From 5a12dc760152488b3419ff7ba8860775559ecdc7 Mon Sep 17 00:00:00 2001
From: Charitha Goonetilleke <charitha@entgra.io>
Date: Wed, 21 Aug 2024 03:09:48 +0000
Subject: [PATCH 1/2] Fix logic issue with user authorization validation for
 groups Co-authored-by: Charitha Goonetilleke <charitha@entgra.io>
 Co-committed-by: Charitha Goonetilleke <charitha@entgra.io>

---
 .../GroupAccessAuthorizationServiceImpl.java      | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/authorization/GroupAccessAuthorizationServiceImpl.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/authorization/GroupAccessAuthorizationServiceImpl.java
index acceb466c1..2f796f929f 100644
--- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/authorization/GroupAccessAuthorizationServiceImpl.java
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/authorization/GroupAccessAuthorizationServiceImpl.java
@@ -73,21 +73,24 @@ public class GroupAccessAuthorizationServiceImpl implements GroupAccessAuthoriza
                 UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService()
                         .getTenantUserRealm(getTenantId());
                 String[] userRoles = userRealm.getUserStoreManager().getRoleListOfUser(username);
-                boolean isAuthorized = true;
+                boolean isAuthorized;
                 for (String groupPermission : groupPermissions) {
+                    isAuthorized = false;
                     for (String role : userRoles) {
-                        if (!userRealm.getAuthorizationManager().
+                        if (userRealm.getAuthorizationManager().
                                 isRoleAuthorized(role, groupPermission, CarbonConstants.UI_PERMISSION_ACTION)) {
-                            isAuthorized = false;
+                            isAuthorized = true;
                             break;
                         }
                     }
+                    if (!isAuthorized) {
+                        return false;
+                    }
                 }
-                return isAuthorized;
+                return true;
             } catch (UserStoreException e) {
                 throw new GroupAccessAuthorizationException("Unable to authorize the access to group : " +
-                        groupId + " for the user : " +
-                        username, e);
+                        groupId + " for the user : " + username, e);
             }
         }
     }
-- 
2.36.3


From 1e20b3d15c55ada13052eae30d655488dfa7437a Mon Sep 17 00:00:00 2001
From: Rajitha Kumara <rajithakumaraprog@gmail.com>
Date: Wed, 21 Aug 2024 09:40:42 +0530
Subject: [PATCH 2/2] Fix permission updating issue

---
 .../webapp/publisher/APIPublisherStartupHandler.java   | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherStartupHandler.java b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherStartupHandler.java
index d218238dc1..e15c38ff13 100644
--- a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherStartupHandler.java
+++ b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherStartupHandler.java
@@ -32,6 +32,7 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import io.entgra.device.mgt.core.apimgt.webapp.publisher.exception.APIManagerPublisherException;
 import io.entgra.device.mgt.core.apimgt.webapp.publisher.internal.APIPublisherDataHolder;
+import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.core.ServerStartupObserver;
 
 import java.util.HashMap;
@@ -57,6 +58,7 @@ public class APIPublisherStartupHandler implements ServerStartupObserver {
 
     @Override
     public void completedServerStartup() {
+        String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
         APIPublisherDataHolder.getInstance().setServerStarted(true);
         currentAPIsStack = APIPublisherDataHolder.getInstance().getUnpublishedApis();
         Thread t = new Thread(new Runnable() {
@@ -104,7 +106,13 @@ public class APIPublisherStartupHandler implements ServerStartupObserver {
                     log.error("failed to update scope role mapping.", e);
                 }
 
-                updateScopeMetadataEntryWithDefaultScopes();
+                try {
+                    PrivilegedCarbonContext.startTenantFlow();
+                    PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
+                    updateScopeMetadataEntryWithDefaultScopes();
+                } finally {
+                    PrivilegedCarbonContext.endTenantFlow();
+                }
 
                 // execute after api publishing
                 for (PostApiPublishingObsever observer : APIPublisherDataHolder.getInstance().getPostApiPublishingObseverList()) {
-- 
2.36.3