diff --git a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherStartupHandler.java b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherStartupHandler.java index 796a31d9575..dcad2fa8465 100644 --- a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherStartupHandler.java +++ b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherStartupHandler.java @@ -33,6 +33,7 @@ import io.entgra.device.mgt.core.device.mgt.core.config.permission.DefaultPermis import io.entgra.device.mgt.core.device.mgt.core.config.permission.DefaultPermissions; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.wso2.carbon.context.PrivilegedCarbonContext; import org.wso2.carbon.core.ServerStartupObserver; import java.util.ArrayList; @@ -60,6 +61,7 @@ public class APIPublisherStartupHandler implements ServerStartupObserver { @Override public void completedServerStartup() { + String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(); APIPublisherDataHolder.getInstance().setServerStarted(true); currentAPIsStack = APIPublisherDataHolder.getInstance().getUnpublishedApis(); Thread t = new Thread(() -> { @@ -107,7 +109,14 @@ public class APIPublisherStartupHandler implements ServerStartupObserver { log.error("failed to update scope role mapping.", e); } - updateScopeMetadataEntryWithDefaultScopes(); + try { + PrivilegedCarbonContext.startTenantFlow(); + PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true); + updateScopeMetadataEntryWithDefaultScopes(); + } finally { + PrivilegedCarbonContext.endTenantFlow(); + } + log.info("Successfully published : [" + publishedAPIs + "]. " + "and failed : [" + failedAPIsStack + "] " + "Total successful count : [" + publishedAPIs.size() + "]. " + @@ -126,7 +135,7 @@ public class APIPublisherStartupHandler implements ServerStartupObserver { log.info("Starting API publishing procedure"); } - /** +/** * Publish apis provided by the API stack, if failed while publishing, then failed API will be added to * the failed API stack * diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/authorization/GroupAccessAuthorizationServiceImpl.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/authorization/GroupAccessAuthorizationServiceImpl.java index acceb466c19..2f796f929f3 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/authorization/GroupAccessAuthorizationServiceImpl.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/authorization/GroupAccessAuthorizationServiceImpl.java @@ -73,21 +73,24 @@ public class GroupAccessAuthorizationServiceImpl implements GroupAccessAuthoriza UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService() .getTenantUserRealm(getTenantId()); String[] userRoles = userRealm.getUserStoreManager().getRoleListOfUser(username); - boolean isAuthorized = true; + boolean isAuthorized; for (String groupPermission : groupPermissions) { + isAuthorized = false; for (String role : userRoles) { - if (!userRealm.getAuthorizationManager(). + if (userRealm.getAuthorizationManager(). isRoleAuthorized(role, groupPermission, CarbonConstants.UI_PERMISSION_ACTION)) { - isAuthorized = false; + isAuthorized = true; break; } } + if (!isAuthorized) { + return false; + } } - return isAuthorized; + return true; } catch (UserStoreException e) { throw new GroupAccessAuthorizationException("Unable to authorize the access to group : " + - groupId + " for the user : " + - username, e); + groupId + " for the user : " + username, e); } } }