diff --git a/scm-core/src/main/java/sonia/scm/util/SecurityUtil.java b/scm-core/src/main/java/sonia/scm/util/SecurityUtil.java
index 247ba698d2..1bf585ddf9 100644
--- a/scm-core/src/main/java/sonia/scm/util/SecurityUtil.java
+++ b/scm-core/src/main/java/sonia/scm/util/SecurityUtil.java
@@ -142,6 +142,36 @@ public class SecurityUtil
     return user;
   }
 
+  /**
+   * Method description
+   *
+   *
+   * @param contextProvider
+   *
+   * @return
+   */
+  public static boolean isAdmin(
+    Provider contextProvider)
+  {
+    return isAdmin(contextProvider.get());
+  }
+
+  /**
+   * Method description
+   *
+   *
+   * @param contextProvider
+   *
+   * @return
+   */
+  public static boolean isAdmin(SecurityContext contextProvider)
+  {
+    AssertUtil.assertIsNotNull(contextProvider);
+
+    return (contextProvider.getUser() != null)
+           && contextProvider.getUser().isAdmin();
+  }
+
   /**
    * Method description
    *
diff --git a/scm-webapp/src/main/java/sonia/scm/api/rest/resources/GroupResource.java b/scm-webapp/src/main/java/sonia/scm/api/rest/resources/GroupResource.java
index 13c3e49b1d..0ea3d02151 100644
--- a/scm-webapp/src/main/java/sonia/scm/api/rest/resources/GroupResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/rest/resources/GroupResource.java
@@ -36,11 +36,14 @@ package sonia.scm.api.rest.resources;
 //~--- non-JDK imports --------------------------------------------------------
 
 import com.google.inject.Inject;
+import com.google.inject.Provider;
 import com.google.inject.Singleton;
 
 import sonia.scm.group.Group;
 import sonia.scm.group.GroupException;
 import sonia.scm.group.GroupManager;
+import sonia.scm.util.SecurityUtil;
+import sonia.scm.web.security.WebSecurityContext;
 
 //~--- JDK imports ------------------------------------------------------------
 
@@ -48,6 +51,8 @@ import java.util.Collection;
 
 import javax.ws.rs.Path;
 import javax.ws.rs.core.GenericEntity;
+import javax.ws.rs.core.Request;
+import javax.ws.rs.core.Response;
 
 /**
  *
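Review bot: Both new `isAdmin` overloads ship with placeholder Javadoc ("Method description", empty `@param`/`@return`), which matters here because callers gate access on the result; the contract should be stated, e.g. `@return true only if a user is bound to the context and that user carries the admin flag; false for a context without a user`, plus a `@throws` line for the assertion raised by `AssertUtil.assertIsNotNull` on a null context. The second overload takes a `SecurityContext`, so naming its parameter `contextProvider` is misleading; `context` would match the type. Its body also calls `contextProvider.getUser()` twice, once for the null check and once for `isAdmin()`; reading it into a local and testing that local keeps both checks on the same object and avoids a second lookup. The generic argument on the `Provider` parameter looks like it was dropped when this diff was rendered, so I am not commenting on the raw type.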
@@ -68,12 +73,44 @@ public class GroupResource
    * Constructs ...
    *
    *
+   *
+   * @param securityContextProvider
    * @param groupManager
    */
   @Inject
-  public GroupResource(GroupManager groupManager)
+  public GroupResource(Provider securityContextProvider,
+    GroupManager groupManager)
   {
     super(groupManager);
+    this.securityContextProvider = securityContextProvider;
+  }
+
+  //~--- get methods ----------------------------------------------------------
+
+  /**
+   * Method description
+   *
+   *
+   * @param request
+   * @param id
+   *
+   * @return
+   */
+  @Override
+  public Response get(Request request, String id)
+  {
+    Response response = null;
+
+    if (SecurityUtil.isAdmin(securityContextProvider))
+    {
+      response = super.get(request, id);
+    }
+    else
+    {
+      response = Response.status(Response.Status.FORBIDDEN).build();
+    }
+
+    return response;
   }
 
   //~--- methods --------------------------------------------------------------
@@ -121,4 +158,9 @@ public class GroupResource
   {
     return PATH_PART;
   }
+
+  //~--- fields ---------------------------------------------------------------
+
+  /** Field description */
+  private Provider securityContextProvider;
 }
diff --git a/scm-webapp/src/main/java/sonia/scm/api/rest/resources/UserResource.java b/scm-webapp/src/main/java/sonia/scm/api/rest/resources/UserResource.java
index e7d842613e..00051f21e5 100644
--- a/scm-webapp/src/main/java/sonia/scm/api/rest/resources/UserResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/rest/resources/UserResource.java
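Review bot: The new `get` override gates only this one read operation on `SecurityUtil.isAdmin`; whatever other operations the resource inherits through `super(groupManager)` are not touched by this diff, so whether they are admin-gated cannot be seen here and should be confirmed, otherwise the guard covers a single entry point while sibling operations on the same data stay open. The else branch answers every non-admin with 403, including a caller for whom the context holds no user; if unauthenticated requests can reach this method, 401 is the status that tells the client to authenticate, while 403 is meant for an authenticated user lacking the right. Stylistically the `Response response = null;` local assigned in both branches can be two returns: `if (!SecurityUtil.isAdmin(securityContextProvider)) { return Response.status(Response.Status.FORBIDDEN).build(); } return super.get(request, id);`. The placeholder Javadoc on `get` should say that non-administrators receive 403 and that administrators get the superclass behaviour.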
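Review bot: `private Provider securityContextProvider;` is assigned exactly once, in the constructor added by the hunk at new line 73, so it can be declared `private final Provider securityContextProvider;`, which makes the injected dependency immutable and documents that it does not change over the resource's lifetime. The `/** Field description */` placeholder should say what the provider supplies, e.g. `/** Supplies the security context of the current request; consulted by {@link #get} before group data is returned. */`.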
@@ -106,9 +106,18 @@ public class UserResource extends AbstractManagerResource
   @Override
   public Response get(Request request, String id)
   {
-    SecurityUtil.assertIsAdmin(securityContextProvider);
+    Response response = null;
 
-    return super.get(request, id);
+    if (SecurityUtil.isAdmin(securityContextProvider))
+    {
+      response = super.get(request, id);
+    }
+    else
+    {
+      response = Response.status(Response.Status.FORBIDDEN).build();
+    }
+
+    return response;
   }
 
   //~--- methods --------------------------------------------------------------
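Review bot: This `get` body is now identical to the one added to `GroupResource.get` in the same commit (the `isAdmin` check, the 403 branch, the `response` local), so the admin gate exists in two copies that have to be kept in sync; moving it into the shared base (`AbstractManagerResource`, named in the hunk header) or a small helper that returns the forbidden response would give every resource method the same check. The replaced `SecurityUtil.assertIsAdmin` call failed closed for everything that followed it, whereas with the new form each additional method a resource adds must remember to repeat the `isAdmin` branch, which is exactly the omission a centralized check prevents. As in GroupResource, a caller with no user in the context receives 403 rather than 401, which is only correct if authentication is enforced earlier in the filter chain; this diff does not show that.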