From 9d03a52ea0e17af184ba8b709286257ea0f576f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Pfeuffer?= <rene.pfeuffer@cloudogu.com>
Date: Mon, 25 Jun 2018 12:45:16 +0200
Subject: [PATCH] Fix documentation and permission check

---
 .../scm/api/v2/resources/GroupResource.java   | 22 +++++++++----------
 .../scm/api/v2/resources/UserResource.java    |  4 ++--
 2 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/GroupResource.java b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/GroupResource.java
index 4834af8869..f2ab67586e 100644
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/GroupResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/GroupResource.java
@@ -1,11 +1,12 @@
 package sonia.scm.api.v2.resources;
 
-import org.apache.shiro.SecurityUtils;
+import com.webcohesion.enunciate.metadata.rs.ResponseCode;
+import com.webcohesion.enunciate.metadata.rs.StatusCodes;
+import com.webcohesion.enunciate.metadata.rs.TypeHint;
 import sonia.scm.api.rest.resources.AbstractManagerResource;
 import sonia.scm.group.Group;
 import sonia.scm.group.GroupException;
 import sonia.scm.group.GroupManager;
-import sonia.scm.security.Role;
 import sonia.scm.web.VndMediaType;
 
 import javax.inject.Inject;
@@ -35,20 +36,17 @@ public class GroupResource extends AbstractManagerResource<Group, GroupException
 
   @Path("")
   @GET
+  @TypeHint(GroupDto.class)
+  @StatusCodes({
+    @ResponseCode(code = 200, condition = "success"),
+    @ResponseCode(code = 403, condition = "forbidden, the current user has no privileges to read the group"),
+    @ResponseCode(code = 404, condition = "not found, no group with the specified id/name available"),
+    @ResponseCode(code = 500, condition = "internal server error")
+  })
   public Response get(@Context Request request, @Context UriInfo uriInfo, @PathParam("id") String id) {
-    if (SecurityUtils.getSubject().hasRole(Role.ADMIN))
-    {
       Group group = manager.get(id);
-      if (group == null) {
-        return Response.status(Response.Status.NOT_FOUND).build();
-      }
       GroupDto groupDto = groupToGroupDtoMapper.map(group);
       return Response.ok(groupDto).build();
-    }
-    else
-    {
-      return Response.status(Response.Status.FORBIDDEN).build();
-    }
   }
 
   @Path("")
diff --git a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserResource.java b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserResource.java
index ed0b8cdc77..230353d6a6 100644
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserResource.java
@@ -41,8 +41,8 @@ public class UserResource extends AbstractManagerResource<User, UserException> {
   @TypeHint(UserDto.class)
   @StatusCodes({
     @ResponseCode(code = 200, condition = "success"),
-    @ResponseCode(code = 403, condition = "forbidden, the current user has no admin privileges"),
-    @ResponseCode(code = 404, condition = "not found, no group with the specified id/name available"),
+    @ResponseCode(code = 403, condition = "forbidden, the current user has no privileges to read the user"),
+    @ResponseCode(code = 404, condition = "not found, no user with the specified id/name available"),
     @ResponseCode(code = 500, condition = "internal server error")
   })
   public Response get(@Context Request request, @Context UriInfo uriInfo, @PathParam("id") String id) {