Forbid write sharing with group public

gisaia · Mar 12, 2024 · 5e2bed7 · 5e2bed7
1 parent f83b543
commit 5e2bed7
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/...s-persistence-core/src/main/java/io/arlas/persistence/server/core/PersistenceService.java b/...s-persistence-core/src/main/java/io/arlas/persistence/server/core/PersistenceService.java
@@ -76,7 +76,7 @@ static boolean intersect(List<String> a, List<String> b) {
     static boolean isShareableGroup(List<String> group, String zone, IdentityParam identityParam) throws ForbiddenException {
         List<String> userGroupsForZone = getGroupsForZone(zone, identityParam);
         List<String> authorizeGroup = group.stream().filter(userGroupsForZone::contains).toList();
-        if (!authorizeGroup.isEmpty() || group.isEmpty()){
+        if (!authorizeGroup.isEmpty() || group.isEmpty()) {
             return true;
         } else {
             throw new ForbiddenException("You are not authorized to give rights to this group: " + group);
@@ -87,6 +87,9 @@ static void checkReadersWritersGroups(String zone, IdentityParam identityParam,
 
         List<String> writersList = new ArrayList<>(writers);
         List<String> readersList = new ArrayList<>(readers);
+        if (writersList.contains("group/public")) {
+            throw new ForbiddenException("You are not authorized to give writers rights to this group: group/public");
+        }
         isShareableGroup(writersList, zone, identityParam);
         isShareableGroup(readersList, zone, identityParam);
     }

diff --git a/arlas-persistence-tests/src/test/java/io/arlas/persistence/rest/PersistenceIT.java b/arlas-persistence-tests/src/test/java/io/arlas/persistence/rest/PersistenceIT.java
@@ -342,7 +342,7 @@ public void test14DeleteWithJustWriteAccess() {
 
     @Test
     public void test15CreateOtherOrganisation() {
-        id = createData(otherCompany, "mySecondRestrictedDocument", List.of(PUBLIC), List.of(PUBLIC))
+        id = createData(otherCompany, "mySecondRestrictedDocument", List.of(PUBLIC), Collections.EMPTY_LIST)
                 .then().statusCode(201)
                 .body("doc_value", equalTo("{\"age\":1}"))
                 .extract().jsonPath().get("id");
@@ -470,6 +470,13 @@ public void test21ListWithPublic() {
         deleteData(otherCompany, id3);
     }
 
+    @Test
+    public void test22CreateWithPublicWriteAccess() {
+        createData(technical, "privateDocument", List.of(TECHNICAL), List.of(PUBLIC))
+                .then().statusCode(403);
+
+    }
+
     protected RequestSpecification givenForUser(UserIdentity userIdentity) {
         return given().header(userHeader, userIdentity.userId)
                 .header(groupsHeader, userIdentity.groups)