4 files changed, 81 insertions, 2 deletions

diff --git a/src/main/java/DNPM/security/FormBasedSecurityAspects.java b/src/main/java/DNPM/security/FormBasedSecurityAspects.java
new file mode 100644
index 0000000..3dea944
--- /dev/null
+++ b/src/main/java/DNPM/security/FormBasedSecurityAspects.java
@@ -0,0 +1,51 @@
+package DNPM.security;
+
+import de.itc.onkostar.api.Procedure;
+import org.aspectj.lang.JoinPoint;
+import org.aspectj.lang.annotation.AfterReturning;
+import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Before;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+
+import java.util.Arrays;
+
+@Component
+@Aspect
+public class FormBasedSecurityAspects {
+
+    private final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+    private final FormBasedPermissionEvaluator permissionEvaluator;
+
+    public FormBasedSecurityAspects(
+            final FormBasedPermissionEvaluator permissionEvaluator
+            ) {
+        this.permissionEvaluator = permissionEvaluator;
+    }
+
+    @AfterReturning(value = "@annotation(FormSecuredResult)", returning = "procedure")
+    public void afterProcedureFormBased(Procedure procedure) {
+        if (
+                null != procedure
+                        && ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)
+        ) {
+            logger.warn("Rückgabe von Prozedur blockiert: {}", procedure.getId());
+            throw new IllegalSecuredObjectAccessException();
+        }
+    }
+
+    @Before(value = "@annotation(FormSecured)")
+    public void beforeProcedureFormBased(JoinPoint jp) {
+        Arrays.stream(jp.getArgs())
+                .filter(arg -> arg instanceof Procedure)
+                .forEach(procedure -> {
+                    if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)) {
+                        logger.warn("Zugriff auf Prozedur blockiert: {}", ((Procedure)procedure).getId());
+                        throw new IllegalSecuredObjectAccessException();
+                    }
+                });
+    }
+}
diff --git a/src/main/java/DNPM/security/FormSecured.java b/src/main/java/DNPM/security/FormSecured.java
new file mode 100644
index 0000000..2e12667
--- /dev/null
+++ b/src/main/java/DNPM/security/FormSecured.java
@@ -0,0 +1,14 @@
+package DNPM.security;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Retention(RetentionPolicy.RUNTIME)
+@Target(ElementType.METHOD)
+public @interface FormSecured {
+
+    PermissionType value() default PermissionType.READ_WRITE;
+
+}
diff --git a/src/main/java/DNPM/security/FormSecuredResult.java b/src/main/java/DNPM/security/FormSecuredResult.java
new file mode 100644
index 0000000..ccfbd24
--- /dev/null
+++ b/src/main/java/DNPM/security/FormSecuredResult.java
@@ -0,0 +1,14 @@
+package DNPM.security;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Retention(RetentionPolicy.RUNTIME)
+@Target(ElementType.METHOD)
+public @interface FormSecuredResult {
+
+    PermissionType value() default PermissionType.READ_WRITE;
+
+}
diff --git a/src/main/java/DNPM/security/SecurityAspects.java b/src/main/java/DNPM/security/PersonPoolBasedSecurityAspects.java
index a1fcd3f..37c313f 100644
--- a/src/main/java/DNPM/security/SecurityAspects.java
+++ b/src/main/java/DNPM/security/PersonPoolBasedSecurityAspects.java
@@ -15,13 +15,13 @@ import java.util.Arrays;
 
 @Component
 @Aspect
-public class SecurityAspects {
+public class PersonPoolBasedSecurityAspects {
 
     private final Logger logger = LoggerFactory.getLogger(this.getClass());
 
     private final PersonPoolBasedPermissionEvaluator permissionEvaluator;
 
-    public SecurityAspects(PersonPoolBasedPermissionEvaluator permissionEvaluator) {
+    public PersonPoolBasedSecurityAspects(PersonPoolBasedPermissionEvaluator permissionEvaluator) {
         this.permissionEvaluator = permissionEvaluator;
     }