Merge pull request Onlineberatung#692 from Onlineberatung/DIAKONIE-24…
…5-adapt-endpoint-to-return-only-allowed-sessions

Diakonie 245 adapt endpoint to return only allowed sessions
Leandro13Silva13 authored Apr 5, 2024
2 parents b62828d + c8d42c0 commit 2e5c4aa
Showing 4 changed files with 63 additions and 48 deletions.
Expand Up @@ -49,13 +49,15 @@
import javax.ws.rs.BadRequestException;
import lombok.NonNull;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.lang.Nullable;
import org.springframework.stereotype.Service;

/** Service for sessions */
@Service
@RequiredArgsConstructor
@Slf4j
public class SessionService {

private final @NonNull SessionRepository sessionRepository;
Expand Down Expand Up @@ -437,12 +439,18 @@ private List<AgencyDTO> fetchAgencies(List<Session> sessions) {
* @param roles the roles of the given consultant
* @return {@link ConsultantSessionResponseDTO}
*/
public List<ConsultantSessionResponseDTO> getSessionsByConsultantAndGroupOrFeedbackGroupIds(
Consultant consultant, Set<String> rcGroupIds, Set<String> roles) {
public List<ConsultantSessionResponseDTO>
getAllowedSessionsByConsultantAndGroupOrFeedbackGroupIds(
Consultant consultant, Set<String> rcGroupIds, Set<String> roles) {
checkForUserOrConsultantRole(roles);
var sessions = sessionRepository.findByGroupOrFeedbackGroupIds(rcGroupIds);
sessions.forEach(session -> checkConsultantAssignment(consultant, session));
return mapSessionsToConsultantSessionDto(sessions);

List<Session> allowedSessions =
sessions.stream()
.filter(session -> isConsultantPermittedToSession(consultant, session))
.collect(Collectors.toList());

return mapSessionsToConsultantSessionDto(allowedSessions);
}

/**
Expand Down Expand Up @@ -536,6 +544,16 @@ private void checkIfConsultantAndNotAssignedToSessionOrAgency(
}
}

private boolean isConsultantPermittedToSession(Consultant consultant, Session session) {
try {
checkConsultantAssignment(consultant, session);
} catch (ForbiddenException e) {
log.info(e.getMessage());
return false;
}
return true;
}

private void checkConsultantAssignment(Consultant consultant, Session session) {
if (session.isAdvisedBy(consultant)
|| isAllowedToAdvise(consultant, session)
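Review bot: The new `isConsultantPermittedToSession` helper hands the exception message straight to SLF4J as the format string, `log.info(e.getMessage())`; a message containing `{}` would be parsed as a placeholder, and the line carries no identifiers of its own for whoever later asks which session was dropped for whom. Prefer a parameterized message that names what was filtered, e.g. `log.info("Dropping session {} not visible to consultant: {}", session.getId(), e.getMessage());` (`session.getId()` is used by the new unit tests; the consultant's id accessor is not visible in this hunk). More broadly the helper uses `ForbiddenException` for control flow: `checkConsultantAssignment` already holds the boolean condition (`session.isAdvisedBy(consultant) || isAllowedToAdvise(consultant, session) || …`, which continues past the end of the hunk), so the cleaner shape is to move that condition into `isConsultantPermittedToSession` and have `checkConsultantAssignment` throw only when it returns false. Since the endpoint now answers 204 instead of 403 for group ids the consultant may not see (as the updated integration tests show), the renamed method deserves a Javadoc line making that explicit, e.g. `Sessions the consultant is not permitted to see are dropped silently (logged at INFO) rather than rejected with 403.`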
Expand Up @@ -45,7 +45,7 @@ public List<ConsultantSessionResponseDTO> retrieveSessionsForConsultantAndGroupI
Consultant consultant, List<String> rcGroupIds, Set<String> roles) {
var groupIds = new HashSet<>(rcGroupIds);
var sessions =
sessionService.getSessionsByConsultantAndGroupOrFeedbackGroupIds(
sessionService.getAllowedSessionsByConsultantAndGroupOrFeedbackGroupIds(
consultant, groupIds, roles);
var chats = chatService.getChatSessionsForConsultantByGroupIds(groupIds);

Expand Up @@ -99,6 +99,8 @@
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.ValueSource;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.RoleMappingResource;
Expand Down Expand Up @@ -710,36 +712,19 @@ void getSessionsForGroupOrFeedbackGroupIdsShouldBeForbiddenIfUserDoesNotParticip
.andExpect(status().isForbidden());
}

@Test
@ParameterizedTest
@WithMockUser(authorities = {AuthorityValue.CONSULTANT_DEFAULT})
@ValueSource(strings = {"QBv2xym9qQ2DoAxkR", "doesNotExist", "mzAdWzQEobJ2PkoxP"})
void
getSessionsForGroupOrFeedbackGroupIdsShouldBeForbiddenIfConsultantDoesNotParticipateInSession()
throws Exception {
givenAConsultantWithSessions();
givenNoRocketChatSubscriptionUpdates();
givenNoRocketChatRoomUpdates();

mockMvc
.perform(
get("/users/sessions/room?rcGroupIds=QBv2xym9qQ2DoAxkR")
.cookie(CSRF_COOKIE)
.header(CSRF_HEADER, CSRF_VALUE)
.header(RC_TOKEN_HEADER_PARAMETER_NAME, RC_TOKEN)
.accept(MediaType.APPLICATION_JSON))
.andExpect(status().isForbidden());
}

@Test
@WithMockUser(authorities = {AuthorityValue.CONSULTANT_DEFAULT})
void getSessionsForGroupOrFeedbackGroupIdsShouldBeNoContentIfNoSessionsFoundForIds()
throws Exception {
getSessionsForGroupOrFeedbackGroupIdsShouldBeNoContentIfConsultantDoesNotParticipateInSessionOrNoSessionsFoundForIdsOrNewEnquiriesForConsultantsNotInAgency(
String rcGroupId) throws Exception {
givenAConsultantWithSessions();
givenNoRocketChatSubscriptionUpdates();
givenNoRocketChatRoomUpdates();

mockMvc
.perform(
get("/users/sessions/room?rcGroupIds=doesNotExist")
get("/users/sessions/room?rcGroupIds=" + rcGroupId)
.cookie(CSRF_COOKIE)
.header(CSRF_HEADER, CSRF_VALUE)
.header(RC_TOKEN_HEADER_PARAMETER_NAME, RC_TOKEN)
Expand Down Expand Up @@ -768,25 +753,6 @@ void getSessionsForGroupOrFeedbackGroupIdsShouldBeNoContentIfNoSessionsFoundForI
.andExpect(jsonPath("sessions", hasSize(1)));
}

@Test
@WithMockUser(authorities = {AuthorityValue.CONSULTANT_DEFAULT})
void
getSessionsForGroupOrFeedbackGroupIdsShouldReturnForbiddenForNewEnquiriesForConsultantsNotInAgency()
throws Exception {
givenAConsultantWithSessions();
givenNoRocketChatSubscriptionUpdates();
givenNoRocketChatRoomUpdates();

mockMvc
.perform(
get("/users/sessions/room?rcGroupIds=mzAdWzQEobJ2PkoxP")
.cookie(CSRF_COOKIE)
.header(CSRF_HEADER, CSRF_VALUE)
.header(RC_TOKEN_HEADER_PARAMETER_NAME, RC_TOKEN)
.accept(MediaType.APPLICATION_JSON))
.andExpect(status().isForbidden());
}

@Test
@WithMockUser(authorities = {AuthorityValue.USER_DEFAULT})
void getSessionForIdShouldFindSessionsBySessionId() throws Exception {
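Review bot: The merged parameterized test only checks that each of the three group ids yields 204 on its own; nothing at the endpoint level exercises a request that mixes a permitted id with a non-permitted one, which is exactly the case the new filtering exists for (the unit test in SessionServiceTest covers it, but not through the controller, CSRF and Rocket.Chat-token path). A fourth case such as `get("/users/sessions/room?rcGroupIds=" + permittedId + ",QBv2xym9qQ2DoAxkR")` asserting `jsonPath("sessions", hasSize(1))` would pin that the non-permitted session is dropped rather than returned alongside the permitted one (`rcGroupIds` is bound as a `List<String>` in the facade, so a comma-separated value or a repeated parameter should bind; confirm against the existing `hasSize(1)` test's fixture id). The method name on the `void` line is also over 150 characters; something like `getSessionsForGroupOrFeedbackGroupIdsShouldBeNoContentWhenNoSessionIsVisibleToConsultant` with the three ids described in a comment reads better. The test that ends with `hasSize(1)` belongs to a hunk that starts outside this view.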
Expand Up @@ -26,6 +26,7 @@
import static java.util.Collections.singleton;
import static java.util.Collections.singletonList;
import static liquibase.util.BooleanUtils.isTrue;
import static org.assertj.core.api.Assertions.assertThat;
import static org.hamcrest.CoreMatchers.everyItem;
import static org.hamcrest.CoreMatchers.instanceOf;
import static org.hamcrest.MatcherAssert.assertThat;
Expand Down Expand Up @@ -783,7 +784,7 @@ void initializeSession_Should_initializePeerChat_When_consultingTypeSettingsHasP

@Test
void
getSessionsByConsultantAndGroupOrFeedbackGroupIds_should_find_new_anonymous_enquiry_if_consultant_may_advise_consulting_type() {
getAllowedSessionsByConsultantAndGroupOrFeedbackGroupIds_should_find_new_anonymous_enquiry_if_consultant_may_advise_consulting_type() {
Session anonymousEnquiry =
createAnonymousNewEnquiryWithConsultingType(AGENCY_DTO_SUCHT.getConsultingType());
when(sessionRepository.findByGroupOrFeedbackGroupIds(singleton("rcGroupId")))
Expand All @@ -794,12 +795,34 @@ void initializeSession_Should_initializePeerChat_When_consultingTypeSettingsHasP
var consultant = createConsultantWithAgencies(agency);

var sessionResponse =
sessionService.getSessionsByConsultantAndGroupOrFeedbackGroupIds(
sessionService.getAllowedSessionsByConsultantAndGroupOrFeedbackGroupIds(
consultant, singleton("rcGroupId"), singleton(UserRole.CONSULTANT.getValue()));

assertEquals(1, sessionResponse.size());
}

@Test
void
getAllowedSessionsByConsultantAndGroupOrFeedbackGroupIds_should_only_return_the_sessions_the_consultant_can_see() {
// given
List<Session> sessions = new ArrayList<>();
ConsultantAgency agency = new ConsultantAgency();
agency.setAgencyId(4711L);
var consultant = createConsultantWithAgencies(agency);
var allowedSession = giveAllowedSessionWithID(1L, consultant);
sessions.add(giveAllowedSessionWithID(2L, null));
sessions.add(allowedSession);
when(sessionRepository.findByGroupOrFeedbackGroupIds(singleton("rcGroupId")))
.thenReturn(sessions);
// when
var sessionResponse =
sessionService.getAllowedSessionsByConsultantAndGroupOrFeedbackGroupIds(
consultant, singleton("rcGroupId"), singleton(UserRole.CONSULTANT.getValue()));
// then
assertThat(sessionResponse).hasSize(1);
assertThat(sessionResponse.get(0).getSession().getId()).isEqualTo(allowedSession.getId());
}

@Test
void
getSessionsByIds_should_find_new_anonymous_enquiry_if_consultant_may_advise_consulting_type() {
Expand Down Expand Up @@ -882,6 +905,14 @@ private List<UserSessionResponseDTO> getSomeUserId(String someUserId, Session an
someUserId, singleton(anonymousEnquiry.getId()), singleton(UserRole.ANONYMOUS.getValue()));
}

private Session giveAllowedSessionWithID(Long id, Consultant consultant) {
Session allowedSession =
createAnonymousNewEnquiryWithConsultingType(AGENCY_DTO_SUCHT.getConsultingType());
allowedSession.setId(id);
allowedSession.setConsultant(consultant);
return allowedSession;
}

private Session createAnonymousNewEnquiryWithConsultingType(int consultingTypeId) {
var session = easyRandom.nextObject(Session.class);
session.setAgencyId(null);
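Review bot: `giveAllowedSessionWithID(2L, null)` builds the disallowed session with no consultant at all, so the filtered-out case only covers `consultant == null`; a session assigned to a different consultant is the realistic horizontal-access case and may take another path through `checkConsultantAssignment` (`isAdvisedBy` versus the agency-based `isAllowedToAdvise` branch). Add a second disallowed fixture, e.g. `sessions.add(giveAllowedSessionWithID(3L, createConsultantWithAgencies(otherAgency)));` with an agency id other than 4711, and keep the `hasSize(1)` assertion. The helper's name is misleading when it is used to build a session that must be filtered out; `givenSessionAdvisedBy(Long id, Consultant consultant)` describes what it actually does, and a one-line comment such as `// consultant may be null: the session is then not advised by anyone` would make the null case intentional. Minor: the file now statically imports both AssertJ's and Hamcrest's `assertThat`; the new test could use the Hamcrest form the file already relies on so one assertion style is kept.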