[NAE-2407] Improve Permission Validation in GetData

src/main/java/com/netgrif/application/engine/workflow/service/TaskAuthorizationService.java

@@ -141,6 +141,13 @@ public boolean canCallSaveData(LoggedUser loggedUser, String taskId) {
         return loggedUser.getSelfOrImpersonated().isAdmin() || isAssignee(loggedUser, taskId);
     }
 
+    @Override
+    public boolean canCallGetData(LoggedUser loggedUser, String taskId) {
+        Boolean rolePerm = userHasAtLeastOneRolePermission(loggedUser, taskId, RolePermission.VIEW);
+        Boolean userPerm = userHasUserListPermission(loggedUser, taskId, RolePermission.VIEW);
+        return loggedUser.getSelfOrImpersonated().isAdmin() || (userPerm == null ? (rolePerm != null && rolePerm) : userPerm);
+    }
+
     @Override
     public boolean canCallSaveFile(LoggedUser loggedUser, String taskId) {
         return loggedUser.getSelfOrImpersonated().isAdmin() || isAssignee(loggedUser, taskId);

src/main/java/com/netgrif/application/engine/workflow/service/interfaces/ITaskAuthorizationService.java

@@ -31,6 +31,8 @@ public interface ITaskAuthorizationService {
 
     boolean canCallSaveData(LoggedUser loggedUser, String taskId);
 
+    boolean canCallGetData(LoggedUser loggedUser, String taskId);
+
     boolean canCallSaveFile(LoggedUser loggedUser, String taskId);
 
 }

src/main/java/com/netgrif/application/engine/workflow/web/PublicTaskController.java

@@ -110,7 +110,7 @@ public EntityModel<EventOutcomeWithMessage> cancel(@PathVariable("id") String ta
         return super.cancel(loggedUser, taskId, locale);
     }
 
-    @Override
+    @PreAuthorize("@taskAuthorizationService.canCallGetData(@userService.getAnonymousLogged(), #taskId)")
     @GetMapping(value = "/{id}/data", produces = MediaTypes.HAL_JSON_VALUE)
     @Operation(summary = "Get all task data")
     public EntityModel<EventOutcomeWithMessage> getData(@PathVariable("id") String taskId, Locale locale) {

src/main/java/com/netgrif/application/engine/workflow/web/TaskController.java

@@ -176,10 +176,10 @@ public CountResponse count(@RequestBody SingleElasticTaskSearchRequestAsList que
         return super.count(query, operation, auth, locale);
     }
 
-    @Override
+    @PreAuthorize("@taskAuthorizationService.canCallGetData(#auth.getPrincipal(), #taskId)")
     @Operation(summary = "Get all task data", security = {@SecurityRequirement(name = "BasicAuth")})
     @GetMapping(value = "/{id}/data", produces = MediaTypes.HAL_JSON_VALUE)
-    public EntityModel<EventOutcomeWithMessage> getData(@PathVariable("id") String taskId, Locale locale) {
+    public EntityModel<EventOutcomeWithMessage> getData(@PathVariable("id") String taskId, Authentication auth, Locale locale) {
         return super.getData(taskId, locale);
     }
 

src/main/java/com/netgrif/application/engine/workflow/web/responsebodies/DataGroupsResource.java

@@ -18,11 +18,16 @@ public DataGroupsResource(Collection<com.netgrif.application.engine.petrinet.dom
                     return dataGroup;
                 })
                 .collect(Collectors.toList()));
-        buildLinks();
+        String taskId = content.stream()
+                .map(com.netgrif.application.engine.petrinet.domain.DataGroup::getParentTaskId)
+                .filter(id -> id != null && !id.isBlank())
+                .findFirst()
+                .orElse(null);
+        buildLinks(taskId);
     }
 
-    private void buildLinks() {
+    private void buildLinks(String taskId) {
         add(WebMvcLinkBuilder.linkTo(WebMvcLinkBuilder.methodOn(TaskController.class)
-                .getData("", null)).withSelfRel());
+                .getData(taskId, null, null)).withSelfRel());
     }
 }

src/main/java/com/netgrif/application/engine/workflow/web/responsebodies/LocalisedTaskResource.java

@@ -34,7 +34,7 @@ private void buildLinks() {
         add(WebMvcLinkBuilder.linkTo(WebMvcLinkBuilder.methodOn(TaskController.class)
                 .cancel((Authentication) null, task.getStringId(), null)).withRel("cancel"));
         add(WebMvcLinkBuilder.linkTo(WebMvcLinkBuilder.methodOn(TaskController.class)
-                .getData(task.getStringId(), null)).withRel("data"));
+                .getData(task.getStringId(), null, null)).withRel("data"));
         add(WebMvcLinkBuilder.linkTo(WebMvcLinkBuilder.methodOn(TaskController.class)
                 .setData(task.getStringId(), null, null)).withRel("data-edit"));
         try {

src/test/groovy/com/netgrif/application/engine/auth/TaskAuthorizationServiceTest.groovy

@@ -479,4 +479,53 @@ class TaskAuthorizationServiceTest {
         workflowService.deleteCase(case_.stringId)
     }
 
