authorPaul-Christian Volkmer2024-02-05 07:18:31 +0100
committerPaul-Christian Volkmer2024-02-05 07:18:31 +0100
commit329be65d1a8e3daa1939087a359fd403d699c6ef (patch)
treeb7c10a74e58cab0be610e88abe36191774748ca1
parent91fe3d1c23d9367ac788837cadfd750dcb68afb2 (diff)
feat: forbid access to report if not logged in
-rw-r--r--src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt2
-rw-r--r--src/main/resources/templates/index.html3
2 files changed, 4 insertions, 1 deletions
diff --git a/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt b/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt
index 750ccbc..6017aab 100644
--- a/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt
+++ b/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt
@@ -82,6 +82,7 @@ class AppSecurityConfiguration(
authorizeRequests {
authorize("/configs/**", hasRole("ADMIN"))
authorize("/mtbfile/**", hasAnyRole("MTBFILE"))
+ authorize("/report/**", fullyAuthenticated)
authorize(anyRequest, permitAll)
}
httpBasic {
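Review bot: The same path gets two different rules in this file: `authorize("/report/**", fullyAuthenticated)` here and `authorize("/report/**", hasRole("ADMIN"))` in the second hunk (the `@@ -105` one), so which principals may read a report depends on which of the two `authorizeRequests` blocks is the active chain. If that asymmetry is intended (presumably one chain is for an external identity provider where any signed-in user may see reports, the other for the local user store where only ADMIN exists), a one-line comment above each new line would save the next reader from treating it as a copy-paste slip, e.g. `// reports: any fully authenticated user (external IdP) — the basic-auth chain restricts this to ADMIN`. If it is not intended, the two lines should agree. The rule is correctly placed before `authorize(anyRequest, permitAll)`, since the first matching rule wins. The enclosing configuration method starts and ends outside both hunks.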
@@ -105,6 +106,7 @@ class AppSecurityConfiguration(
authorizeRequests {
authorize("/configs/**", hasRole("ADMIN"))
authorize("/mtbfile/**", hasAnyRole("MTBFILE"))
+ authorize("/report/**", hasRole("ADMIN"))
authorize(anyRequest, permitAll)
}
httpBasic {
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index c8b0ea5..3951f66 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -53,7 +53,8 @@
<td th:style="${request.type.value == 'delete'} ? 'color: red;'"><small>[[ ${request.type} ]]</small></td>
<td th:if="not ${request.report}">[[ ${request.uuid} ]]</td>
<td th:if="${request.report}">
- <a th:href="@{/report/{id}(id=${request.uuid})}">[[ ${request.uuid} ]]</a>
+ <th:block sec:authorize="not authenticated">[[ ${request.uuid} ]]</th:block>
+ <a th:href="@{/report/{id}(id=${request.uuid})}" sec:authorize="authenticated">[[ ${request.uuid} ]]</a>
</td>
<td><time th:datetime="${request.processedAt}">[[ ${request.processedAt} ]]</time></td>
<td class="patient-id" th:if="${patientId != null}" sec:authorize="authenticated">
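Review bot: The link is shown under `sec:authorize="authenticated"`, but the server rule added in the same commit is `fullyAuthenticated` in one chain and `hasRole("ADMIN")` in the other, so in the ADMIN-only chain a signed-in non-admin user would see the link and then receive a 403 from `/report/{id}`. Hiding the link is presentation only and the server-side rule is the actual control, which is fine, but the template condition should mirror the stricter rule so the page does not advertise a resource the user cannot open, e.g. `sec:authorize="hasRole('ADMIN')"` on the `<a>` and the negated form on the `<th:block>` — or the authorization expressions should be unified if the two chains are meant to behave the same. Which chain is active cannot be determined from this hunk.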