test: baby steps 😢

dhis2 · Jan 14, 2025 · 0100cb9 · 0100cb9
1 parent c045e2f
commit 0100cb9
Showing 1 changed file with 18 additions and 2 deletions.
diff --git a/...src/main/java/org/hisp/dhis/tracker/export/trackedentity/DefaultTrackedEntityService.java b/...src/main/java/org/hisp/dhis/tracker/export/trackedentity/DefaultTrackedEntityService.java
@@ -56,13 +56,15 @@
 import org.hisp.dhis.program.ProgramService;
 import org.hisp.dhis.relationship.Relationship;
 import org.hisp.dhis.relationship.RelationshipItem;
+import org.hisp.dhis.security.acl.AclService;
 import org.hisp.dhis.trackedentity.TrackedEntity;
 import org.hisp.dhis.trackedentity.TrackedEntityAttribute;
 import org.hisp.dhis.trackedentity.TrackedEntityAttributeService;
 import org.hisp.dhis.trackedentity.TrackedEntityAudit;
 import org.hisp.dhis.trackedentity.TrackedEntityProgramOwner;
 import org.hisp.dhis.trackedentity.TrackedEntityType;
 import org.hisp.dhis.trackedentity.TrackedEntityTypeService;
+import org.hisp.dhis.trackedentity.TrackedEntityTypeStore;
 import org.hisp.dhis.trackedentityattributevalue.TrackedEntityAttributeValue;
 import org.hisp.dhis.tracker.acl.TrackerAccessManager;
 import org.hisp.dhis.tracker.audit.TrackedEntityAuditService;
@@ -88,7 +90,9 @@ class DefaultTrackedEntityService implements TrackedEntityService {
 
   private final TrackedEntityAttributeService trackedEntityAttributeService;
 
+  private final TrackedEntityTypeStore trackedEntityTypeStore;
   private final TrackedEntityTypeService trackedEntityTypeService;
+  private final AclService aclService;
 
   private final TrackedEntityAuditService trackedEntityAuditService;
 
@@ -331,9 +335,12 @@ private Set<TrackedEntityAttributeValue> getTrackedEntityAttributeValues(
     TrackedEntityType trackedEntityType = trackedEntity.getTrackedEntityType();
     if (CollectionUtils.isEmpty(trackedEntityType.getTrackedEntityTypeAttributes())) {
       // the TrackedEntityAggregate does not fetch the TrackedEntityTypeAttributes at the moment
+      // TODO(DHIS2-18541) bypass ACL as our controller tess as the user must have access to the TET
+      // if it has access to the TE.
       trackedEntityType =
-          trackedEntityTypeService.getTrackedEntityType(
-              trackedEntity.getTrackedEntityType().getUid());
+          //          trackedEntityTypeService.getTrackedEntityType(
+          //              trackedEntity.getTrackedEntityType().getUid());
+          trackedEntityTypeStore.getByUidNoAcl(trackedEntity.getTrackedEntityType().getUid());
     }
 
     Set<String> teas = // tracked entity type attributes
@@ -494,6 +501,15 @@ private RelationshipItem getRelationshipItem(
       boolean includeDeleted)
       throws NotFoundException {
     Relationship rel = item.getRelationship();
+
+    // We cannot use trackerAccessManager.canRead(getCurrentUserDetails(), rel).isEmpty() as at
+    // least the TE items are not hibernate proxies as they come from the aggregate store. At least
+    // check relationship type access.
+    if (!aclService.canDataRead(getCurrentUserDetails(), rel.getRelationshipType())
+        || (!includeDeleted && rel.isDeleted())) {
+      return null;
+    }
+
     RelationshipItem from = getRelationshipItem(trackedEntity, rel.getFrom(), includeDeleted);
     RelationshipItem to = getRelationshipItem(trackedEntity, rel.getTo(), includeDeleted);
     if (from == null || to == null) {