diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ReadonlyEntityController.java b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ReadonlyEntityController.java
index 338c7063..7456d5e6 100644
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ReadonlyEntityController.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ReadonlyEntityController.java
@@ -13,9 +13,16 @@ import java.util.List;
 import javax.servlet.http.HttpServletRequest;
 import javax.validation.Valid;
-import org.mybatis.dynamic.sql.SqlTable;
+import org.springframework.http.MediaType;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.util.MultiValueMap;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import ch.ethz.seb.sebserver.gbl.api.API;
 import ch.ethz.seb.sebserver.gbl.api.POSTMapper;
 import ch.ethz.seb.sebserver.gbl.api.authorization.PrivilegeType;
 import ch.ethz.seb.sebserver.gbl.model.Entity;
@@ -24,6 +31,7 @@ import ch.ethz.seb.sebserver.gbl.util.Result;
 import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.PermissionDeniedException;
+import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkActionService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.dao.EntityDAO;
 import ch.ethz.seb.sebserver.webservice.servicelayer.dao.UserActivityLogDAO;
@@ -51,43 +59,62 @@ public abstract class ReadonlyEntityController allRequestParams, final Long institutionId,
+    @RequestMapping(
+            method = RequestMethod.POST,
+            consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE,
+            produces = MediaType.APPLICATION_JSON_VALUE)
+    public T create(
+            @RequestParam final MultiValueMap allRequestParams,
+            @RequestParam(
+                    name = API.PARAM_INSTITUTION_ID,
+                    required = true,
+                    defaultValue = UserService.USERS_INSTITUTION_AS_DEFAULT) final Long institutionId,
             final HttpServletRequest request) {
-        throw new UnsupportedOperationException(ONLY_READ_ACCESS);
+
+        throw new AccessDeniedException(ONLY_READ_ACCESS);
     }
 
     @Override
+    @RequestMapping(
+            path = API.MODEL_ID_VAR_PATH_SEGMENT,
+            method = RequestMethod.DELETE,
+            produces = MediaType.APPLICATION_JSON_VALUE)
     public EntityProcessingReport hardDelete(
-            final String modelId,
-            final boolean addIncludes,
-            final List includes) {
-        throw new UnsupportedOperationException(ONLY_READ_ACCESS);
+            @PathVariable final String modelId,
+            @RequestParam(name = API.PARAM_BULK_ACTION_ADD_INCLUDES, defaultValue = "false") final boolean addIncludes,
+            @RequestParam(name = API.PARAM_BULK_ACTION_INCLUDES, required = false) final List includes) {
+        throw new AccessDeniedException(ONLY_READ_ACCESS);
     }
 
     @Override
+    @RequestMapping(
+            method = RequestMethod.DELETE,
+            consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE,
+            produces = MediaType.APPLICATION_JSON_VALUE)
     public EntityProcessingReport hardDeleteAll(
-            final List ids,
-            final boolean addIncludes,
-            final List includes,
-            final Long institutionId) {
+            @RequestParam(name = API.PARAM_MODEL_ID_LIST) final List ids,
+            @RequestParam(name = API.PARAM_BULK_ACTION_ADD_INCLUDES, defaultValue = "false") final boolean addIncludes,
+            @RequestParam(name = API.PARAM_BULK_ACTION_INCLUDES, required = false) final List includes,
+            @RequestParam(
+                    name = API.PARAM_INSTITUTION_ID,
+                    required = true,
+                    defaultValue = UserService.USERS_INSTITUTION_AS_DEFAULT) final Long institutionId) {
-        throw new UnsupportedOperationException(ONLY_READ_ACCESS);
-    }
-
-    @Override
-    protected SqlTable getSQLTableOfEntity() {
-        // TODO Auto-generated method stub
-        return null;
+        throw new AccessDeniedException(ONLY_READ_ACCESS);
     }
 
     @Override
     protected M createNew(final POSTMapper postParams) {
-        throw new UnsupportedOperationException(ONLY_READ_ACCESS);
+        throw new AccessDeniedException(ONLY_READ_ACCESS);
     }
 
     @Override
diff --git a/src/test/java/ch/ethz/seb/sebserver/webservice/integration/api/admin/UserActivityLogAPITest.java b/src/test/java/ch/ethz/seb/sebserver/webservice/integration/api/admin/UserActivityLogAPITest.java
index ebda56b6..418ebfe0 100644
--- a/src/test/java/ch/ethz/seb/sebserver/webservice/integration/api/admin/UserActivityLogAPITest.java
+++ b/src/test/java/ch/ethz/seb/sebserver/webservice/integration/api/admin/UserActivityLogAPITest.java
@@ -9,7 +9,7 @@ package ch.ethz.seb.sebserver.webservice.integration.api.admin;
 import static org.junit.Assert.*;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 import org.joda.time.DateTime;
@@ -17,6 +17,8 @@ import org.junit.Test;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.MediaType;
 import org.springframework.test.context.jdbc.Sql;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
 import com.fasterxml.jackson.core.type.TypeReference;
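Review bot: The read-only guarantee is enforced one override at a time, so any write endpoint that EntityController exposes and this class does not override stays writable; the PUT that the accompanying test expects to return 403 is not among the overrides visible in this hunk, so presumably it is handled elsewhere in the class — worth confirming, and worth pinning in a class-level comment such as `// Every mutating endpoint of EntityController must be overridden here to throw AccessDeniedException; a new write endpoint on the base class without an override here silently makes this controller writable.` Two smaller points: `required = true` together with `defaultValue = UserService.USERS_INSTITUTION_AS_DEFAULT` on the institutionId parameters is contradictory, since Spring treats a parameter that has a default as optional, so `required = true` can be dropped. And because `@RequestParam` binding runs before the method body, a request to `hardDeleteAll` that omits `API.PARAM_MODEL_ID_LIST` is refused with 400 rather than the 403 the other verbs produce — still fail-closed, but the status is not uniform. The `create` signature begins before the readable part of this hunk and the class continues past it.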
@@ -307,4 +309,39 @@ public class UserActivityLogAPITest extends AdministrationAPIIntegrationTester {
         assertTrue(logs.content.isEmpty());
     }
 
+    @Test
+    public void testReadonly() throws Exception {
+        final String token = getSebAdminAccess();
+        this.mockMvc
+                .perform(put(this.endpoint + API.USER_ACTIVITY_LOG_ENDPOINT)
+                        .header("Authorization", "Bearer " + token)
+                        .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
+                        .content("{" + + " \"id\" : 3," + + " \"userUuid\" : \"userUUID\"," + + " \"username\" : \"username\"," + + " \"timestamp\" : 123," + + " \"activityType\" : \"EXPORT\"," + + " \"entityType\" : \"USER\"," + + " \"entityId\" : \"5\"," + + " \"message\" : \"message\"" + + "}"))
+                .andExpect(status().isForbidden());
+        final MultiValueMap multiValueMap = new LinkedMultiValueMap<>();
+        multiValueMap.add("institutionId", "1");
+        this.mockMvc
+                .perform(post(this.endpoint + API.USER_ACTIVITY_LOG_ENDPOINT)
+                        .header("Authorization", "Bearer " + token)
+                        .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+                        .params(multiValueMap))
+                .andExpect(status().isForbidden());
+        this.mockMvc
+                .perform(delete(this.endpoint + API.USER_ACTIVITY_LOG_ENDPOINT + "/12")
+                        .header("Authorization", "Bearer " + token))
+                .andExpect(status().isForbidden());
+
+    }
+
 }
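Review bot: The third request exercises only `hardDelete` (the `/12` path variant); the form-encoded collection endpoint `hardDeleteAll`, which the controller change also overrides, is never sent, so a regression that re-enables bulk deletion would pass this test unnoticed. I would add a fourth request after the last `andExpect` that sends a DELETE to the collection path with `API.PARAM_MODEL_ID_LIST` as a form parameter and expects 403 as well. Supply that parameter explicitly, because Spring binds `@RequestParam` before the controller body runs and omitting it would yield 400 rather than the 403 this test is meant to pin. The note also applies to every token the test uses: only the SEB admin is tried, which is the right principal to prove the deny is role-independent, so a comment saying so — `// even the most privileged role must be refused: the endpoint is read-only by construction` — would make the intent explicit.

```java
                .andExpect(status().isForbidden());

        // bulk delete (hardDeleteAll) must be refused as well
        this.mockMvc
                .perform(delete(this.endpoint + API.USER_ACTIVITY_LOG_ENDPOINT)
                        .header("Authorization", "Bearer " + token)
                        .contentType(MediaType.APPLICATION_FORM_URLENCODED)
                        .param(API.PARAM_MODEL_ID_LIST, "12"))
                .andExpect(status().isForbidden());
```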