RESTWS-946: /session endpoint throws an error if user doesn't have Ge…

…t Providers privilege
openmrs · Jul 4, 2024 · 282d5a5 · 282d5a5
1 parent ff78c3a
commit 282d5a5
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 14 deletions.
diff --git a/...ller/openmrs1_9/SessionController1_9.java → ...ller/openmrs2_0/SessionController2_0.java b/...ller/openmrs1_9/SessionController1_9.java → ...ller/openmrs2_0/SessionController2_0.java
@@ -7,7 +7,7 @@
  * Copyright (C) OpenMRS Inc. OpenMRS is a registered trademark and the OpenMRS
  * graphic logo is a trademark of OpenMRS Inc.
  */
-package org.openmrs.module.webservices.rest.web.v1_0.controller.openmrs1_9;
+package org.openmrs.module.webservices.rest.web.v1_0.controller.openmrs2_0;
 
 import org.apache.commons.lang3.LocaleUtils;
 import org.openmrs.Location;
@@ -48,9 +48,9 @@
  */
 @Controller
 @RequestMapping(value = "/rest/" + RestConstants.VERSION_1 + "/session")
-public class SessionController1_9 extends BaseRestController {
+public class SessionController2_0 extends BaseRestController {
 
-	private static final Logger log = LoggerFactory.getLogger(SessionController1_9.class);
+	private static final Logger log = LoggerFactory.getLogger(SessionController2_0.class);
 
 	public static final String USER_CUSTOM_REP = "(uuid,display,username,systemId,userProperties,person:(uuid,display),privileges:(uuid,display,name),roles:(uuid,display,name),links)";
 
@@ -138,13 +138,15 @@ private Provider getCurrentProvider() {
 		if (currentUser != null) {
 			Collection<Provider> providers = new HashSet<Provider>();
 			try {
-				Context.addProxyPrivilege(PrivilegeConstants.VIEW_PROVIDERS);
+				Context.addProxyPrivilege(PrivilegeConstants.GET_PROVIDERS);
+				Context.addProxyPrivilege("View Providers"); // support later versions of OpenMRS
 				if (currentUser.getPerson() != null) {
 					providers = Context.getProviderService().getProvidersByPerson(currentUser.getPerson(), false);
 				}
 			}
 			finally {
-				Context.removeProxyPrivilege(PrivilegeConstants.VIEW_PROVIDERS);
+				Context.removeProxyPrivilege(PrivilegeConstants.GET_PROVIDERS);
+				Context.removeProxyPrivilege("View Providers"); // support later versions of OpenMRS
 			}
 			if (providers.size() > 1) {
 				log.warn("Can't handle users with multiple provider accounts");

diff --git a/.../openmrs1_9/SessionController1_9Test.java → .../openmrs2_0/SessionController2_0Test.java b/.../openmrs1_9/SessionController1_9Test.java → .../openmrs2_0/SessionController2_0Test.java
@@ -7,7 +7,7 @@
  * Copyright (C) OpenMRS Inc. OpenMRS is a registered trademark and the OpenMRS
  * graphic logo is a trademark of OpenMRS Inc.
  */
-package org.openmrs.module.webservices.rest.web.v1_0.controller.openmrs1_9;
+package org.openmrs.module.webservices.rest.web.v1_0.controller.openmrs2_0;
 
 import org.apache.commons.beanutils.PropertyUtils;
 import org.codehaus.jackson.map.ObjectMapper;
@@ -16,36 +16,36 @@
 import org.junit.Test;
 import org.openmrs.GlobalProperty;
 import org.openmrs.Location;
+import org.openmrs.User;
 import org.openmrs.api.APIException;
 import org.openmrs.api.context.Context;
 import org.openmrs.util.OpenmrsConstants;
 import org.openmrs.web.test.BaseModuleWebContextSensitiveTest;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpSession;
 import org.springframework.mock.web.MockServletContext;
-import org.springframework.web.context.request.ServletWebRequest;
-import org.springframework.web.context.request.WebRequest;
 
 import javax.servlet.http.HttpServletRequest;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
 
