From 329be65d1a8e3daa1939087a359fd403d699c6ef Mon Sep 17 00:00:00 2001
From: Paul-Christian Volkmer <volkmer_p@ukw.de>
Date: Mon, 5 Feb 2024 07:18:31 +0100
Subject: [PATCH] feat: forbid access to report if not logged in

---
 .../dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt  | 2 ++
 src/main/resources/templates/index.html                        | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt b/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt
index 750ccbc..6017aab 100644
--- a/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt
+++ b/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt
@@ -82,6 +82,7 @@ class AppSecurityConfiguration(
             authorizeRequests {
                 authorize("/configs/**", hasRole("ADMIN"))
                 authorize("/mtbfile/**", hasAnyRole("MTBFILE"))
+                authorize("/report/**", fullyAuthenticated)
                 authorize(anyRequest, permitAll)
             }
             httpBasic {
@@ -105,6 +106,7 @@ class AppSecurityConfiguration(
             authorizeRequests {
                 authorize("/configs/**", hasRole("ADMIN"))
                 authorize("/mtbfile/**", hasAnyRole("MTBFILE"))
+                authorize("/report/**", hasRole("ADMIN"))
                 authorize(anyRequest, permitAll)
             }
             httpBasic {
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index c8b0ea5..3951f66 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -53,7 +53,8 @@
                         <td th:style="${request.type.value == 'delete'} ? 'color: red;'"><small>[[ ${request.type} ]]</small></td>
                         <td th:if="not ${request.report}">[[ ${request.uuid} ]]</td>
                         <td th:if="${request.report}">
-                            <a th:href="@{/report/{id}(id=${request.uuid})}">[[ ${request.uuid} ]]</a>
+                            <th:block sec:authorize="not authenticated">[[ ${request.uuid} ]]</th:block>
+                            <a th:href="@{/report/{id}(id=${request.uuid})}" sec:authorize="authenticated">[[ ${request.uuid} ]]</a>
                         </td>
                         <td><time th:datetime="${request.processedAt}">[[ ${request.processedAt} ]]</time></td>
                         <td class="patient-id" th:if="${patientId != null}" sec:authorize="authenticated">