From 5a12dc760152488b3419ff7ba8860775559ecdc7 Mon Sep 17 00:00:00 2001
From: Charitha Goonetilleke
Date: Wed, 21 Aug 2024 03:09:48 +0000
Subject: [PATCH] Fix logic issue with user authorization validation for groups
Co-authored-by: Charitha Goonetilleke
Co-committed-by: Charitha Goonetilleke
---
 .../GroupAccessAuthorizationServiceImpl.java | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/authorization/GroupAccessAuthorizationServiceImpl.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/authorization/GroupAccessAuthorizationServiceImpl.java
index acceb466c19..2f796f929f3 100644
--- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/authorization/GroupAccessAuthorizationServiceImpl.java
+++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/authorization/GroupAccessAuthorizationServiceImpl.java
@@ -73,21 +73,24 @@ public class GroupAccessAuthorizationServiceImpl implements GroupAccessAuthoriza
 UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService()
 .getTenantUserRealm(getTenantId());
 String[] userRoles = userRealm.getUserStoreManager().getRoleListOfUser(username);
- boolean isAuthorized = true;
+ boolean isAuthorized;
 for (String groupPermission : groupPermissions) {
+ isAuthorized = false;
 for (String role : userRoles) {
- if (!userRealm.getAuthorizationManager().
+ if (userRealm.getAuthorizationManager().
 isRoleAuthorized(role, groupPermission, CarbonConstants.UI_PERMISSION_ACTION)) {
- isAuthorized = false;
+ isAuthorized = true;
 break;
 }
 }
+ if (!isAuthorized) {
+ return false;
+ }
 }
- return isAuthorized;
+ return true;
 } catch (UserStoreException e) {
 throw new GroupAccessAuthorizationException("Unable to authorize the access to group : " +
- groupId + " for the user : " +
- username, e);
+ groupId + " for the user : " + username, e);
 }
 }
 }
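Review bot: With the outer loop now ending in an unconditional `return true;`, an empty `groupPermissions` authorizes every user without consulting a single role, and the new per-permission `isAuthorized = false` reset does nothing to change that; the old `isAuthorized = true` default behaved the same way, so this is pre-existing, but now that each permission is checked fail-closed the empty case is the one remaining fail-open path and deserves an explicit decision. Where `groupPermissions` is populated is outside this hunk (the method signature and the try block both start before it), so I cannot tell whether an empty set is reachable; if it is, either deny it with a guard before the loop or document in the method's Javadoc that an empty permission set means "no restriction". A `null` `groupPermissions` or `userRoles` would also surface as a NullPointerException rather than the `GroupAccessAuthorizationException` the catch block produces, since only `UserStoreException` is caught. As a point of style, `boolean isAuthorized;` declared before the loop and reset inside it reads more clearly as a loop-scoped `boolean roleGranted = false;` at the top of the outer loop body, which also removes the separate declaration.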