pcvolkmer/onkostar-plugin-dnpm
1
0
Fork 0
mirror of https://github.com/pcvolkmer/onkostar-plugin-dnpm.git synced 2025-07-03 01:32:55 +00:00
Code Issues Activity

Erlaube keinen Protokollauszug, wenn keine Berechtigung auf Zielformular

Browse Source 
Dies verhindert Zugriff auf den Protokollauszug beliebiger MTB-Formulare durch
"Erraten" von IDs.

Liegt keine Berechtigung für das Therapieplan-Formular (mit gegebener ID) vor,
können auch keine referenzierten MTB-Formulare abgerufen und deren Inhalt für
den Protokollauszug verwendet werden.
This commit is contained in:
Paul-Christian Volkmer
2023-04-13 21:18:42 +02:00
parent 612da8e5b8
commit c4c03bfc66
2 changed files with 43 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
src/main/java/DNPM/analyzer/TherapieplanAnalyzer.java
View File

@ -1,5 +1,7 @@
package DNPM.analyzer; package DNPM.analyzer;
import DNPM.security.DelegatingDataBasedPermissionEvaluator;
import DNPM.security.PermissionType;
import DNPM.services.Studie; import DNPM.services.Studie;
import DNPM.services.StudienService; import DNPM.services.StudienService;
import DNPM.services.TherapieplanServiceFactory; import DNPM.services.TherapieplanServiceFactory;
@ -10,6 +12,7 @@ import de.itc.onkostar.api.analysis.AnalyseTriggerEvent;
import de.itc.onkostar.api.analysis.AnalyzerRequirement; import de.itc.onkostar.api.analysis.AnalyzerRequirement;
import de.itc.onkostar.api.analysis.IProcedureAnalyzer; import de.itc.onkostar.api.analysis.IProcedureAnalyzer;
import de.itc.onkostar.api.analysis.OnkostarPluginType; import de.itc.onkostar.api.analysis.OnkostarPluginType;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
import java.util.List; import java.util.List;
@ -30,14 +33,18 @@ public class TherapieplanAnalyzer implements IProcedureAnalyzer {
private final MtbService mtbService; private final MtbService mtbService;
private final DelegatingDataBasedPermissionEvaluator permissionEvaluator;
public TherapieplanAnalyzer( public TherapieplanAnalyzer(
final StudienService studienService, final StudienService studienService,
final TherapieplanServiceFactory therapieplanServiceFactory, final TherapieplanServiceFactory therapieplanServiceFactory,
final MtbService mtbService final MtbService mtbService,
final DelegatingDataBasedPermissionEvaluator permissionEvaluator
) { ) {
this.studienService = studienService; this.studienService = studienService;
this.therapieplanServiceFactory = therapieplanServiceFactory; this.therapieplanServiceFactory = therapieplanServiceFactory;
this.mtbService = mtbService; this.mtbService = mtbService;
this.permissionEvaluator = permissionEvaluator;
} }
@Override @Override
@ -152,11 +159,22 @@ public class TherapieplanAnalyzer implements IProcedureAnalyzer {
return ""; return "";
} }
return mtbService.getProtocol( if (
therapieplanServiceFactory permissionEvaluator.hasPermission(
.currentUsableInstance() SecurityContextHolder.getContext().getAuthentication(),
.findReferencedMtbs(procedureId.get()) procedureId.get(),
); Procedure.class.getSimpleName(),
PermissionType.READ
)
) {
return mtbService.getProtocol(
therapieplanServiceFactory
.currentUsableInstance()
.findReferencedMtbs(procedureId.get())
);
}
return "";
} }
} }

20
src/test/java/DNPM/analyzer/TherapieplanAnalyzerTest.java
View File

@ -1,5 +1,7 @@
package DNPM.analyzer; package DNPM.analyzer;
import DNPM.security.DelegatingDataBasedPermissionEvaluator;
import DNPM.security.PermissionType;
import DNPM.services.*; import DNPM.services.*;
import DNPM.services.mtb.MtbService; import DNPM.services.mtb.MtbService;
import de.itc.onkostar.api.IOnkostarApi; import de.itc.onkostar.api.IOnkostarApi;
@ -40,11 +42,14 @@ class TherapieplanAnalyzerTest {
@Mock @Mock
private MtbService mtbService; private MtbService mtbService;
@Mock
private DelegatingDataBasedPermissionEvaluator permissionEvaluator;
private TherapieplanAnalyzer therapieplanAnalyzer; private TherapieplanAnalyzer therapieplanAnalyzer;
@BeforeEach @BeforeEach
void setUp() { void setUp() {
this.therapieplanAnalyzer = new TherapieplanAnalyzer(studienService, therapieplanServiceFactory, mtbService); this.therapieplanAnalyzer = new TherapieplanAnalyzer(studienService, therapieplanServiceFactory, mtbService, permissionEvaluator);
} }
@Test @Test
@ -94,6 +99,8 @@ class TherapieplanAnalyzerTest {
when(this.therapieplanServiceFactory.currentUsableInstance()) when(this.therapieplanServiceFactory.currentUsableInstance())
.thenReturn(therapieplanService); .thenReturn(therapieplanService);
when(this.permissionEvaluator.hasPermission(any(), anyInt(), anyString(), any(PermissionType.class))).thenReturn(true);
var input = Map.of("id", (Object) 1234); var input = Map.of("id", (Object) 1234);
this.therapieplanAnalyzer.getProtokollauszug(input); this.therapieplanAnalyzer.getProtokollauszug(input);
@ -102,4 +109,15 @@ class TherapieplanAnalyzerTest {
assertThat(captor.getValue()).hasSize(1); assertThat(captor.getValue()).hasSize(1);
} }
@Test
void shouldNotRequestProtokollauszugDueToNoPermission() {
when(this.permissionEvaluator.hasPermission(any(), anyInt(), anyString(), any(PermissionType.class)))
.thenReturn(false);
var input = Map.of("id", (Object) 1234);
this.therapieplanAnalyzer.getProtokollauszug(input);
verify(mtbService, times(0)).getProtocol(anyList());
}
} }