Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Add option to exclude ALL auth from check #19521

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -37,9 +37,11 @@
* Annotation that takes in any number of {@link Authorities}. This allows us to check if a {@link
* org.hisp.dhis.user.User} has any of the {@link Authorities} passed in.
*
* <p>{@link Authorities#ALL} is automatically added to the check, as having this Authority allows
* access to all methods by default. No need to pass {@link Authorities#ALL} in the arguments. See
* {@link AuthorityInterceptor}.
* <p>{@link Authorities#ALL} is automatically added to the check by default, as having this
* Authority allows access to all methods by default. No need to pass {@link Authorities#ALL} in the
* arguments. See {@link AuthorityInterceptor}. <br>
* {@link Authorities#ALL} will only be excluded from the check if explicitly requested, using the
* optional param `excludeAllAuth=true`.
*
* <p>Can be used at Class or Method level. Usage at the method level will always take precedence
* (matching how Spring works). Class level usage only applies if there is no usage at the method
Expand All @@ -50,4 +52,6 @@
@Retention(RetentionPolicy.RUNTIME)
public @interface RequiresAuthority {
Authorities[] anyOf();

boolean excludeAllAuth() default false;
}
Original file line number Diff line number Diff line change
Expand Up @@ -54,8 +54,8 @@
* the passed-in {@link org.hisp.dhis.security.Authorities}. The exception message includes the
* required {@link org.hisp.dhis.security.Authorities} for the endpoint.
*
* <p>{@link Authorities#ALL} is automatically added to the check, as having this Authority allows
* access to all methods by default.
* <p>{@link Authorities#ALL} is only excluded if explicitly requested. The default includes {@link
* Authorities#ALL} in the check, as this is how the system operates.
*/
@Component
public class AuthorityInterceptor implements HandlerInterceptor {
Expand Down Expand Up @@ -88,7 +88,7 @@ public boolean preHandle(
return checkForRequiredAuthority(requiresMethodAuthority);
}

// heck if RequiresAuthority is at method level
// heck if RequiresAuthority is at class level
if (handlerMethod.getBeanType().isAnnotationPresent(RequiresAuthority.class)) {
RequiresAuthority requiresClassAuthority =
handlerMethod.getBeanType().getAnnotation(RequiresAuthority.class);
Expand All @@ -98,8 +98,11 @@ public boolean preHandle(
}

private boolean checkForRequiredAuthority(RequiresAuthority requiresAuthority) {
// include 'ALL' authority in required authorities
List<Authorities> requiredAuthorities = new ArrayList<>(List.of(Authorities.ALL));
List<Authorities> requiredAuthorities = new ArrayList<>();

// include 'ALL' authority in required authorities if not excluded
if (!requiresAuthority.excludeAllAuth()) requiredAuthorities.add(Authorities.ALL);

requiredAuthorities.addAll(List.of(requiresAuthority.anyOf()));

// get user authorities
Expand Down
Loading