-public class SessionController1_9Test extends BaseModuleWebContextSensitiveTest {
+@SuppressWarnings("unchecked")
+public class SessionController2_0Test extends BaseModuleWebContextSensitiveTest {
 
 	private static final String SESSION_ID = "test-session-id";
 
 	private static final String UNKNOWN_LOCATION_UUID = "8d6c993e-c2cc-11de-8d13-0010c6dffd0f"; // Unknown Location
 
 	private static final String XANADU_UUID = "9356400c-a5a2-4532-8f2b-2361b3446eb8"; // Xanadu
 
-	private SessionController1_9 controller;
+	private SessionController2_0 controller;
 
 	private HttpServletRequest hsr;
 
 	@Before
 	public void before() {
-		controller = Context.getRegisteredComponents(SessionController1_9.class).iterator().next(); // should only be 1
+		controller = Context.getRegisteredComponents(SessionController2_0.class).iterator().next(); // should only be 1
 		MockHttpServletRequest mockHsr = new MockHttpServletRequest();
 		mockHsr.setSession(new MockHttpSession(new MockServletContext(), SESSION_ID));
 		hsr = mockHsr;
@@ -56,7 +56,7 @@ public void before() {
 	}
 
 	/**
-	 * @see SessionController1_9#delete(HttpServletRequest) 
+	 * @see SessionController2_0#delete(HttpServletRequest)
 	 * @verifies log the client out
 	 */
 	@Test
@@ -68,7 +68,7 @@ public void delete_shouldLogTheClientOut() throws Exception {
 	}
 
 	/**
-	 * @see SessionController1_9#get()
+	 * @see SessionController2_0#get()
 	 * @verifies return the session id if the user is authenticated
 	 */
 	@Test
@@ -105,7 +105,7 @@ public void get_shouldReturnLocationIfTheUserIsAuthenticated() throws Exception
 	}
 
 	/**
-	 * @see SessionController1_9#get()
+	 * @see SessionController2_0#get()
 	 * @verifies return the session with current provider if the user is authenticated
 	 */
 	@Test
@@ -169,4 +169,23 @@ public void post_shouldFailWhenSettingNonexistantLocation() throws Exception {
 		String content = "{\"sessionLocation\":\"fake-nonexistant-uuid\"}";
 		controller.post(hsr, new ObjectMapper().readValue(content, HashMap.class));
 	}
+
+	/**
+	 * @see SessionController2_0#get()
+	 * @verifies return the session with current provider if the user doesn't have Get Providers privileges
+	 */
+	@Test
+	public void get_shouldReturnCurrentProviderIfTheUserDoesNotHaveGetProvidersPrivileges() throws Exception {
+		executeDataSet("sessionControllerTestDataset.xml");
+
+		// authenticate new user without privileges
+		Context.logout();
+		Context.authenticate("test_user", "test");
+		Assert.assertTrue(Context.isAuthenticated());
+
+		Object ret = controller.get();
+		Object currentProvider = PropertyUtils.getProperty(ret, "currentProvider");
+		Assert.assertNotNull(currentProvider);
+		Assert.assertTrue(currentProvider.toString().contains("Test Provider"));
+	}
 }
diff --git a/omod-2.0/src/test/resources/sessionControllerTestDataset.xml b/omod-2.0/src/test/resources/sessionControllerTestDataset.xml
@@ -0,0 +1,8 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<dataset>
+
+    <person person_id="601" gender="M" dead="false" birthdate_estimated="0" creator="1" date_created="2008-08-15 15:57:09.0" voided="false" uuid="hy6b4e41-790c-484f-b6ed-71dc3e4222de"/>
+    <users user_id="601" person_id="601" system_id="7-5" username="test_user" password="4a1750c8607d0fa237de36c6305715c223415189" salt="c788c6ad82a157b712392ca695dfcf2eed193d7f" creator="1" date_created="2008-08-15 15:57:09.0" retired="false" uuid="06d05314-e132-11de-babe-001e37123456"/>
+    <provider provider_id="601" person_id="601" name="Mr. Test Provider" identifier="Test Provider" creator="1" date_created="2008-08-15 15:57:09.0" retired="false" uuid="e1009293-c561-47ae-b112-214052c17888" />
+
+</dataset>