From c4c03bfc66d0773544722060d02dc587da93bfbc Mon Sep 17 00:00:00 2001 From: Paul-Christian Volkmer Date: Thu, 13 Apr 2023 21:18:42 +0200 Subject: [PATCH] Erlaube keinen Protokollauszug, wenn keine Berechtigung auf Zielformular MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Dies verhindert Zugriff auf den Protokollauszug beliebiger MTB-Formulare durch "Erraten" von IDs. Liegt keine Berechtigung für das Therapieplan-Formular (mit gegebener ID) vor, können auch keine referenzierten MTB-Formulare abgerufen und deren Inhalt für den Protokollauszug verwendet werden.
---
 .../DNPM/analyzer/TherapieplanAnalyzer.java | 30 +++++++++++++++----
 .../analyzer/TherapieplanAnalyzerTest.java | 20 ++++++++++++-
 2 files changed, 43 insertions(+), 7 deletions(-)
diff --git a/src/main/java/DNPM/analyzer/TherapieplanAnalyzer.java b/src/main/java/DNPM/analyzer/TherapieplanAnalyzer.java
index e645925..6ad18b0 100644
--- a/src/main/java/DNPM/analyzer/TherapieplanAnalyzer.java
+++ b/src/main/java/DNPM/analyzer/TherapieplanAnalyzer.java
@@ -1,5 +1,7 @@
 package DNPM.analyzer;
+import DNPM.security.DelegatingDataBasedPermissionEvaluator;
+import DNPM.security.PermissionType;
 import DNPM.services.Studie;
 import DNPM.services.StudienService;
 import DNPM.services.TherapieplanServiceFactory;
@@ -10,6 +12,7 @@ import de.itc.onkostar.api.analysis.AnalyseTriggerEvent;
 import de.itc.onkostar.api.analysis.AnalyzerRequirement;
 import de.itc.onkostar.api.analysis.IProcedureAnalyzer;
 import de.itc.onkostar.api.analysis.OnkostarPluginType;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Component;
 import java.util.List;
@@ -30,14 +33,18 @@ public class TherapieplanAnalyzer implements IProcedureAnalyzer {
 private final MtbService mtbService;
+ private final DelegatingDataBasedPermissionEvaluator permissionEvaluator;
+
 public TherapieplanAnalyzer(
 final StudienService studienService,
 final TherapieplanServiceFactory therapieplanServiceFactory,
- final MtbService mtbService
+ final MtbService mtbService,
+ final DelegatingDataBasedPermissionEvaluator permissionEvaluator
 ) {
 this.studienService = studienService;
 this.therapieplanServiceFactory = therapieplanServiceFactory;
 this.mtbService = mtbService;
+ this.permissionEvaluator = permissionEvaluator;
 }
 @Override
@@ -152,11 +159,22 @@ public class TherapieplanAnalyzer implements IProcedureAnalyzer {
 return "";
 }
- return mtbService.getProtocol(
- therapieplanServiceFactory
- .currentUsableInstance()
- .findReferencedMtbs(procedureId.get())
- );
+ if (
+ permissionEvaluator.hasPermission(
+ SecurityContextHolder.getContext().getAuthentication(),
+ procedureId.get(),
+ Procedure.class.getSimpleName(),
+ PermissionType.READ
+ )
+ ) {
+ return mtbService.getProtocol(
+ therapieplanServiceFactory
+ .currentUsableInstance()
+ .findReferencedMtbs(procedureId.get())
+ );
+ }
+ return "";
 }
 }
diff --git a/src/test/java/DNPM/analyzer/TherapieplanAnalyzerTest.java b/src/test/java/DNPM/analyzer/TherapieplanAnalyzerTest.java
index 2b10c5a..c2c17f1 100644
--- a/src/test/java/DNPM/analyzer/TherapieplanAnalyzerTest.java
+++ b/src/test/java/DNPM/analyzer/TherapieplanAnalyzerTest.java
@@ -1,5 +1,7 @@
 package DNPM.analyzer;
+import DNPM.security.DelegatingDataBasedPermissionEvaluator;
+import DNPM.security.PermissionType;
 import DNPM.services.*;
 import DNPM.services.mtb.MtbService;
 import de.itc.onkostar.api.IOnkostarApi;
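Review bot: The READ check added in the `@@ -152,11 +159,22 @@` hunk of TherapieplanAnalyzer.java covers only the Therapieplan procedure; the forms returned by `findReferencedMtbs(procedureId.get())` are passed to `mtbService.getProtocol(...)` without a check of their own. The commit message states this as the intent, but it holds only if a Therapieplan can never reference an MTB form outside the caller's permissions; if nothing else guarantees that, filter the referenced list with the same `permissionEvaluator.hasPermission(..., PermissionType.READ)` call per form before building the protocol. The denied path returns `""`, the same value as the missing-id path above it, and nothing is logged, so repeated denied requests leave no trace; a log line at the denial (procedure id and user name, no form content) would make them visible. `SecurityContextHolder.getContext().getAuthentication()` can be null outside an authenticated request, and the evaluator is not visible here, so confirm it denies rather than throws in that case. The enclosing method (getProtokollauszug, judging by the test) starts outside the hunk.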
@@ -40,11 +42,14 @@ class TherapieplanAnalyzerTest {
 @Mock
 private MtbService mtbService;
+ @Mock
+ private DelegatingDataBasedPermissionEvaluator permissionEvaluator;
+
 private TherapieplanAnalyzer therapieplanAnalyzer;
 @BeforeEach
 void setUp() {
- this.therapieplanAnalyzer = new TherapieplanAnalyzer(studienService, therapieplanServiceFactory, mtbService);
+ this.therapieplanAnalyzer = new TherapieplanAnalyzer(studienService, therapieplanServiceFactory, mtbService, permissionEvaluator);
 }
 @Test
@@ -94,6 +99,8 @@ class TherapieplanAnalyzerTest {
 when(this.therapieplanServiceFactory.currentUsableInstance())
 .thenReturn(therapieplanService);
+ when(this.permissionEvaluator.hasPermission(any(), anyInt(), anyString(), any(PermissionType.class))).thenReturn(true);
+
 var input = Map.of("id", (Object) 1234);
 this.therapieplanAnalyzer.getProtokollauszug(input);
@@ -102,4 +109,15 @@ class TherapieplanAnalyzerTest {
 assertThat(captor.getValue()).hasSize(1);
 }
+ @Test
+ void shouldNotRequestProtokollauszugDueToNoPermission() {
+ when(this.permissionEvaluator.hasPermission(any(), anyInt(), anyString(), any(PermissionType.class)))
+ .thenReturn(false);
+ var input = Map.of("id", (Object) 1234);
+ this.therapieplanAnalyzer.getProtokollauszug(input);
+ verify(mtbService, times(0)).getProtocol(anyList());
+ }
+
 }
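Review bot: Both permission stubs, the one added to the existing test in `@@ -94,6 +99,8 @@` and the one in the new test in `@@ -102,4 +109,15 @@`, match `any(), anyInt(), anyString(), any(PermissionType.class)`, so neither test pins what the analyzer actually asks the evaluator. A later change that passed a different id, another type name or a weaker permission than READ would still pass. I would add `verify(permissionEvaluator).hasPermission(any(), eq(1234), eq("Procedure"), eq(PermissionType.READ));` with Mockito's `eq` imported alongside the other matchers. The denial test should also assert the returned value, e.g. `assertThat(this.therapieplanAnalyzer.getProtokollauszug(input)).isEmpty();`, and verify that `therapieplanServiceFactory` is never consulted, because the lookup of referenced forms should not run for a denied caller.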