diff options
| author | Paul-Christian Volkmer | 2023-04-13 21:18:42 +0200 |
|---|---|---|
| committer | Paul-Christian Volkmer | 2023-04-13 21:19:36 +0200 |
| commit | c4c03bfc66d0773544722060d02dc587da93bfbc (patch) | |
| tree | a47a59e14a8824c655fe7eb5026062a63e8dfa17 /src/main/java/DNPM/analyzer | |
| parent | 612da8e5b8a8539cd896596726fadd3eb68b63e9 (diff) | |
Erlaube keinen Protokollauszug, wenn keine Berechtigung auf Zielformular
Dies verhindert Zugriff auf den Protokollauszug beliebiger MTB-Formulare durch
"Erraten" von IDs.
Liegt keine Berechtigung für das Therapieplan-Formular (mit gegebener ID) vor,
können auch keine referenzierten MTB-Formulare abgerufen und deren Inhalt für
den Protokollauszug verwendet werden.
Diffstat (limited to 'src/main/java/DNPM/analyzer')
| -rw-r--r-- | src/main/java/DNPM/analyzer/TherapieplanAnalyzer.java | 30 |
1 files changed, 24 insertions, 6 deletions
diff --git a/src/main/java/DNPM/analyzer/TherapieplanAnalyzer.java b/src/main/java/DNPM/analyzer/TherapieplanAnalyzer.java index e645925..6ad18b0 100644 --- a/src/main/java/DNPM/analyzer/TherapieplanAnalyzer.java +++ b/src/main/java/DNPM/analyzer/TherapieplanAnalyzer.java @@ -1,5 +1,7 @@ package DNPM.analyzer; +import DNPM.security.DelegatingDataBasedPermissionEvaluator; +import DNPM.security.PermissionType; import DNPM.services.Studie; import DNPM.services.StudienService; import DNPM.services.TherapieplanServiceFactory; @@ -10,6 +12,7 @@ import de.itc.onkostar.api.analysis.AnalyseTriggerEvent; import de.itc.onkostar.api.analysis.AnalyzerRequirement; import de.itc.onkostar.api.analysis.IProcedureAnalyzer; import de.itc.onkostar.api.analysis.OnkostarPluginType; +import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.stereotype.Component; import java.util.List; @@ -30,14 +33,18 @@ public class TherapieplanAnalyzer implements IProcedureAnalyzer { private final MtbService mtbService; + private final DelegatingDataBasedPermissionEvaluator permissionEvaluator; + public TherapieplanAnalyzer( final StudienService studienService, final TherapieplanServiceFactory therapieplanServiceFactory, - final MtbService mtbService + final MtbService mtbService, + final DelegatingDataBasedPermissionEvaluator permissionEvaluator ) { this.studienService = studienService; this.therapieplanServiceFactory = therapieplanServiceFactory; this.mtbService = mtbService; + this.permissionEvaluator = permissionEvaluator; } @Override @@ -152,11 +159,22 @@ public class TherapieplanAnalyzer implements IProcedureAnalyzer { return ""; } - return mtbService.getProtocol( - therapieplanServiceFactory - .currentUsableInstance() - .findReferencedMtbs(procedureId.get()) - ); + if ( + permissionEvaluator.hasPermission( + SecurityContextHolder.getContext().getAuthentication(), + procedureId.get(), + Procedure.class.getSimpleName(), + PermissionType.READ + ) + ) { + return mtbService.getProtocol( + therapieplanServiceFactory + .currentUsableInstance() + .findReferencedMtbs(procedureId.get()) + ); + } + + return ""; } } |