diff --git a/dhis-2/dhis-services/dhis-service-tracker/src/main/java/org/hisp/dhis/tracker/export/trackedentity/DefaultTrackedEntityService.java b/dhis-2/dhis-services/dhis-service-tracker/src/main/java/org/hisp/dhis/tracker/export/trackedentity/DefaultTrackedEntityService.java
index 877345fc116..8484e8147f7 100644
--- a/dhis-2/dhis-services/dhis-service-tracker/src/main/java/org/hisp/dhis/tracker/export/trackedentity/DefaultTrackedEntityService.java
+++ b/dhis-2/dhis-services/dhis-service-tracker/src/main/java/org/hisp/dhis/tracker/export/trackedentity/DefaultTrackedEntityService.java
@@ -56,6 +56,7 @@ import org.hisp.dhis.program.ProgramService;
 import org.hisp.dhis.relationship.Relationship;
 import org.hisp.dhis.relationship.RelationshipItem;
+import org.hisp.dhis.security.acl.AclService;
 import org.hisp.dhis.trackedentity.TrackedEntity;
 import org.hisp.dhis.trackedentity.TrackedEntityAttribute;
 import org.hisp.dhis.trackedentity.TrackedEntityAttributeService;
@@ -63,6 +64,7 @@ import org.hisp.dhis.trackedentity.TrackedEntityProgramOwner;
 import org.hisp.dhis.trackedentity.TrackedEntityType;
 import org.hisp.dhis.trackedentity.TrackedEntityTypeService;
+import org.hisp.dhis.trackedentity.TrackedEntityTypeStore;
 import org.hisp.dhis.trackedentityattributevalue.TrackedEntityAttributeValue;
 import org.hisp.dhis.tracker.acl.TrackerAccessManager;
 import org.hisp.dhis.tracker.audit.TrackedEntityAuditService;
@@ -88,7 +90,9 @@ class DefaultTrackedEntityService implements TrackedEntityService {
   private final TrackedEntityAttributeService trackedEntityAttributeService;
+  private final TrackedEntityTypeStore trackedEntityTypeStore;
   private final TrackedEntityTypeService trackedEntityTypeService;
+  private final AclService aclService;
   private final TrackedEntityAuditService trackedEntityAuditService;
@@ -331,9 +335,12 @@ private Set getTrackedEntityAttributeValues(
     TrackedEntityType trackedEntityType = trackedEntity.getTrackedEntityType();
     if (CollectionUtils.isEmpty(trackedEntityType.getTrackedEntityTypeAttributes())) {
       // the TrackedEntityAggregate does not fetch the TrackedEntityTypeAttributes at the moment
+      // TODO(DHIS2-18541) bypass ACL as our controller tess as the user must have access to the TET
+      // if it has access to the TE.
       trackedEntityType =
-          trackedEntityTypeService.getTrackedEntityType(
-              trackedEntity.getTrackedEntityType().getUid());
+          // trackedEntityTypeService.getTrackedEntityType(
+          //     trackedEntity.getTrackedEntityType().getUid());
+          trackedEntityTypeStore.getByUidNoAcl(trackedEntity.getTrackedEntityType().getUid());
     }
     Set teas = // tracked entity type attributes
@@ -494,6 +501,15 @@ private RelationshipItem getRelationshipItem(
       boolean includeDeleted)
       throws NotFoundException {
     Relationship rel = item.getRelationship();
+
+    // We cannot use trackerAccessManager.canRead(getCurrentUserDetails(), rel).isEmpty() as at
+    // least the TE items are not hibernate proxies as they come from the aggregate store. At least
+    // check relationship type access.
+    if (!aclService.canDataRead(getCurrentUserDetails(), rel.getRelationshipType())
+        || (!includeDeleted && rel.isDeleted())) {
+      return null;
+    }
+
     RelationshipItem from = getRelationshipItem(trackedEntity, rel.getFrom(), includeDeleted);
     RelationshipItem to = getRelationshipItem(trackedEntity, rel.getTo(), includeDeleted);
     if (from == null || to == null) {
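Review bot: The two `+ //` lines that keep the old `trackedEntityTypeService.getTrackedEntityType(...)` call as commented-out code next to the new `getByUidNoAcl` call should be removed; the TODO above already records that the ACL-checked lookup was replaced deliberately, and dead code beside an ACL bypass invites someone to swap it back without reading the ticket. The TODO text has a typo (`tess`) and is hard to parse; suggest `// TODO(DHIS2-18541) ACL is bypassed on purpose: the controller tests cover that a user who can read a TE also has access to its TET.` Since the new call skips sharing checks, that comment should also make clear the bypass is only safe as long as access to the TE itself is checked before this code runs. `getTrackedEntityAttributeValues` starts before this hunk.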
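Review bot: The new guard checks `canDataRead` only on the relationship type, and the comment itself calls this a partial substitute for `trackerAccessManager.canRead(..., rel)`; nothing in the hunk shows where read access to the `from`/`to` items (their TE type, program or stage sharing) is enforced, so unless the recursive `getRelationshipItem(trackedEntity, rel.getFrom(), includeDeleted)` overload does it, a readable relationship type alone would expose the linked TE, enrollment or event. Either point the comment at the place that performs the item-level check or track the gap explicitly, e.g. `// TODO(<ticket id>) item-level access (TE/enrollment/event sharing) is not checked here; relies on the per-item getRelationshipItem overload.` Returning `null` for both "not readable" and "deleted without includeDeleted" matches how the method already treats a missing `from`/`to`, but the method's documentation (its signature is outside the hunk, and the body continues past it) should state both reasons so callers do not mistake a filtered relationship for a data error.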