[NAE-2407] Improve Permission Validation in GetData

[renczesstefan]

Description

Implements NAE-2407

Dependencies

No new dependencies were introduced

Third party dependencies

• No new dependencies were introduced

Blocking Pull requests

There are no dependencies on other PR

How Has Been This Tested?

This was tested manually and with unit tests.

Test Configuration

Name	Tested on
OS	macOS Tahoe 26.3
Runtime	Java 21
Dependency Manager	Maven 3.9.9n
Framework version	Spring Boot 3.4.4
Run parameters
Other configuration

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• My changes have been checked, personally or remotely, with @machacjozef
• I have commented my code, particularly in hard-to-understand areas
• I have resolved all conflicts with the target branch of the PR
• I have updated and synced my code with the target branch
• I have added tests that prove my fix is effective or that my feature works
• New and existing tests pass locally with my changes:
  • Lint test
  • Unit tests
  • Integration tests
• I have checked my contribution with code analysis tools:
  • SonarCloud
  • Snyk
• I have made corresponding changes to the documentation:
  • Developer documentation
  • User Guides
  • Migration Guides

Summary by CodeRabbit

• New Features

  • Added authorization checks for task data retrieval endpoints, enforcing access control based on role-level and user-list permissions.

• Bug Fixes

  • Implemented permission validation for public and authenticated task data requests to ensure users can only access authorized task information.

[coderabbitai]

Warning

Rate limit exceeded

@renczesstefan has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 30 minutes and 52 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 30 minutes and 52 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4c590b91-1fae-4a93-a603-590f8b85ac5d

📥 Commits

Reviewing files that changed from the base of the PR and between 2849623 and 81ba942.

📒 Files selected for processing (2)

• src/test/groovy/com/netgrif/application/engine/auth/TaskAuthorizationServiceTest.groovy
• src/test/resources/task_authorization_service_test_with_userRefs.xml

Walkthrough

Added authorization checking to task data retrieval endpoints by introducing canCallGetData method in TaskAuthorizationService and applying @PreAuthorize guards to getData methods in TaskController and PublicTaskController, with corresponding method signature and HATEOAS link generation updates.

Changes

Cohort / File(s)	Summary
Authorization Service src/main/java/com/netgrif/application/engine/workflow/service/interfaces/ITaskAuthorizationService.java, src/main/java/com/netgrif/application/engine/workflow/service/TaskAuthorizationService.java	Added canCallGetData(LoggedUser loggedUser, String taskId) method that evaluates access based on role-level and user-list permissions from RolePermission.VIEW, granting access to admins or when appropriate permission combinations are met.
Controller Authorization Guards src/main/java/com/netgrif/application/engine/workflow/web/TaskController.java, src/main/java/com/netgrif/application/engine/workflow/web/PublicTaskController.java	Applied @PreAuthorize annotation with canCallGetData authorization checks to getData endpoints; TaskController now accepts additional Authentication parameter; removed @Override annotation from PublicTaskController.
HATEOAS Link Generation src/main/java/com/netgrif/application/engine/workflow/web/responsebodies/DataGroupsResource.java, src/main/java/com/netgrif/application/engine/workflow/web/responsebodies/LocalisedTaskResource.java	Updated self-link and data-link construction to accommodate new method signatures by passing additional parameters (taskId and null values) when invoking TaskController.getData.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• netgrif/application-engine#420: Both PRs modify TaskAuthorizationService permission-evaluation logic; this PR adds a new authorization method while the related PR refactors how underlying permission checks are centralized and evaluated.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding permission validation to the GetData method across the task authorization service and controllers.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@src/main/java/com/netgrif/application/engine/workflow/web/PublicTaskController.java`:
- Around line 114-118: The `@PreAuthorize` on getData currently passes the runtime
Authentication principal (`#auth.getPrincipal`()) to
taskAuthorizationService.canCallGetData; change it to use the anonymous user
helper consistent with other public endpoints by invoking
userService.getAnonymousLogged() as the principal argument (i.e., call
taskAuthorizationService.canCallGetData(`@userService.getAnonymousLogged`(),
`#taskId`) in the `@PreAuthorize` expression on the getData method).

