Erlaube keinen Protokollauszug, wenn keine Berechtigung auf Zielformular

Dies verhindert Zugriff auf den Protokollauszug beliebiger MTB-Formulare durch "Erraten" von IDs. Liegt keine Berechtigung für das Therapieplan-Formular (mit gegebener ID) vor, können auch keine referenzierten MTB-Formulare abgerufen und deren Inhalt für den Protokollauszug verwendet werden.
author: Paul-Christian Volkmer 2023-04-13 21:18:42 +0200
committer: Paul-Christian Volkmer 2023-04-13 21:19:36 +0200
commit: c4c03bfc66d0773544722060d02dc587da93bfbc (patch)
tree: a47a59e14a8824c655fe7eb5026062a63e8dfa17 /src/main/java
parent: 612da8e5b8a8539cd896596726fadd3eb68b63e9 (diff)
1 files changed, 24 insertions, 6 deletions
diff --git a/src/main/java/DNPM/analyzer/TherapieplanAnalyzer.java b/src/main/java/DNPM/analyzer/TherapieplanAnalyzer.java
index e645925..6ad18b0 100644
--- a/src/main/java/DNPM/analyzer/TherapieplanAnalyzer.java
+++ b/src/main/java/DNPM/analyzer/TherapieplanAnalyzer.java
@@ -1,5 +1,7 @@
 package DNPM.analyzer;
 
+import DNPM.security.DelegatingDataBasedPermissionEvaluator;
+import DNPM.security.PermissionType;
 import DNPM.services.Studie;
 import DNPM.services.StudienService;
 import DNPM.services.TherapieplanServiceFactory;
@@ -10,6 +12,7 @@ import de.itc.onkostar.api.analysis.AnalyseTriggerEvent;
 import de.itc.onkostar.api.analysis.AnalyzerRequirement;
 import de.itc.onkostar.api.analysis.IProcedureAnalyzer;
 import de.itc.onkostar.api.analysis.OnkostarPluginType;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Component;
 
 import java.util.List;
@@ -30,14 +33,18 @@ public class TherapieplanAnalyzer implements IProcedureAnalyzer {
 
     private final MtbService mtbService;
 
+    private final DelegatingDataBasedPermissionEvaluator permissionEvaluator;
+
     public TherapieplanAnalyzer(
             final StudienService studienService,
             final TherapieplanServiceFactory therapieplanServiceFactory,
-            final MtbService mtbService
+            final MtbService mtbService,
+            final DelegatingDataBasedPermissionEvaluator permissionEvaluator
     ) {
         this.studienService = studienService;
         this.therapieplanServiceFactory = therapieplanServiceFactory;
         this.mtbService = mtbService;
+        this.permissionEvaluator = permissionEvaluator;
     }
 
     @Override
@@ -152,11 +159,22 @@ public class TherapieplanAnalyzer implements IProcedureAnalyzer {
             return "";
         }
 
-        return mtbService.getProtocol(
-                therapieplanServiceFactory
-                        .currentUsableInstance()
-                        .findReferencedMtbs(procedureId.get())
-        );
+        if (
+                permissionEvaluator.hasPermission(
+                        SecurityContextHolder.getContext().getAuthentication(),
+                        procedureId.get(),
+                        Procedure.class.getSimpleName(),
+                        PermissionType.READ
+                )
+        ) {
+            return mtbService.getProtocol(
+                    therapieplanServiceFactory
+                            .currentUsableInstance()
+                            .findReferencedMtbs(procedureId.get())
+            );
+        }
+
+        return "";
     }
 
 }
author	Paul-Christian Volkmer	2023-04-13 21:18:42 +0200
committer	Paul-Christian Volkmer	2023-04-13 21:19:36 +0200
commit	c4c03bfc66d0773544722060d02dc587da93bfbc (patch)
tree	a47a59e14a8824c655fe7eb5026062a63e8dfa17 /src/main/java
parent	612da8e5b8a8539cd896596726fadd3eb68b63e9 (diff)