
Retrieve user permissions should not require tenant info since

1/13/2015 8:07:52 PM


diff --git a/jaxrs/src/main/java/org/killbill/billing/jaxrs/resources/SecurityResource.java b/jaxrs/src/main/java/org/killbill/billing/jaxrs/resources/SecurityResource.java
index a9abece..0330c54 100644
--- a/jaxrs/src/main/java/org/killbill/billing/jaxrs/resources/SecurityResource.java
+++ b/jaxrs/src/main/java/org/killbill/billing/jaxrs/resources/SecurityResource.java
@@ -32,6 +32,7 @@ import org.apache.shiro.subject.Subject;
 
 import org.killbill.billing.account.api.AccountUserApi;
 import org.killbill.billing.payment.api.PaymentApi;
+import org.killbill.billing.util.callcontext.TenantContext;
 import org.killbill.clock.Clock;
 import org.killbill.billing.jaxrs.json.SubjectJson;
 import org.killbill.billing.jaxrs.util.Context;
@@ -81,7 +82,9 @@ public class SecurityResource extends JaxRsResourceBase {
     @ApiOperation(value = "List user permissions", response = String.class, responseContainer = "List")
     @ApiResponses(value = {})
     public Response getCurrentUserPermissions(@javax.ws.rs.core.Context final HttpServletRequest request) {
-        final Set<Permission> permissions = securityApi.getCurrentUserPermissions(context.createContext(request));
+        // The getCurrentUserPermissions takes a TenantContext which is not used because permissions are cross tenants (at this point)
+        final TenantContext nullTenantContext = null;
+        final Set<Permission> permissions = securityApi.getCurrentUserPermissions(nullTenantContext);
         final List<String> json = ImmutableList.<String>copyOf(Iterables.<Permission, String>transform(permissions, Functions.toStringFunction()));
         return Response.status(Status.OK).entity(json).build();
     }
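Review bot: The null `TenantContext` handed to `securityApi.getCurrentUserPermissions` on the new line makes this resource depend on a contract that is only stated in a caller-side comment; if the API implementation is ever changed to read the context (audit fields, tenant-scoped permissions — the comment's own "(at this point)" hints at that) this call site fails with a NullPointerException instead of a meaningful error. The nullability should be stated on the `SecurityApi` method itself (a `@Nullable`-style note or Javadoc saying the context is ignored for cross-tenant permission lookup), and the local could carry a TODO tying it to that decision, e.g. `// TODO: drop the null context once SecurityApi#getCurrentUserPermissions no longer takes a TenantContext`. Note also that the `request` parameter is now unused in the body, since the only use was `context.createContext(request)`; keeping it is harmless for JAX-RS injection but worth a one-line comment so it is not mistaken for dead code. The class `SecurityResource` continues outside the hunk.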
diff --git a/profiles/killbill/src/main/java/org/killbill/billing/server/security/TenantFilter.java b/profiles/killbill/src/main/java/org/killbill/billing/server/security/TenantFilter.java
index 6e1165e..c254cd0 100644
--- a/profiles/killbill/src/main/java/org/killbill/billing/server/security/TenantFilter.java
+++ b/profiles/killbill/src/main/java/org/killbill/billing/server/security/TenantFilter.java
@@ -128,6 +128,8 @@ public class TenantFilter implements Filter {
             final String path = httpServletRequest.getRequestURI();
             if (    // Chicken - egg problem
                     ("/1.0/kb/tenants".equals(path) && "POST".equals(httpServletRequest.getMethod())) ||
+                    // Retrieve user permissions should not require tenant info since this is cross tenants
+                    (("/1.0/kb/security/subject".equals(path) || "/1.0/kb/security/permissions".equals(path)) && "GET".equals(httpServletRequest.getMethod())) ||
                     // Metrics servlets
                     (KillbillGuiceListener.METRICS_SERVLETS_PATHS.contains(path) && "GET".equals(httpServletRequest.getMethod())) ||
                     // See KillBillShiroWebModule#CorsBasicHttpAuthenticationFilter
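Review bot: The new exemption on the added line compares `getRequestURI()` with exact string equality, like the existing `/1.0/kb/tenants` check, so encoded, matrix-parameter or trailing-slash variants fall through to the tenant check (fail-closed), which is fine; the concern is that the inline disjunction is becoming hard to audit as more tenant-free paths are added. Extract the two paths into a named constant next to `KillbillGuiceListener.METRICS_SERVLETS_PATHS`, e.g. `private static final Set<String> TENANT_FREE_SECURITY_GET_PATHS = ...;` holding the two strings, and test `TENANT_FREE_SECURITY_GET_PATHS.contains(path) && "GET".equals(httpServletRequest.getMethod())`, so the list of endpoints that bypass tenant enforcement is visible in one place. Skipping this filter means these endpoints are guarded only by whatever user authentication the Shiro chain (referenced in the next comment line, not visible here) applies to `/1.0/kb/security/*`; that should be confirmed before merging, since otherwise the permissions listing would be reachable without credentials. The enclosing `doFilter` logic starts and ends outside the hunk.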