fix(authz): incorrect handling of multi-types in get subject access r…

…ights (#1140)
stellio-hub · Apr 22, 2024 · 05a83b1 · 05a83b1
1 parent 474ce52
commit 05a83b1
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 2 deletions.
diff --git a/...service/src/main/kotlin/com/egm/stellio/search/authorization/EntityAccessRightsService.kt b/...service/src/main/kotlin/com/egm/stellio/search/authorization/EntityAccessRightsService.kt
@@ -176,7 +176,7 @@ class EntityAccessRightsService(
                 LEFT JOIN entity_payload ep ON ear.entity_id = ep.entity_id
                 WHERE ${if (isStellioAdmin) "1 = 1" else "subject_id IN (:subject_uuids)" }
                 ${if (accessRights.isNotEmpty()) " AND access_right IN (:access_rights)" else ""}
-                ${if (!type.isNullOrEmpty()) " AND ${buildTypeQuery(type)}" else ""}
+                ${if (!type.isNullOrEmpty()) " AND (${buildTypeQuery(type)})" else ""}
                 ${if (!ids.isNullOrEmpty()) " AND ear.entity_id IN (:entities_ids)" else ""}
                 ORDER BY entity_id
                 LIMIT :limit
@@ -232,7 +232,7 @@ class EntityAccessRightsService(
                 LEFT JOIN entity_payload ep ON ear.entity_id = ep.entity_id
                 WHERE ${if (isStellioAdmin) "1 = 1" else "subject_id IN (:subject_uuids)" }
                 ${if (accessRights.isNotEmpty()) " AND access_right IN (:access_rights)" else ""}
-                ${if (!type.isNullOrEmpty()) " AND ${buildTypeQuery(type)}" else ""}
+                ${if (!type.isNullOrEmpty()) " AND (${buildTypeQuery(type)})" else ""}
                 ${if (!ids.isNullOrEmpty()) " AND ear.entity_id IN (:entities_ids)" else ""}
                 """.trimIndent()
             )

diff --git a/...ce/src/test/kotlin/com/egm/stellio/search/authorization/EntityAccessRightsServiceTests.kt b/...ce/src/test/kotlin/com/egm/stellio/search/authorization/EntityAccessRightsServiceTests.kt
@@ -435,6 +435,36 @@ class EntityAccessRightsServiceTests : WithTimescaleContainer {
         }
     }
 
+    @Test
+    fun `it should get all entities an user has access to wrt access rights and types`() = runTest {
+        val entityId03 = "urn:ngsi-ld:Entity:03".toUri()
+
+        createEntityPayload(entityId01, setOf(BEEHIVE_TYPE), AUTH_READ)
+        createEntityPayload(entityId02, setOf(BEEHIVE_TYPE))
+        createEntityPayload(entityId03, setOf(APIARY_TYPE))
+        entityAccessRightsService.setRoleOnEntity(subjectUuid, entityId01, AccessRight.R_CAN_READ).shouldSucceed()
+        entityAccessRightsService.setRoleOnEntity(subjectUuid, entityId02, AccessRight.R_CAN_WRITE).shouldSucceed()
+        entityAccessRightsService.setRoleOnEntity(subjectUuid, entityId03, AccessRight.R_CAN_READ).shouldSucceed()
+
+        entityAccessRightsService.getSubjectAccessRights(
+            Some(subjectUuid),
+            listOf(AccessRight.R_CAN_WRITE),
+            "$BEEHIVE_TYPE,$APIARY_TYPE",
+            paginationQuery = PaginationQuery(limit = 100, offset = 0)
+        ).shouldSucceedWith {
+            assertEquals(1, it.size)
+            val entityAccessControl = it[0]
+            assertEquals(entityId02, entityAccessControl.id)
+        }
+
+        entityAccessRightsService.getSubjectAccessRightsCount(
+            Some(subjectUuid),
+            listOf(AccessRight.R_CAN_WRITE)
+        ).shouldSucceedWith {
+            assertEquals(1, it)
+        }
+    }
+
     @Test
     fun `it should return only one entity with higher right if user has access through different paths`() = runTest {
         createEntityPayload(entityId01, setOf(BEEHIVE_TYPE))