From c16aeed96dac6ccbc70a92569a60f93b6d609781 Mon Sep 17 00:00:00 2001
From: Rene Pfeuffer
Date: Wed, 3 Jul 2019 16:23:27 +0200
Subject: [PATCH] Check permissions to read permissions
---
 .../sonia/scm/api/v2/resources/GroupPermissionResource.java | 2 ++
 .../java/sonia/scm/api/v2/resources/UserPermissionResource.java | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/GroupPermissionResource.java b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/GroupPermissionResource.java
index 11934abcb0..dfce12e778 100644
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/GroupPermissionResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/GroupPermissionResource.java
@@ -5,6 +5,7 @@ import com.webcohesion.enunciate.metadata.rs.StatusCodes;
 import com.webcohesion.enunciate.metadata.rs.TypeHint;
 import sonia.scm.security.PermissionAssigner;
 import sonia.scm.security.PermissionDescriptor;
+import sonia.scm.security.PermissionPermissions;
 import sonia.scm.web.VndMediaType;
 import javax.inject.Inject;
@@ -47,6 +48,7 @@ public class GroupPermissionResource {
 @ResponseCode(code = 500, condition = "internal server error")
 })
 public Response getPermissions(@PathParam("id") String id) {
+ PermissionPermissions.read().check();
 Collection permissions = permissionAssigner.readPermissionsForGroup(id);
 return Response.ok(permissionCollectionToDtoMapper.mapForGroup(permissions, id)).build();
 }
diff --git a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserPermissionResource.java b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserPermissionResource.java
index a961dfaa0e..fd54da503d 100644
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserPermissionResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserPermissionResource.java
@@ -5,6 +5,7 @@ import com.webcohesion.enunciate.metadata.rs.StatusCodes;
 import com.webcohesion.enunciate.metadata.rs.TypeHint;
 import sonia.scm.security.PermissionAssigner;
 import sonia.scm.security.PermissionDescriptor;
+import sonia.scm.security.PermissionPermissions;
 import sonia.scm.web.VndMediaType;
 import javax.inject.Inject;
@@ -48,6 +49,7 @@ public class UserPermissionResource {
 @ResponseCode(code = 500, condition = "internal server error")
 })
 public Response getPermissions(@PathParam("id") String id) {
+ PermissionPermissions.read().check();
 Collection permissions = permissionAssigner.readPermissionsForUser(id);
 return Response.ok(permissionCollectionToDtoMapper.mapForUser(permissions, id)).build();
 }
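Review bot: In `getPermissions` of UserPermissionResource (and identically in GroupPermissionResource earlier in this patch) the `PermissionPermissions.read().check();` guard lives only in the REST resource, so any other caller of `permissionAssigner.readPermissionsForUser` / `readPermissionsForGroup` still gets the permission list without it, unless the assigner enforces the same permission itself, which this patch does not show. Consider enforcing the read permission inside those assigner methods as well, so the authorization decision sits next to the data access. The diffstat lists only the two resource files, so nothing in this commit tests the denied case; a resource test asserting that a subject without the read permission is rejected would pin the fix. The annotation block above each method begins outside the hunk; if a failed check is mapped to 403 and the list has no such entry, add one such as `@ResponseCode(code = 403, condition = "not authorized")` next to the 500 entry.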