Repository: incubator-geode Updated Branches: refs/heads/develop 5abe957ca -> cf09ac94d
GEODE-2004: Create/update/delete query through rest api should require DATA:READ instead of DATA:WRITE * This closes #262 Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/cf09ac94 Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/cf09ac94 Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/cf09ac94 Branch: refs/heads/develop Commit: cf09ac94ddbd3c0a8dca9a94eac53d95871f1691 Parents: 5abe957 Author: Kevin Duling <kdul...@pivotal.io> Authored: Mon Oct 17 11:02:54 2016 -0700 Committer: Jinmei Liao <jil...@pivotal.io> Committed: Mon Oct 17 11:55:44 2016 -0700 ---------------------------------------------------------------------- .../geode/rest/internal/web/RestSecurityIntegrationTest.java | 6 +++--- .../rest/internal/web/controllers/QueryAccessController.java | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cf09ac94/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java ----------------------------------------------------------------------
diff --git a/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java b/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java
index ef019a4..6e91894 100644
--- a/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java
+++ b/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java
@@ -138,7 +138,7 @@ public class RestSecurityIntegrationTest {
 assertEquals(401, getCode(response));
 response = doPost("/queries?id=0&q=", "stranger", "1234567", "");
 assertEquals(403, getCode(response));
- response = doPost("/queries?id=0&q=", "dataWriter", "1234567", "");
+ response = doPost("/queries?id=0&q=", "dataReader", "1234567", "");
 // because we're only testing the security of the endpoint, not the endpoint functionality, a 500 is acceptable
 assertEquals(500, getCode(response));
 }
@@ -149,7 +149,7 @@ public class RestSecurityIntegrationTest {
 assertEquals(401, getCode(response));
 response = doPost("/queries/id", "stranger", "1234567", "{\"id\" : \"foo\"}");
 assertEquals(403, getCode(response));
- response = doPost("/queries/id", "dataWriter", "1234567", "{\"id\" : \"foo\"}");
+ response = doPost("/queries/id", "dataReader", "1234567", "{\"id\" : \"foo\"}");
 // because we're only testing the security of the endpoint, not the endpoint functionality, a 500 is acceptable
 assertEquals(500, getCode(response));
 }
@@ -160,7 +160,7 @@ public class RestSecurityIntegrationTest {
 assertEquals(401, getCode(response));
 response = doPut("/queries/id", "stranger", "1234567", "{\"id\" : \"foo\"}");
 assertEquals(403, getCode(response));
- response = doPut("/queries/id", "dataWriter", "1234567", "{\"id\" : \"foo\"}");
+ response = doPut("/queries/id", "dataReader", "1234567", "{\"id\" : \"foo\"}");
 // We should get a 404 because we're trying to update a query that doesn't exist
 assertEquals(404, getCode(response));
 }
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cf09ac94/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/controllers/QueryAccessController.java ----------------------------------------------------------------------
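Review bot: In all three hunks the dataWriter call is replaced rather than kept, so the test now only shows that DATA:READ is sufficient and never asserts that a principal holding only DATA:WRITE is refused; a later loosening of the annotation to accept either permission would still pass. If dataWriter carries only DATA:WRITE in the test security configuration (not visible here), keep the old call and flip its expectation, e.g. in the first hunk `response = doPost("/queries?id=0&q=", "dataWriter", "1234567", ""); assertEquals(403, getCode(response));`, and do the same for the `/queries/id` POST and PUT hunks. The 500 expected in the first two hunks is a weak proxy for "authorized", as the existing comment admits, so the negative case is the only assertion that actually pins the permission. The enclosing test methods start outside the hunks.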
diff --git a/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/controllers/QueryAccessController.java b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/controllers/QueryAccessController.java
index e43e5e6..d13c99c 100644
--- a/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/controllers/QueryAccessController.java
+++ b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/controllers/QueryAccessController.java
@@ -137,7 +137,7 @@ public class QueryAccessController extends AbstractBaseController {
 @ApiResponse( code = 409, message = "QueryId already assigned to other query." ),
 @ApiResponse( code = 500, message = "GemFire throws an error or exception." )
 } )
- @PreAuthorize("@securityService.authorize('DATA', 'WRITE')")
+ @PreAuthorize("@securityService.authorize('DATA', 'READ')")
 public ResponseEntity<?> create(@RequestParam("id") final String queryId,
 @RequestParam(value = "q", required = false) String oqlInUrl,
 @RequestBody(required = false) final String oqlInBody)
@@ -234,7 +234,7 @@ public class QueryAccessController extends AbstractBaseController {
 } )
 @ResponseBody
 @ResponseStatus(HttpStatus.OK)
- @PreAuthorize("@securityService.authorize('DATA', 'WRITE')")
+ @PreAuthorize("@securityService.authorize('DATA', 'READ')")
 public ResponseEntity<String> runNamedQuery(@PathVariable("query") String queryId,
 @RequestBody String arguments) {
@@ -310,7 +310,7 @@ public class QueryAccessController extends AbstractBaseController {
 @ApiResponse( code = 404, message = "queryId does not exist." ),
 @ApiResponse( code = 500, message = "GemFire throws an error or exception." )
 } )
- @PreAuthorize("@securityService.authorize('DATA', 'WRITE')")
+ @PreAuthorize("@securityService.authorize('DATA', 'READ')")
 public ResponseEntity<?> update( @PathVariable("query") final String queryId,
 @RequestParam(value = "q", required = false) String oqlInUrl,
 @RequestBody(required = false) final String oqlInBody) {
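Review bot: Lowering create (first hunk) and update (third hunk) to DATA:READ means a read-only principal can register or replace a named query that, judging by runNamedQuery taking the same queryId, is presumably executed later by any other caller, so the permission now guards shared server-side state rather than a single read. That trade-off is what GEODE-2004 decides, but nothing in the code says so; a one-line Javadoc on create and update such as `Requires DATA:READ; the stored query is shared, so any reader can redefine what other readers execute by id.` would keep the next maintainer from "fixing" it back. The commit title also lists delete, yet no delete endpoint appears in this diff and the diffstat reports only three changed lines in this file, so confirm whether that endpoint was already at READ or is still at WRITE. The same expression string is now repeated in three annotations; a `private static final String DATA_READ = "@securityService.authorize('DATA', 'READ')";` used as `@PreAuthorize(DATA_READ)` would stop them drifting apart. The annotated methods' bodies continue outside the hunks.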