From 5a12dc760152488b3419ff7ba8860775559ecdc7 Mon Sep 17 00:00:00 2001 From: Charitha Goonetilleke Date: Wed, 21 Aug 2024 03:09:48 +0000 Subject: [PATCH 1/2] Fix logic issue with user authorization validation for groups Co-authored-by: Charitha Goonetilleke Co-committed-by: Charitha Goonetilleke --- .../GroupAccessAuthorizationServiceImpl.java | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/authorization/GroupAccessAuthorizationServiceImpl.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/authorization/GroupAccessAuthorizationServiceImpl.java index acceb466c1..2f796f929f 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/authorization/GroupAccessAuthorizationServiceImpl.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/authorization/GroupAccessAuthorizationServiceImpl.java @@ -73,21 +73,24 @@ public class GroupAccessAuthorizationServiceImpl implements GroupAccessAuthoriza UserRealm userRealm = DeviceManagementDataHolder.getInstance().getRealmService() .getTenantUserRealm(getTenantId()); String[] userRoles = userRealm.getUserStoreManager().getRoleListOfUser(username); - boolean isAuthorized = true; + boolean isAuthorized; for (String groupPermission : groupPermissions) { + isAuthorized = false; for (String role : userRoles) { - if (!userRealm.getAuthorizationManager(). + if (userRealm.getAuthorizationManager(). isRoleAuthorized(role, groupPermission, CarbonConstants.UI_PERMISSION_ACTION)) { - isAuthorized = false; + isAuthorized = true; break; } } + if (!isAuthorized) { + return false; + } } - return isAuthorized; + return true; } catch (UserStoreException e) { throw new GroupAccessAuthorizationException("Unable to authorize the access to group : " + - groupId + " for the user : " + - username, e); + groupId + " for the user : " + username, e); } } } From 1e20b3d15c55ada13052eae30d655488dfa7437a Mon Sep 17 00:00:00 2001 From: Rajitha Kumara Date: Wed, 21 Aug 2024 09:40:42 +0530 Subject: [PATCH 2/2] Fix permission updating issue --- .../webapp/publisher/APIPublisherStartupHandler.java | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherStartupHandler.java b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherStartupHandler.java index d218238dc1..e15c38ff13 100644 --- a/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherStartupHandler.java +++ b/components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.webapp.publisher/src/main/java/io/entgra/device/mgt/core/apimgt/webapp/publisher/APIPublisherStartupHandler.java @@ -32,6 +32,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import io.entgra.device.mgt.core.apimgt.webapp.publisher.exception.APIManagerPublisherException; import io.entgra.device.mgt.core.apimgt.webapp.publisher.internal.APIPublisherDataHolder; +import org.wso2.carbon.context.PrivilegedCarbonContext; import org.wso2.carbon.core.ServerStartupObserver; import java.util.HashMap; @@ -57,6 +58,7 @@ public class APIPublisherStartupHandler implements ServerStartupObserver { @Override public void completedServerStartup() { + String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(); APIPublisherDataHolder.getInstance().setServerStarted(true); currentAPIsStack = APIPublisherDataHolder.getInstance().getUnpublishedApis(); Thread t = new Thread(new Runnable() { @@ -104,7 +106,13 @@ public class APIPublisherStartupHandler implements ServerStartupObserver { log.error("failed to update scope role mapping.", e); } - updateScopeMetadataEntryWithDefaultScopes(); + try { + PrivilegedCarbonContext.startTenantFlow(); + PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true); + updateScopeMetadataEntryWithDefaultScopes(); + } finally { + PrivilegedCarbonContext.endTenantFlow(); + } // execute after api publishing for (PostApiPublishingObsever observer : APIPublisherDataHolder.getInstance().getPostApiPublishingObseverList()) {