mirror of
https://github.com/pcvolkmer/onkostar-plugin-dnpm.git
synced 2025-07-02 01:02:55 +00:00
Erlaube keinen Protokollauszug, wenn keine Berechtigung auf Zielformular
Dies verhindert Zugriff auf den Protokollauszug beliebiger MTB-Formulare durch "Erraten" von IDs. Liegt keine Berechtigung für das Therapieplan-Formular (mit gegebener ID) vor, können auch keine referenzierten MTB-Formulare abgerufen und deren Inhalt für den Protokollauszug verwendet werden.
This commit is contained in:
@ -1,5 +1,7 @@
|
||||
package DNPM.analyzer;
|
||||
|
||||
import DNPM.security.DelegatingDataBasedPermissionEvaluator;
|
||||
import DNPM.security.PermissionType;
|
||||
import DNPM.services.Studie;
|
||||
import DNPM.services.StudienService;
|
||||
import DNPM.services.TherapieplanServiceFactory;
|
||||
@ -10,6 +12,7 @@ import de.itc.onkostar.api.analysis.AnalyseTriggerEvent;
|
||||
import de.itc.onkostar.api.analysis.AnalyzerRequirement;
|
||||
import de.itc.onkostar.api.analysis.IProcedureAnalyzer;
|
||||
import de.itc.onkostar.api.analysis.OnkostarPluginType;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.stereotype.Component;
|
||||
|
||||
import java.util.List;
|
||||
@ -30,14 +33,18 @@ public class TherapieplanAnalyzer implements IProcedureAnalyzer {
|
||||
|
||||
private final MtbService mtbService;
|
||||
|
||||
private final DelegatingDataBasedPermissionEvaluator permissionEvaluator;
|
||||
|
||||
public TherapieplanAnalyzer(
|
||||
final StudienService studienService,
|
||||
final TherapieplanServiceFactory therapieplanServiceFactory,
|
||||
final MtbService mtbService
|
||||
final MtbService mtbService,
|
||||
final DelegatingDataBasedPermissionEvaluator permissionEvaluator
|
||||
) {
|
||||
this.studienService = studienService;
|
||||
this.therapieplanServiceFactory = therapieplanServiceFactory;
|
||||
this.mtbService = mtbService;
|
||||
this.permissionEvaluator = permissionEvaluator;
|
||||
}
|
||||
|
||||
@Override
|
||||
@ -152,11 +159,22 @@ public class TherapieplanAnalyzer implements IProcedureAnalyzer {
|
||||
return "";
|
||||
}
|
||||
|
||||
return mtbService.getProtocol(
|
||||
therapieplanServiceFactory
|
||||
.currentUsableInstance()
|
||||
.findReferencedMtbs(procedureId.get())
|
||||
);
|
||||
if (
|
||||
permissionEvaluator.hasPermission(
|
||||
SecurityContextHolder.getContext().getAuthentication(),
|
||||
procedureId.get(),
|
||||
Procedure.class.getSimpleName(),
|
||||
PermissionType.READ
|
||||
)
|
||||
) {
|
||||
return mtbService.getProtocol(
|
||||
therapieplanServiceFactory
|
||||
.currentUsableInstance()
|
||||
.findReferencedMtbs(procedureId.get())
|
||||
);
|
||||
}
|
||||
|
||||
return "";
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@ -1,5 +1,7 @@
|
||||
package DNPM.analyzer;
|
||||
|
||||
import DNPM.security.DelegatingDataBasedPermissionEvaluator;
|
||||
import DNPM.security.PermissionType;
|
||||
import DNPM.services.*;
|
||||
import DNPM.services.mtb.MtbService;
|
||||
import de.itc.onkostar.api.IOnkostarApi;
|
||||
@ -40,11 +42,14 @@ class TherapieplanAnalyzerTest {
|
||||
@Mock
|
||||
private MtbService mtbService;
|
||||
|
||||
@Mock
|
||||
private DelegatingDataBasedPermissionEvaluator permissionEvaluator;
|
||||
|
||||
private TherapieplanAnalyzer therapieplanAnalyzer;
|
||||
|
||||
@BeforeEach
|
||||
void setUp() {
|
||||
this.therapieplanAnalyzer = new TherapieplanAnalyzer(studienService, therapieplanServiceFactory, mtbService);
|
||||
this.therapieplanAnalyzer = new TherapieplanAnalyzer(studienService, therapieplanServiceFactory, mtbService, permissionEvaluator);
|
||||
}
|
||||
|
||||
@Test
|
||||
@ -94,6 +99,8 @@ class TherapieplanAnalyzerTest {
|
||||
when(this.therapieplanServiceFactory.currentUsableInstance())
|
||||
.thenReturn(therapieplanService);
|
||||
|
||||
when(this.permissionEvaluator.hasPermission(any(), anyInt(), anyString(), any(PermissionType.class))).thenReturn(true);
|
||||
|
||||
var input = Map.of("id", (Object) 1234);
|
||||
this.therapieplanAnalyzer.getProtokollauszug(input);
|
||||
|
||||
@ -102,4 +109,15 @@ class TherapieplanAnalyzerTest {
|
||||
assertThat(captor.getValue()).hasSize(1);
|
||||
}
|
||||
|
||||
@Test
|
||||
void shouldNotRequestProtokollauszugDueToNoPermission() {
|
||||
when(this.permissionEvaluator.hasPermission(any(), anyInt(), anyString(), any(PermissionType.class)))
|
||||
.thenReturn(false);
|
||||
|
||||
var input = Map.of("id", (Object) 1234);
|
||||
this.therapieplanAnalyzer.getProtokollauszug(input);
|
||||
|
||||
verify(mtbService, times(0)).getProtocol(anyList());
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user