[SELC-4806] Feat: Added @PreAuthorize in getUserById API (#436)

pagopa · May 14, 2024 · 93423ea · 93423ea
1 parent 7e5d891
commit 93423ea
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/web/src/main/java/it/pagopa/selfcare/dashboard/web/controller/UserV2Controller.java b/web/src/main/java/it/pagopa/selfcare/dashboard/web/controller/UserV2Controller.java
@@ -94,17 +94,18 @@ public void deleteRelationshipById(@ApiParam("${swagger.dashboard.user.model.id}
     @GetMapping(value = "/{id}", produces = MediaType.APPLICATION_JSON_VALUE)
     @ResponseStatus(HttpStatus.OK)
     @ApiOperation(value = "", notes = "${swagger.dashboard.user.api.getUserByInternalId}", nickname = "v2GetUserByIdUsingGET")
+    @PreAuthorize("hasPermission(#institutionId, 'InstitutionResource', 'ADMIN')")
     public UserResource getUserById(@ApiParam("${swagger.dashboard.user.model.id}")
                                     @PathVariable("id") String userId,
                                     @ApiParam("${swagger.dashboard.institutions.model.id}")
                                     @RequestParam(value = "institutionId")
-                                    String institutionI,
+                                    String institutionId,
                                     @ApiParam("${swagger.dashboard.user.model.fields}")
                                     @RequestParam(value = "fields", required = false)
                                     List<String> fields) {
         log.trace("getUserById start");
         log.debug("getUserById id = {}", userId);
-        User user = userService.getUserById(userId, institutionI, fields);
+        User user = userService.getUserById(userId, institutionId, fields);
         log.debug(LogUtils.CONFIDENTIAL_MARKER, "getUserById = {}", user);
         log.trace("getUserById end");
         return userMapperV2.toUserResource(user);