In
`@src/main/java/com/netgrif/application/engine/workflow/web/responsebodies/DataGroupsResource.java`:
- Around line 25-26: The self link call in DataGroupsResource currently invokes
TaskController.getData with an empty taskId (getData("", null, null)) which
produces an invalid URI; update that invocation to pass the actual taskId from
the surrounding context (for example the method parameter or the represented
object's id) into methodOn(TaskController.class).getData(taskId, null, null) so
the generated self link correctly points to the task resource, and if no taskId
is available in scope then remove/skip creating the self link instead of using
an empty string.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 33698010-1ca7-4fae-b7d4-cd69ec46dcd4

📥 Commits

Reviewing files that changed from the base of the PR and between c4f79bd and 72dcae8.

📒 Files selected for processing (7)

• src/main/java/com/netgrif/application/engine/workflow/service/TaskAuthorizationService.java
• src/main/java/com/netgrif/application/engine/workflow/service/interfaces/ITaskAuthorizationService.java
• src/main/java/com/netgrif/application/engine/workflow/web/AbstractTaskController.java
• src/main/java/com/netgrif/application/engine/workflow/web/PublicTaskController.java
• src/main/java/com/netgrif/application/engine/workflow/web/TaskController.java
• src/main/java/com/netgrif/application/engine/workflow/web/responsebodies/DataGroupsResource.java
• src/main/java/com/netgrif/application/engine/workflow/web/responsebodies/LocalisedTaskResource.java

[coderabbitai]

♻️ Duplicate comments (1)

src/main/java/com/netgrif/application/engine/workflow/web/responsebodies/DataGroupsResource.java (1)

21-26: ⚠️ Potential issue | 🟠 Major

Guard self-link creation when taskId is missing.

taskId can be null (Line 25), but buildLinks always emits the self link (Line 31). This can produce an invalid getData URI when no parent task is present in content.

Suggested fix

     private void buildLinks(String taskId) {
+        if (taskId == null || taskId.isBlank()) {
+            return;
+        }
         add(WebMvcLinkBuilder.linkTo(WebMvcLinkBuilder.methodOn(TaskController.class)
                 .getData(taskId, null, null)).withSelfRel());
     }

Also applies to: 29-31

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@src/main/java/com/netgrif/application/engine/workflow/web/responsebodies/DataGroupsResource.java`
around lines 21 - 26, The code calls buildLinks(taskId) even when taskId is null
which causes an invalid self-link/getData URI; update DataGroupsResource so that
either buildLinks only emits the self link when the passed taskId is
non-null/non-blank or call buildLinks conditionally (e.g., if (taskId != null &&
!taskId.isBlank()) buildLinks(taskId)); ensure the check is applied for both
call sites shown and that buildLinks and any self-link construction use the
validated taskId.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In
`@src/main/java/com/netgrif/application/engine/workflow/web/responsebodies/DataGroupsResource.java`:
- Around line 21-26: The code calls buildLinks(taskId) even when taskId is null
which causes an invalid self-link/getData URI; update DataGroupsResource so that
either buildLinks only emits the self link when the passed taskId is
non-null/non-blank or call buildLinks conditionally (e.g., if (taskId != null &&
!taskId.isBlank()) buildLinks(taskId)); ensure the check is applied for both
call sites shown and that buildLinks and any self-link construction use the
validated taskId.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a0906935-2e82-4bbc-87fe-0f6b228d0eda

📥 Commits

Reviewing files that changed from the base of the PR and between 72dcae8 and 2849623.

📒 Files selected for processing (3)

• src/main/java/com/netgrif/application/engine/workflow/web/PublicTaskController.java
• src/main/java/com/netgrif/application/engine/workflow/web/TaskController.java
• src/main/java/com/netgrif/application/engine/workflow/web/responsebodies/DataGroupsResource.java