Merge pull request #427 from Onlineberatung/fix-room-info-for-anonymo…

…us-askers Fix: room info for anonymous askers
Onlineberatung · Jun 28, 2022 · a77c7a8 · a77c7a8
2 parents 8cc967c + 12950c3
commit a77c7a8
Show file tree

Hide file tree

Showing 3 changed files with 96 additions and 6 deletions.
diff --git a/src/main/java/de/caritas/cob/userservice/api/config/auth/SecurityConfig.java b/src/main/java/de/caritas/cob/userservice/api/config/auth/SecurityConfig.java
@@ -111,9 +111,9 @@ protected void configure(HttpSecurity http) throws Exception {
             "/users/sessions/{sessionId:[0-9]+}/data")
         .hasAuthority(USER_DEFAULT)
         .regexMatchers(HttpMethod.GET, "/users/sessions/room\\?rcGroupIds=[\\dA-Za-z-,]+")
-        .hasAnyAuthority(USER_DEFAULT, CONSULTANT_DEFAULT)
+        .hasAnyAuthority(ANONYMOUS_DEFAULT, USER_DEFAULT, CONSULTANT_DEFAULT)
         .antMatchers(HttpMethod.GET, "/users/sessions/room/{sessionId:[0-9]+}")
-        .hasAnyAuthority(USER_DEFAULT, CONSULTANT_DEFAULT)
+        .hasAnyAuthority(ANONYMOUS_DEFAULT, USER_DEFAULT, CONSULTANT_DEFAULT)
         .antMatchers(HttpMethod.GET, "/users/chat/room/{chatId:[0-9]+}")
         .hasAnyAuthority(USER_DEFAULT, CONSULTANT_DEFAULT)
         .antMatchers("/users/sessions/open", "/users/sessions/consultants/new",

diff --git a/src/main/java/de/caritas/cob/userservice/api/service/session/SessionService.java b/src/main/java/de/caritas/cob/userservice/api/service/session/SessionService.java
@@ -348,9 +348,9 @@ public void deleteSession(Session session) {
    */
   public List<UserSessionResponseDTO> getSessionsByUserAndGroupOrFeedbackGroupIds(String userId,
       Set<String> rcGroupIds, Set<String> roles) {
-    checkForUserOrConsultantRole(roles);
+    checkForAskerRoles(roles);
     var sessions = sessionRepository.findByGroupOrFeedbackGroupIds(rcGroupIds);
-    sessions.forEach(session -> checkIfUserAndNotOwnerOfSession(session, userId, roles));
+    sessions.forEach(session -> checkAskerPermissionForSession(session, userId, roles));
     List<AgencyDTO> agencies = fetchAgencies(sessions);
     return convertToUserSessionResponseDTO(sessions, agencies);
   }
@@ -365,10 +365,10 @@ public List<UserSessionResponseDTO> getSessionsByUserAndGroupOrFeedbackGroupIds(
    */
   public List<UserSessionResponseDTO> getSessionsByUserAndSessionIds(String userId,
       Set<Long> sessionIds, Set<String> roles) {
-    checkForUserOrConsultantRole(roles);
+    checkForAskerRoles(roles);
     var sessions = StreamSupport.stream(sessionRepository.findAllById(sessionIds).spliterator(),
         false).collect(Collectors.toList());
-    sessions.forEach(session -> checkIfUserAndNotOwnerOfSession(session, userId, roles));
+    sessions.forEach(session -> checkAskerPermissionForSession(session, userId, roles));
     List<AgencyDTO> agencies = fetchAgencies(sessions);
     return convertToUserSessionResponseDTO(sessions, agencies);
   }
@@ -450,6 +450,25 @@ private void checkForUserOrConsultantRole(Set<String> roles) {
     }
   }
 
+  private void checkForAskerRoles(Set<String> roles) {
+    if (!roles.contains(UserRole.USER.getValue()) && !roles.contains(UserRole.ANONYMOUS.getValue())
+        && !roles.contains(UserRole.CONSULTANT.getValue())) {
+      throw new ForbiddenException("No user or consultant role to retrieve sessions",
+          LogService::logForbidden);
+    }
+  }
+
+  private void checkAskerPermissionForSession(Session session, String userId, Set<String> roles) {
+    if ((roles.contains(UserRole.USER.getValue())
+        || session.getRegistrationType() == RegistrationType.ANONYMOUS && roles.contains(
+        UserRole.ANONYMOUS.getValue())) && session.getUser().getUserId().equals(userId)) {
+      return;
+    }
+    throw new ForbiddenException(
+        String.format("Asker %s not allowed to access session with ID %s", userId, session.getId()),
+        LogService::logForbidden);
+  }
+
   private void checkIfUserAndNotOwnerOfSession(Session session, String userId, Set<String> roles) {
     if (roles.contains(UserRole.USER.getValue()) && !session.getUser().getUserId().equals(userId)) {
       throw new ForbiddenException(

diff --git a/src/test/java/de/caritas/cob/userservice/api/service/session/SessionServiceTest.java b/src/test/java/de/caritas/cob/userservice/api/service/session/SessionServiceTest.java
@@ -666,6 +666,77 @@ void getSessionsByConsultantAndGroupOrFeedbackGroupIds_should_find_new_anonymous
     assertEquals(1, sessionResponse.size());
   }
 
