From 9c56d4988347a8e1acc7c274e05fbe312cc2fc44 Mon Sep 17 00:00:00 2001
From: Daniil Palagin
Date: Wed, 11 Dec 2024 10:17:33 +0100
Subject: [PATCH] [kbss-cvut/record-manager-ui#202] Fix the access control to allow ROLE_USER access to institution retrieval
---
 src/main/java/cz/cvut/kbss/study/rest/OidcUserController.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/cz/cvut/kbss/study/rest/OidcUserController.java b/src/main/java/cz/cvut/kbss/study/rest/OidcUserController.java
index 85d05b2..f863fa8 100644
--- a/src/main/java/cz/cvut/kbss/study/rest/OidcUserController.java
+++ b/src/main/java/cz/cvut/kbss/study/rest/OidcUserController.java
@@ -57,7 +57,7 @@ public User getByUsername(@PathVariable("username") String username) {

 @PreAuthorize(
 "hasAuthority('" + SecurityConstants.ROLE_ADMIN + "') " +
- "or hasAuthority('" + SecurityConstants.ROLE_ADMIN + "') and @securityUtils.isMemberOfInstitution(#institutionKey)")
+ "or hasAuthority('" + SecurityConstants.ROLE_USER + "') and @securityUtils.isMemberOfInstitution(#institutionKey)")
 @GetMapping(produces = MediaType.APPLICATION_JSON_VALUE)
 public List getUsers(@RequestParam(value = "institution", required = false) String institutionKey) {
 return institutionKey != null ? getByInstitution(institutionKey) : userService.findAll();
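Review bot: With `ROLE_USER` now accepted in the second clause of the `@PreAuthorize` expression, the `institutionKey == null` path becomes security-relevant: the parameter is `required = false` and the method then returns `userService.findAll()`, so whether a plain user can list every account depends entirely on what `@securityUtils.isMemberOfInstitution(null)` does, which is not visible in this hunk. Before this change the expression reduced to an admin-only check, so a non-admin could never reach that null case. I would make the null case explicit and parenthesise the clause rather than rely on `and` binding tighter than `or`: `"or (hasAuthority('" + SecurityConstants.ROLE_USER + "') and #institutionKey != null and @securityUtils.isMemberOfInstitution(#institutionKey))")`. A controller test asserting that a ROLE_USER request without `institution`, and one carrying another institution's key, are both denied would pin the intended behaviour. The body of `getUsers` continues past the end of the hunk.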