||||
@RequiredArgsConstructor
|
||||
@PremiumEndpoint
|
||||
@PreAuthorize("@roleBasedAuthorizationService.canManageOrgTeams()")
|
||||
public class TeamController {
|
||||
|
||||
private final TeamRepository teamRepository;
|
||||
@ -44,9 +46,6 @@ public class TeamController {
|
||||
public RedirectView createTeam(
|
||||
@RequestParam("name") String name,
|
||||
@RequestParam("organizationId") Long organizationId) {
|
||||
if (!authorizationService.canManageOrgTeams()) {
|
||||
return new RedirectView("/teams?messageType=accessDenied");
|
||||
}
|
||||
Organization organization = organizationService.getOrCreateDefaultOrganization();
|
||||
if (organizationId != null) {
|
||||
organization = organizationRepository.findById(organizationId).orElse(organization);
|
||||
@ -63,6 +62,7 @@ public class TeamController {
|
||||
}
|
||||
|
||||
@PostMapping("/rename")
|
||||
@PreAuthorize("@roleBasedAuthorizationService.canManageTeam(@teamRepository.findById(#teamId).orElse(null))")
|
||||
public RedirectView renameTeam(
|
||||
@RequestParam("teamId") Long teamId, @RequestParam("newName") String newName) {
|
||||
Optional<Team> existing = teamRepository.findById(teamId);
|
||||
@ -71,10 +71,6 @@ public class TeamController {
|
||||
}
|
||||
Team team = existing.get();
|
||||
|
||||
if (!authorizationService.canManageTeam(team)) {
|
||||
return new RedirectView("/teams?messageType=accessDenied");
|
||||
}
|
||||
|
||||
if (teamRepository.existsByNameIgnoreCaseAndOrganizationId(
|
||||
newName, team.getOrganization().getId())) {
|
||||
return new RedirectView("/teams?messageType=teamNameExists");
|
||||
@ -92,6 +88,7 @@ public class TeamController {
|
||||
|
||||
@PostMapping("/delete")
|
||||
@Transactional
|
||||
@PreAuthorize("@roleBasedAuthorizationService.canManageTeam(@teamRepository.findById(#teamId).orElse(null))")
|
||||
public RedirectView deleteTeam(@RequestParam("teamId") Long teamId) {
|
||||
Optional<Team> teamOpt = teamRepository.findById(teamId);
|
||||
if (teamOpt.isEmpty()) {
|
||||
@ -100,10 +97,6 @@ public class TeamController {
|
||||
|
||||
Team team = teamOpt.get();
|
||||
|
||||
if (!authorizationService.canManageTeam(team)) {
|
||||
return new RedirectView("/teams?messageType=accessDenied");
|
||||
}
|
||||
|
||||
// Prevent deleting the Internal team
|
||||
if (team.getName().equals(TeamService.INTERNAL_TEAM_NAME)) {
|
||||
return new RedirectView("/teams?messageType=internalTeamNotAccessible");
|
||||
@ -120,6 +113,7 @@ public class TeamController {
|
||||
|
||||
@PostMapping("/addUser")
|
||||
@Transactional
|
||||
@PreAuthorize("@roleBasedAuthorizationService.canAddUserToTeam(#userId, @teamRepository.findById(#teamId).orElse(null))")
|
||||
public RedirectView addUserToTeam(
|
||||
@RequestParam("teamId") Long teamId, @RequestParam("userId") Long userId) {
|
||||
|
||||
@ -129,10 +123,6 @@ public class TeamController {
|
||||
.findById(teamId)
|
||||
.orElseThrow(() -> new RuntimeException("Team not found"));
|
||||
|
||||
if (!authorizationService.canAddUserToTeam(userId, team)) {
|
||||
return new RedirectView("/teams/" + teamId + "?error=accessDenied");
|
||||
}
|
||||
|
||||
// Prevent adding users to the Internal team
|
||||
if (team.getName().equals(TeamService.INTERNAL_TEAM_NAME)) {
|
||||
return new RedirectView("/teams?error=internalTeamNotAccessible");
|
||||
|
||||
@ -5,6 +5,7 @@ import java.util.Optional;
|
||||
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.http.ResponseEntity;
|
||||
import org.springframework.security.access.prepost.PreAuthorize;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import io.swagger.v3.oas.annotations.tags.Tag;
|
||||
@ -28,6 +29,7 @@ import stirling.software.proprietary.security.service.RoleBasedAuthorizationServ
|
||||
@Slf4j
|
||||
@RequiredArgsConstructor
|
||||
@PremiumEndpoint
|
||||
@PreAuthorize("@roleBasedAuthorizationService.canManageTeamUsers()")
|
||||
public class TeamLeadController {
|
||||
|
||||
private final TeamRepository teamRepository;
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user