+  @Test
+  void getSessionsByIds_should_find_new_anonymous_enquiry_if_consultant_may_advise_consulting_type() {
+    Session anonymousEnquiry = createAnonymousNewEnquiryWithConsultingType(
+        AGENCY_DTO_SUCHT.getConsultingType());
+    when(sessionRepository.findAllById(singleton(anonymousEnquiry.getId()))).thenReturn(
+        singletonList(anonymousEnquiry));
+    when(agencyService.getAgencies(singletonList(4711L))).thenReturn(AGENCY_DTO_LIST);
+    ConsultantAgency agency = new ConsultantAgency();
+    agency.setAgencyId(4711L);
+    var consultant = createConsultantWithAgencies(agency);
+
+    var sessionResponse = sessionService.getSessionsByIds(
+        consultant, singleton(anonymousEnquiry.getId()), singleton(UserRole.CONSULTANT.getValue()));
+
+    assertEquals(1, sessionResponse.size());
+  }
+
+  @Test
+  void getSessionsByUserAndGroupOrFeedbackGroupIds_should_find_session_for_anonymous_user_of_session() {
+    Session anonymousEnquiry = createAnonymousNewEnquiryWithConsultingType(
+        AGENCY_DTO_SUCHT.getConsultingType());
+    anonymousEnquiry.setUser(USER);
+    when(sessionRepository.findByGroupOrFeedbackGroupIds(singleton("rcGroupId"))).thenReturn(
+        singletonList(anonymousEnquiry));
+
+    var sessionResponse = sessionService.getSessionsByUserAndGroupOrFeedbackGroupIds(
+        USER_ID, singleton("rcGroupId"), singleton(UserRole.ANONYMOUS.getValue()));
+
+    assertEquals(1, sessionResponse.size());
+  }
+
+  @Test
+  void getSessionsByUserAndGroupOrFeedbackGroupIds_should_fail_if_user_is_not_owner_of_session() {
+    Session anonymousEnquiry = createAnonymousNewEnquiryWithConsultingType(
+        AGENCY_DTO_SUCHT.getConsultingType());
+    anonymousEnquiry.setUser(USER);
+    when(sessionRepository.findByGroupOrFeedbackGroupIds(singleton("rcGroupId"))).thenReturn(
+        singletonList(anonymousEnquiry));
+
+    assertThrows(ForbiddenException.class,
+        () -> sessionService.getSessionsByUserAndGroupOrFeedbackGroupIds(
+            "someOtherId", singleton("rcGroupId"), singleton(UserRole.ANONYMOUS.getValue())));
+  }
+
+  @Test
+  void getSessionsByUserAndSessionIds_should_find_session_for_anonymous_user_of_session() {
+    Session anonymousEnquiry = createAnonymousNewEnquiryWithConsultingType(
+        AGENCY_DTO_SUCHT.getConsultingType());
+    anonymousEnquiry.setUser(USER);
+    when(sessionRepository.findAllById(singleton(anonymousEnquiry.getId()))).thenReturn(
+        singletonList(anonymousEnquiry));
+
+    var sessionResponse = sessionService.getSessionsByUserAndSessionIds(USER_ID,
+        singleton(anonymousEnquiry.getId()), singleton(UserRole.ANONYMOUS.getValue()));
+
+    assertEquals(1, sessionResponse.size());
+  }
+
+  @Test
+  void getSessionsByUserAndSessionIds_should_fail_if_user_is_not_owner_of_session() {
+    Session anonymousEnquiry = createAnonymousNewEnquiryWithConsultingType(
+        AGENCY_DTO_SUCHT.getConsultingType());
+    anonymousEnquiry.setUser(USER);
+    when(sessionRepository.findAllById(singleton(anonymousEnquiry.getId()))).thenReturn(
+        singletonList(anonymousEnquiry));
+
+    assertThrows(ForbiddenException.class,
+        () -> sessionService.getSessionsByUserAndSessionIds("someUserId",
+            singleton(anonymousEnquiry.getId()), singleton(UserRole.ANONYMOUS.getValue())));
+  }
+
   private Session createAnonymousNewEnquiryWithConsultingType(int consultingTypeId) {
     var session = easyRandom.nextObject(Session.class);
     session.setAgencyId(null);