diff --git a/src/main/java/net/gepafin/tendermanagement/dao/ApplicationDao.java b/src/main/java/net/gepafin/tendermanagement/dao/ApplicationDao.java
index 8d19b48d..6b310bc6 100644
--- a/src/main/java/net/gepafin/tendermanagement/dao/ApplicationDao.java
+++ b/src/main/java/net/gepafin/tendermanagement/dao/ApplicationDao.java
@@ -174,10 +174,9 @@ public class ApplicationDao {
 }
 public List getAllApplications(UserEntity userEntity, Long callId) {
- RoleStatusEnum roleStatus = RoleStatusEnum.valueOf(userEntity.getRoleEntity().getRoleType());
- boolean isBeneficiary = RoleStatusEnum.ROLE_BENEFICIARY.equals(roleStatus);
+ boolean isBeneficiary = isBeneficiary(userEntity);
- log.info("Fetching applications for RoleType: {}", roleStatus);
+ log.info("Fetching applications for RoleType: {}", userEntity.getRoleEntity().getRoleType());
 List applicationResponses = new ArrayList<>();
 if (callId != null) {
@@ -351,7 +350,12 @@ public class ApplicationDao {
 public ApplicationGetResponseBean getApplicationByFormId(
 Long applicationId,Long formId, UserEntity userEntity) {
 List formApplicationResponses = new ArrayList<>();
 List formEntities = new ArrayList<>();
- ApplicationEntity applicationEntity = applicationRepository.findById(applicationId)
+ boolean isBeneficiary = isBeneficiary(userEntity);
+ ApplicationEntity applicationEntity = isBeneficiary
+ ? applicationRepository.findByIdAndUserIdAndIsDeletedFalse(applicationId,userEntity.getId()) .orElseThrow(() -> new CustomValidationException(Status.BAD_REQUEST, Translator.toLocale(GepafinConstant.APPLICATION_NOT_FOUND_MSG)))
+ : applicationRepository.findById(applicationId)
+ .stream().findFirst() .orElseThrow(() -> new CustomValidationException(Status.BAD_REQUEST, Translator.toLocale(GepafinConstant.APPLICATION_NOT_FOUND_MSG)));
 if (formId != null) {
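Review bot: The non-beneficiary branch of the new lookup in getApplicationByFormId drops the soft-delete filter that the beneficiary branch applies: `applicationRepository.findById(applicationId)` returns an application whose isDeleted flag is set, while beneficiaries go through `findByIdAndUserIdAndIsDeletedFalse`. If that asymmetry is not intended, a derived finder such as `findByIdAndIsDeletedFalse(Long id)` next to the new repository method keeps both paths consistent. The `.stream().findFirst()` call on the `Optional` returned by `findById` is a no-op and can be dropped so the branch reads `: applicationRepository.findById(applicationId)` followed directly by `.orElseThrow(...)`. Returning the same APPLICATION_NOT_FOUND_MSG whether the application is missing or belongs to another user is the right choice, since it does not confirm the id to the caller. getApplicationByFormId's body continues past the hunk.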
@@ -374,6 +378,12 @@ public class ApplicationDao {
 return createApplicationGetResponseBean(applicationEntity, formEntities, formApplicationResponses);
 }
+ private boolean isBeneficiary(UserEntity userEntity) {
+ RoleStatusEnum roleStatus = RoleStatusEnum.valueOf(userEntity.getRoleEntity().getRoleType());
+ boolean isBeneficiary = RoleStatusEnum.ROLE_BENEFICIARY.equals(roleStatus);
+ return isBeneficiary;
+ }
+
 private void addFormApplication(FormEntity formEntity, ApplicationEntity applicationEntity, List formApplicationResponses) {
 FormApplicationResponse formApplicationResponse = processForm(formEntity, applicationEntity);
diff --git a/src/main/java/net/gepafin/tendermanagement/repositories/ApplicationRepository.java b/src/main/java/net/gepafin/tendermanagement/repositories/ApplicationRepository.java
index 8d41608c..ad9104a5 100644
--- a/src/main/java/net/gepafin/tendermanagement/repositories/ApplicationRepository.java
+++ b/src/main/java/net/gepafin/tendermanagement/repositories/ApplicationRepository.java
@@ -23,4 +23,7 @@ public interface ApplicationRepository extends JpaRepository findByCallIdAndIsDeletedFalse(Long callId);
 public List findByIsDeletedFalse();
+
+ public Optional findByIdAndUserIdAndIsDeletedFalse(Long id,Long userId);
+
 }
diff --git a/src/main/java/net/gepafin/tendermanagement/web/rest/api/FormApi.java b/src/main/java/net/gepafin/tendermanagement/web/rest/api/FormApi.java
index 04417439..99eb8835 100644
--- a/src/main/java/net/gepafin/tendermanagement/web/rest/api/FormApi.java
+++ b/src/main/java/net/gepafin/tendermanagement/web/rest/api/FormApi.java
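Review bot: The new isBeneficiary helper uses the same name for the method and its local, and the local only holds the comparison result; returning the expression directly reads better: `return RoleStatusEnum.ROLE_BENEFICIARY.equals(RoleStatusEnum.valueOf(userEntity.getRoleEntity().getRoleType()));`. `RoleStatusEnum.valueOf` throws IllegalArgumentException for a role string it does not know, and the chained getters throw NullPointerException when the user has no role entity; both callers in this commit then abort before returning any application, which fails closed, but the failure surfaces as an unhandled exception rather than a CustomValidationException unless something outside this diff maps it. That contract is worth stating in a Javadoc, e.g. `/** True when the user's role type is ROLE_BENEFICIARY; throws IllegalArgumentException for an unknown role type. */`.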
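Review bot: The new finder returns `Optional`, but this diff shows no import hunk for ApplicationRepository; unless `java.util.Optional` is already imported there (the import block is outside the hunk), the file will not compile. The derived query also relies on the entity exposing a `userId` property (or an equivalent nested path) alongside the `isDeleted` flag that the existing `findByIsDeletedFalse` already proves; the former is not visible here and should be checked against the entity. A short Javadoc such as `/** Finds a non-deleted application only if it belongs to the given user; empty otherwise. */` would make clear that the user id is an ownership constraint, not a convenience filter.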
@@ -49,6 +49,7 @@ public interface FormApi {
 @ExampleObject(value = ErrorConstants.BADREQUEST_ERROR_EXAMPLE) })) })
 @PutMapping(value = "/{formId}", produces = { "application/json" })
+ @PreAuthorize("hasRole('ROLE_SUPER_ADMIN')")
 ResponseEntity> updateForm(HttpServletRequest request, @Parameter(description = "The form ID", required = true) @PathVariable("formId") Long formId, @Parameter(description = "form request object", required = true) @Valid @RequestBody FormRequest formRequest,@Parameter(description = "force delete flow ",required = true)@RequestParam(value = "forceDeleteFlow",required = true)Boolean forceDeleteFlow);
@@ -78,6 +79,7 @@ public interface FormApi {
 @ApiResponse(responseCode = "400", description = "Bad Request", content = @Content(mediaType = MediaType.APPLICATION_JSON_VALUE, examples = { @ExampleObject(value = ErrorConstants.BADREQUEST_ERROR_EXAMPLE) })) })
 @DeleteMapping(value = "/{formId}")
+ @PreAuthorize("hasRole('ROLE_SUPER_ADMIN')")
 ResponseEntity> deleteForm(HttpServletRequest request, @Parameter(description = "The form ID", required = true) @PathVariable("formId") Long formId);
diff --git a/src/main/java/net/gepafin/tendermanagement/web/rest/api/FormFieldApi.java b/src/main/java/net/gepafin/tendermanagement/web/rest/api/FormFieldApi.java
index 341b3fed..0aeecf0f 100644
--- a/src/main/java/net/gepafin/tendermanagement/web/rest/api/FormFieldApi.java
+++ b/src/main/java/net/gepafin/tendermanagement/web/rest/api/FormFieldApi.java
@@ -13,6 +13,7 @@ import net.gepafin.tendermanagement.model.util.Response;
 import net.gepafin.tendermanagement.web.rest.api.errors.ErrorConstants;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 import java.util.List;
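Review bot: `@PreAuthorize` is added to updateForm here and to deleteForm at `@@ -78,6 +79,7 @@`, but this diff contains no import hunk for FormApi, unlike FormFieldApi at `@@ -13,6 +13,7 @@`; if `org.springframework.security.access.prepost.PreAuthorize` is not already imported in FormApi, neither hunk compiles. Putting the annotation on the interface method only takes effect when method security is enabled (`@EnableMethodSecurity`, or `@EnableGlobalMethodSecurity(prePostEnabled = true)` on older Spring Security) and the implementing controller is a proxied bean; neither is visible in this diff, so a test that calls the endpoint without ROLE_SUPER_ADMIN and expects 403 is the cheapest way to confirm the rule fires. The same applies to the five FormFieldApi hunks that follow. `hasRole('ROLE_SUPER_ADMIN')` works as written because Spring does not add the prefix twice, though `hasRole('SUPER_ADMIN')` or `hasAuthority('ROLE_SUPER_ADMIN')` is the more conventional spelling.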
@@ -30,6 +31,7 @@ public interface FormFieldApi {
 @ExampleObject(value = ErrorConstants.BADREQUEST_ERROR_EXAMPLE) })) })
 @PostMapping(value = "", produces = MediaType.APPLICATION_JSON_VALUE, consumes = MediaType.APPLICATION_JSON_VALUE)
+ @PreAuthorize("hasRole('ROLE_SUPER_ADMIN')")
 public ResponseEntity> createFormField(HttpServletRequest request, @Parameter(description = "form field request object", required = true) @Valid @RequestBody FormFieldRequest formFieldRequest);
@@ -46,6 +48,7 @@ public interface FormFieldApi {
 @ExampleObject(value = ErrorConstants.BADREQUEST_ERROR_EXAMPLE) })) })
 @PutMapping(value = "/{formFieldId}", produces = { "application/json" })
+ @PreAuthorize("hasRole('ROLE_SUPER_ADMIN')")
 ResponseEntity> updateFormField(HttpServletRequest request, @Parameter(description = "The form field ID", required = true) @PathVariable("formFieldId") Long formFieldId, @Parameter(description = "form field request object", required = true) @Valid @RequestBody FormFieldRequest formFieldRequest);
@@ -61,6 +64,7 @@ public interface FormFieldApi {
 @ExampleObject(value = ErrorConstants.BADREQUEST_ERROR_EXAMPLE) })) })
 @GetMapping(value = "/{formFieldId}", produces = { "application/json" })
+ @PreAuthorize("hasRole('ROLE_SUPER_ADMIN')")
 ResponseEntity> getFormFieldById(HttpServletRequest request, @Parameter(description = "The form field ID", required = true) @PathVariable("formFieldId") Long formFieldId);
@@ -75,6 +79,7 @@ public interface FormFieldApi {
 @ApiResponse(responseCode = "400", description = "Bad Request", content = @Content(mediaType = MediaType.APPLICATION_JSON_VALUE, examples = { @ExampleObject(value = ErrorConstants.BADREQUEST_ERROR_EXAMPLE) })) })
 @DeleteMapping(value = "/{formFieldId}")
+ @PreAuthorize("hasRole('ROLE_SUPER_ADMIN')")
 ResponseEntity> deleteForm(HttpServletRequest request, @Parameter(description = "The form field ID", required = true) @PathVariable("formFieldId") Long formFieldId);
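Review bot: The read endpoints getFormFieldById (`@@ -61,6 +64,7 @@`) and getAllFormField (`@@ -89,6 +94,7 @@` on the next line) are now limited to ROLE_SUPER_ADMIN together with the mutating ones; if any non-admin flow has to load form-field definitions, for instance to render an application form, those callers will start receiving 403. I cannot see the callers in this diff, so this may well be intended, but the decision deserves a line in the interface Javadoc such as `/** All form-field operations, including reads, are restricted to ROLE_SUPER_ADMIN. */` so the next reader does not treat the restriction on the GET methods as an accident. If only writes were meant to be restricted, the annotation belongs on createFormField, updateFormField and the delete method alone.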
@@ -89,6 +94,7 @@ public interface FormFieldApi {
 @ExampleObject(value = ErrorConstants.BADREQUEST_ERROR_EXAMPLE) })) })
 @GetMapping(value = "", produces = { "application/json" })
+ @PreAuthorize("hasRole('ROLE_SUPER_ADMIN')")
 ResponseEntity>> getAllFormField(HttpServletRequest request);
 }