+    @Test
+    void testCanGetDataWithPosViewRole() {
+        ProcessRole positiveRole = this.netWithUserRefs.getRoles().values().find(v -> v.getImportId() == "view_pos_role")
+        userService.addRole(testUser, positiveRole.getStringId())
+        Case case_ = workflowService.createCase(netWithUserRefs.getStringId(), "Test get data", "", testUser.transformToLoggedUser()).getCase()
+        assert taskAuthorizationService.canCallGetData(testUser.transformToLoggedUser(), (new ArrayList<>(case_.getTasks())).get(0).task)
+        userService.removeRole(testUser, positiveRole.getStringId())
+        workflowService.deleteCase(case_.stringId)
+    }
+
+    @Test
+    void testCannotGetDataWithNegViewRole() {
+        ProcessRole negativeRole = this.netWithUserRefs.getRoles().values().find(v -> v.getImportId() == "view_neg_role")
+        userService.addRole(testUser, negativeRole.getStringId())
+        Case case_ = workflowService.createCase(netWithUserRefs.getStringId(), "Test get data", "", testUser.transformToLoggedUser()).getCase()
+        assert !taskAuthorizationService.canCallGetData(testUser.transformToLoggedUser(), (new ArrayList<>(case_.getTasks())).get(0).task)
+        userService.removeRole(testUser, negativeRole.getStringId())
+        workflowService.deleteCase(case_.stringId)
+    }
+
+    @Test
+    void testCanGetDataWithPosViewUserRef() {
+        Case case_ = workflowService.createCase(netWithUserRefs.getStringId(), "Test get data", "", testUser.transformToLoggedUser()).getCase()
+        String taskId = (new ArrayList<>(case_.getTasks())).get(0).task
+        dataService.setData(taskId, ImportHelper.populateDataset([
+                "view_pos_ul": [
+                        "value": [testUser.stringId],
+                        "type": "userList"
+                ]
+        ] as Map)).getCase()
+
+        assert taskAuthorizationService.canCallGetData(testUser.transformToLoggedUser(), taskId)
+        workflowService.deleteCase(case_.stringId)
+    }
+
+    @Test
+    void testCannotGetDataWithNegViewUserRef() {
+        Case case_ = workflowService.createCase(netWithUserRefs.getStringId(), "Test get data", "", testUser.transformToLoggedUser()).getCase()
+        String taskId = (new ArrayList<>(case_.getTasks())).get(0).task
+        dataService.setData(taskId, ImportHelper.populateDataset([
+                "view_neg_ul": [
+                        "value": [testUser.stringId],
+                        "type": "userList"
+                ]
+        ] as Map)).getCase()
+
+        assert !taskAuthorizationService.canCallGetData(testUser.transformToLoggedUser(), taskId)
+        workflowService.deleteCase(case_.stringId)
+    }
 }

src/test/resources/task_authorization_service_test_with_userRefs.xml

@@ -4,6 +4,10 @@
     <id>wst_usersRef</id>
     <initials>WSU</initials>
     <title>WorkflowAuthorizationService test</title>
+    <role>
+        <id>view_pos_role</id>
+        <name>view pos role</name>
+    </role>
     <role>
         <id>assign_pos_role</id>
         <name>assign pos role</name>
@@ -12,6 +16,10 @@
         <id>finish_pos_role</id>
         <name>finish pos role</name>
     </role>
+    <role>
+        <id>view_neg_role</id>
+        <name>view neg role</name>
+    </role>
     <role>
         <id>assign_neg_role</id>
         <name>assign neg role</name>
@@ -20,6 +28,10 @@
         <id>finish_neg_role</id>
         <name>finish neg role</name>
     </role>
+    <data type="userList">
+        <id>view_pos_ul</id>
+        <title/>
+    </data>
     <data type="userList">
         <id>assign_pos_ul</id>
         <title/>
@@ -40,6 +52,10 @@
         <id>cancel_pos_ul</id>
         <title/>
     </data>
+    <data type="userList">
+        <id>view_neg_ul</id>
+        <title/>
+    </data>
     <data type="userList">
         <id>cancel_neg_ul</id>
         <title/>
@@ -66,6 +82,18 @@
         <x>1</x>
         <y>1</y>
         <label>Transition</label>
+        <roleRef>
+            <id>view_pos_role</id>
+            <logic>
+                <view>true</view>
+            </logic>
+        </roleRef>
+        <roleRef>
+            <id>view_neg_role</id>
+            <logic>
+                <view>false</view>
+            </logic>
+        </roleRef>
         <roleRef>
             <id>assign_pos_role</id>
             <logic>
@@ -90,6 +118,18 @@
                 <finish>false</finish>
             </logic>
         </roleRef>
+        <userRef>
+            <id>view_pos_ul</id>
+            <logic>
+                <view>true</view>
+            </logic>
+        </userRef>
+        <userRef>
+            <id>view_neg_ul</id>
+            <logic>
+                <view>false</view>
+            </logic>
+        </userRef>
         <userRef>
             <id>assign_pos_ul</id>
             <logic>