From b18c0e205f9f9e5bc1aad8f7c88374f9226072a1 Mon Sep 17 00:00:00 2001 From: Charitha Date: Tue, 20 Aug 2024 14:38:05 +0530 Subject: [PATCH] Fix logic issue with user authorization validation for groups --- .../GroupAccessAuthorizationServiceImpl.java | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/authorization/GroupAccessAuthorizationServiceImpl.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/authorization/GroupAccessAuthorizationServiceImpl.java index acceb466c1..2f796f929f 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/authorization/GroupAccessAuthorizationServiceImpl.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/authorization/GroupAccessAuthorizationServiceImpl.java @@ -73,21 +73,24 @@ public class GroupAccessAuthorizationServiceImpl implements GroupAccessAuthoriza UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService() .getTenantUserRealm(getTenantId()); String[] userRoles = userRealm.getUserStoreManager().getRoleListOfUser(username); - boolean isAuthorized = true; + boolean isAuthorized; for (String groupPermission : groupPermissions) { + isAuthorized = false; for (String role : userRoles) { - if (!userRealm.getAuthorizationManager(). + if (userRealm.getAuthorizationManager(). isRoleAuthorized(role, groupPermission, CarbonConstants.UI_PERMISSION_ACTION)) { - isAuthorized = false; + isAuthorized = true; break; } } + if (!isAuthorized) { + return false; + } } - return isAuthorized; + return true; } catch (UserStoreException e) { throw new GroupAccessAuthorizationException("Unable to authorize the access to group : " + - groupId + " for the user : " + - username, e); + groupId + " for the user : " + username, e); } } }