Diffstat (limited to 'src')
-rw-r--r--src/main/java/DNPM/DNPMHelper.java19
-rw-r--r--src/test/java/DNPM/DNPMHelperTest.java30
2 files changed, 45 insertions, 4 deletions
diff --git a/src/main/java/DNPM/DNPMHelper.java b/src/main/java/DNPM/DNPMHelper.java
index 50b153e..838ca9a 100644
--- a/src/main/java/DNPM/DNPMHelper.java
+++ b/src/main/java/DNPM/DNPMHelper.java
@@ -1,6 +1,9 @@
package DNPM;
import DNPM.analyzer.AnalyzerUtils;
+import DNPM.security.IllegalSecuredObjectAccessException;
+import DNPM.security.PermissionType;
+import DNPM.security.PersonPoolBasedPermissionEvaluator;
import DNPM.services.systemtherapie.SystemtherapieService;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
@@ -17,6 +20,7 @@ import org.hibernate.transform.Transformers;
import org.hibernate.type.StandardBasicTypes;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.springframework.security.core.context.SecurityContextHolder;
import java.util.ArrayList;
import java.util.HashMap;
@@ -31,9 +35,16 @@ public class DNPMHelper implements IProcedureAnalyzer {
private final SystemtherapieService systemtherapieService;
- public DNPMHelper(final IOnkostarApi onkostarApi, final SystemtherapieService systemtherapieService) {
+ private final PersonPoolBasedPermissionEvaluator personPoolBasedPermissionEvaluator;
+
+ public DNPMHelper(
+ final IOnkostarApi onkostarApi,
+ final SystemtherapieService systemtherapieService,
+ final PersonPoolBasedPermissionEvaluator permissionEvaluator
+ ) {
this.onkostarApi = onkostarApi;
this.systemtherapieService = systemtherapieService;
+ this.personPoolBasedPermissionEvaluator = permissionEvaluator;
}
@Override
@@ -264,6 +275,10 @@ public class DNPMHelper implements IProcedureAnalyzer {
return List.of();
}
- return systemtherapieService.ecogSatus(patient);
+ if (personPoolBasedPermissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), patient, PermissionType.READ)) {
+ return systemtherapieService.ecogSatus(patient);
+ }
+
+ throw new IllegalSecuredObjectAccessException("Kein Zugriff auf diesen Patienten");
}
} \ No newline at end of file
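Review bot: The new permission check passes `SecurityContextHolder.getContext().getAuthentication()` straight into `hasPermission`, and that call returns null when no authentication is bound to the current thread. How `PersonPoolBasedPermissionEvaluator` treats a null authentication is not visible in this diff. An explicit guard would make that case a clean denial: `final var authentication = SecurityContextHolder.getContext().getAuthentication();` followed by `if (authentication != null && personPoolBasedPermissionEvaluator.hasPermission(authentication, patient, PermissionType.READ)) {`. The denial path also throws without logging, so a refused read of patient data leaves no record; a warn-level entry with the patient id via the class's SLF4J logger before the `throw` would give an audit trail. The enclosing method (presumably `getEcogStatus`, judging by the tests) starts outside this hunk.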
diff --git a/src/test/java/DNPM/DNPMHelperTest.java b/src/test/java/DNPM/DNPMHelperTest.java
index cd0b81d..17e8901 100644
--- a/src/test/java/DNPM/DNPMHelperTest.java
+++ b/src/test/java/DNPM/DNPMHelperTest.java
@@ -1,5 +1,8 @@
package DNPM;
+import DNPM.security.IllegalSecuredObjectAccessException;
+import DNPM.security.PermissionType;
+import DNPM.security.PersonPoolBasedPermissionEvaluator;
import DNPM.services.systemtherapie.SystemtherapieService;
import de.itc.onkostar.api.IOnkostarApi;
import de.itc.onkostar.api.Item;
@@ -22,6 +25,7 @@ import java.util.List;
import java.util.Map;
import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.mockito.Mockito.*;
@ExtendWith(MockitoExtension.class)
@@ -31,16 +35,20 @@ class DNPMHelperTest {
private SystemtherapieService systemtherapieService;
+ private PersonPoolBasedPermissionEvaluator personPoolBasedPermissionEvaluator;
+
private DNPMHelper dnpmHelper;
@BeforeEach
void setup(
@Mock IOnkostarApi onkostarApi,
- @Mock SystemtherapieService systemtherapieService
+ @Mock SystemtherapieService systemtherapieService,
+ @Mock PersonPoolBasedPermissionEvaluator personPoolBasedPermissionEvaluator
) {
this.onkostarApi = onkostarApi;
this.systemtherapieService = systemtherapieService;
- this.dnpmHelper = new DNPMHelper(onkostarApi, systemtherapieService);
+ this.personPoolBasedPermissionEvaluator = personPoolBasedPermissionEvaluator;
+ this.dnpmHelper = new DNPMHelper(onkostarApi, systemtherapieService, personPoolBasedPermissionEvaluator);
}
@Test
@@ -248,6 +256,9 @@ class DNPMHelperTest {
@Test
void testShouldReturnEcogStatusList() {
+ when(personPoolBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class)))
+ .thenReturn(true);
+
doAnswer(invocationOnMock -> {
var id = invocationOnMock.getArgument(0, Integer.class);
var patient = new Patient(onkostarApi);
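Review bot: The stub added at the top of `testShouldReturnEcogStatusList` uses `any()` for all three arguments, so the test still passes if the production code requests a different permission type than `READ`. The same stub appears in `testShouldNotReturnEcogStatusListIfNoPermissionGranted` in the next hunk. Pinning the permission type makes the tests guard the access-control contract: `when(personPoolBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), eq(PermissionType.READ)))`. The body of this test continues outside the hunk.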
@@ -263,6 +274,21 @@ class DNPMHelperTest {
assertThat(argumentCaptor.getValue().getId()).isEqualTo(42);
}
+ @Test
+ void testShouldNotReturnEcogStatusListIfNoPermissionGranted() {
+ when(personPoolBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class)))
+ .thenReturn(false);
+
+ doAnswer(invocationOnMock -> {
+ var id = invocationOnMock.getArgument(0, Integer.class);
+ var patient = new Patient(onkostarApi);
+ patient.setId(id);
+ return patient;
+ }).when(onkostarApi).getPatient(anyInt());
+
+ assertThrows(IllegalSecuredObjectAccessException.class, () -> dnpmHelper.getEcogStatus(Map.of("PatientId", 42)));
+ }
+
}
}
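Review bot: `testShouldNotReturnEcogStatusListIfNoPermissionGranted` asserts only that the exception is thrown and does not pin that no therapy data was fetched for the denied patient. Adding `verify(systemtherapieService, never()).ecogSatus(any());` after the `assertThrows` line would catch a later refactoring that moves the service call in front of the permission check. The `doAnswer` stub for `getPatient` is copied from `testShouldReturnEcogStatusList`; a small private helper in the test class would keep the two tests in sync.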