From c8adb0b51ef97e1b37c01600868bf82d8a23477a Mon Sep 17 00:00:00 2001
From: Othello Maurer
Date: Tue, 6 Feb 2024 16:20:50 +0100
Subject: [PATCH] Add permission check for displaying content pack uninstall details (#18177)
---
 changelog/unreleased/pr-18177.toml | 4 +++
 .../contentpacks/ContentPackResource.java | 33 +++++++++----------
 2 files changed, 20 insertions(+), 17 deletions(-)
 create mode 100644 changelog/unreleased/pr-18177.toml
diff --git a/changelog/unreleased/pr-18177.toml b/changelog/unreleased/pr-18177.toml
new file mode 100644
index 000000000000..24b41a6e57e0
--- /dev/null
+++ b/changelog/unreleased/pr-18177.toml
@@ -0,0 +1,4 @@
+type = "fixed"
+message = "Add permission check for displaying content pack uninstall details."
+
+pulls = ["18177"]
diff --git a/graylog2-server/src/main/java/org/graylog2/rest/resources/system/contentpacks/ContentPackResource.java b/graylog2-server/src/main/java/org/graylog2/rest/resources/system/contentpacks/ContentPackResource.java
index 000b9cabd762..1dde712fe0cb 100644
--- a/graylog2-server/src/main/java/org/graylog2/rest/resources/system/contentpacks/ContentPackResource.java
+++ b/graylog2-server/src/main/java/org/graylog2/rest/resources/system/contentpacks/ContentPackResource.java
@@ -24,6 +24,20 @@
 import io.swagger.annotations.ApiParam;
 import io.swagger.annotations.ApiResponse;
 import io.swagger.annotations.ApiResponses;
+import jakarta.inject.Inject;
+import jakarta.validation.Valid;
+import jakarta.validation.constraints.NotNull;
+import jakarta.ws.rs.BadRequestException;
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.DELETE;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.NotFoundException;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.PathParam;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
 import org.apache.shiro.authz.annotation.RequiresAuthentication;
 import org.bson.types.ObjectId;
 import org.graylog2.audit.AuditEventTypes;
@@ -51,23 +65,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import jakarta.inject.Inject;
-
-import jakarta.validation.Valid;
-import jakarta.validation.constraints.NotNull;
-
-import jakarta.ws.rs.BadRequestException;
-import jakarta.ws.rs.Consumes;
-import jakarta.ws.rs.DELETE;
-import jakarta.ws.rs.GET;
-import jakarta.ws.rs.NotFoundException;
-import jakarta.ws.rs.POST;
-import jakarta.ws.rs.Path;
-import jakarta.ws.rs.PathParam;
-import jakarta.ws.rs.Produces;
-import jakarta.ws.rs.core.MediaType;
-import jakarta.ws.rs.core.Response;
-
 import java.net.URI;
 import java.util.Map;
 import java.util.Set;
@@ -334,6 +331,8 @@ public ContentPackUninstallDetails uninstallDetails(
 @PathParam("contentPackId") ModelId id,
 @ApiParam(name = "installationId", value = "Installation ID", required = true)
 @PathParam("installationId") String installationId) {
+ checkPermission(RestPermissions.CONTENT_PACK_READ, id.toString());
+
 final ContentPackInstallation installation = contentPackInstallationPersistenceService.findById(new ObjectId(installationId))
 .orElseThrow(() -> new NotFoundException("Couldn't find installation " + installationId));
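Review bot: The added `checkPermission(RestPermissions.CONTENT_PACK_READ, id.toString())` in `uninstallDetails` authorizes against the `contentPackId` path parameter, but the installation is then loaded by `installationId` alone, and nothing visible in this hunk ties the two identifiers together. Unless a later line enforces it (the method body continues outside the hunk), the permission check may not cover the content pack whose uninstall details are actually returned. I would bind them right after the lookup, assuming the installation exposes its content pack id, with something like `if (!installation.contentPackId().equals(id)) { throw new NotFoundException("Couldn't find installation " + installationId); }`. A short comment above the check, such as `// Authorize on the pack id, then verify the installation belongs to that pack`, would record the intent, and a resource test with a mismatched pack/installation pair would keep the binding from regressing.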