Fixing Problem: MetaDataRepository.getExerciseById was not secured

against unauthorized users

src/main/java/at/ac/uibk/gitsearch/repository/search/MetaDataRepository.java

@@ -551,15 +551,16 @@ public class MetaDataRepository {
 	/**
 	 * just a convenience method 
 	 * @param exerciseId the parsed exercise id
+	 * @param user the user (if authenticated)
 	 * @return search result 
 	 * @throws NotFoundException if not found
 	 */
-	public SearchResultDTO getExerciseById(ExerciseId exerciseId) throws NotFoundException {
-		return getExerciseById(exerciseId.toString());
+	public SearchResultDTO getExerciseById(ExerciseId exerciseId, Optional<User> user) throws NotFoundException {
+		return getExerciseById(exerciseId.toString(), user);
 	}
 
 	
-	public SearchResultDTO getExerciseById(String exerciseId) throws NotFoundException {
+	public SearchResultDTO getExerciseById(String exerciseId, Optional<User> user) throws NotFoundException {
 		SearchRequest searchRequest = new SearchRequest(SearchRepositoryConstants.INDEX_METADATA);
 
 		BoolQueryBuilder queryBuilder = QueryBuilders.boolQuery();
@@ -568,6 +569,7 @@ public class MetaDataRepository {
 
 		SearchSourceBuilder sourceBuilder = new SearchSourceBuilder();
 		sourceBuilder.query(queryBuilder).size(10);
+		addAuthorizationQuery(user, queryBuilder);
 
 		searchRequest.source(sourceBuilder);
 

src/main/java/at/ac/uibk/gitsearch/service/GitlabService.java

@@ -157,7 +157,7 @@ public class GitlabService {
 	public InputStream getRepositoryFile(ExerciseId exerciseId, String filePath)
 			throws GitLabApiException, IOException {
 
-		final SearchResultDTO exercise = metaDataRepository.getExerciseById(exerciseId);
+		final SearchResultDTO exercise = metaDataRepository.getExerciseById(exerciseId, tokenProvider.getCurrentPrincipal());
 		final GitLabApi gitLabApi = gitLabRepository.getGitLabApi(tokenProvider.getGitLabAccessInfo());
 		RepositoryFile file;
 		file = gitLabApi.getRepositoryFileApi().getFile(exercise.getProject().getProjectId(),

src/main/java/at/ac/uibk/gitsearch/service/SearchService.java

@@ -215,7 +215,7 @@ public class SearchService {
 	
 	public File exportExercise(String exerciseId) throws IOException {
 		try{
-			final SearchResultDTO exercise = metaDataRepository.getExerciseById(exerciseId);
+			final SearchResultDTO exercise = metaDataRepository.getExerciseById(exerciseId, tokenProvider.getCurrentPrincipal());
 			final GitLabApi gitLabApi = gitLabRepository.getGitLabApi(tokenProvider.getGitLabAccessInfo());
 			InputStream inputFile = shoppingBasketService.rePackageGitLabProjectZip(new ZipInputStream(gitLabApi.getRepositoryApi().getRepositoryArchive(exercise.getProject().getProject_id(), "HEAD", "zip")), "from project " + exerciseId);
 			File file = new File("exercise" + exerciseId + ".zip");
@@ -242,7 +242,7 @@ public class SearchService {
 	
 	public Optional<SearchResultDTO> findExerciseById(ExerciseId exerciseId) {
 		try {
-			SearchResultDTO result = metaDataRepository.getExerciseById(exerciseId.toString());
+			SearchResultDTO result = metaDataRepository.getExerciseById(exerciseId.toString(), tokenProvider.getCurrentPrincipal());
 			return Optional.ofNullable(result);
 		} catch (javax.ws.rs.NotFoundException e) {
 			log.error("exercise with id {} not found?", exerciseId, e);

src/test/java/at/ac/uibk/gitsearch/repository/search/MetaDataRepositoryIT.java

@@ -9,6 +9,7 @@ import static org.junit.Assert.assertThat;
 
 import java.io.IOException;
 import java.util.List;
+import java.util.Optional;
 
 import javax.ws.rs.NotFoundException;
 
@@ -77,9 +78,9 @@ public class MetaDataRepositoryIT {
 
 	@Test
 	public void getByExerciseId() throws IOException {
-		// This test assumes that the test entries have consecutive ids
-		for (int i : new int[] { 1, 2, 3 }) {
-			final SearchResultDTO exerciseById = metaDataRepository.getExerciseById(i + "");
+		// This test assumes that the test entries are public
+		for (int i : new int[] { 1 }) {
+			final SearchResultDTO exerciseById = metaDataRepository.getExerciseById(i + "", Optional.empty());
 			assertNotNull("should be found:", exerciseById);
 			assertEquals("Id should be the same", i + "", exerciseById.getExerciseId());
 		}
@@ -90,7 +91,7 @@ public class MetaDataRepositoryIT {
 		// This test assumes that the test entries have consecutive ids
 		String exerciseId = "999999"; // should not exist
 		Assertions.assertThrows(NotFoundException.class, () -> {
-			metaDataRepository.getExerciseById(exerciseId);},
+			metaDataRepository.getExerciseById(exerciseId, Optional.empty());},
 				"Exercise for id " + exerciseId + " should not exist:");
 	}
 }

src/test/java/at/ac/uibk/gitsearch/service/InfoMailServiceIT.java

@@ -159,7 +159,7 @@ public class InfoMailServiceIT {
 
 	@BeforeEach
 	public void setUpChangedExercise() throws JsonGenerationException, JsonMappingException, IOException {
-		final SearchResultDTO testExercise = metaDataRepository.getExerciseById(TEST_EXERCISE_ID);
+		final SearchResultDTO testExercise = metaDataRepository.getExerciseById(TEST_EXERCISE_ID, Optional.empty());
 
 		testExercise.getProject().setLast_activity_at(Instant.now());
 

src/test/java/at/ac/uibk/gitsearch/web/rest/SearchResourceIT.java

@@ -32,7 +32,7 @@ import at.ac.uibk.gitsearch.web.rest.ExerciseResourceIT.StreamResultMatcher;
  * Integration tests for the {@link UserResource} REST controller.
  */
 @AutoConfigureMockMvc
-@WithMockUser(authorities = AuthoritiesConstants.USER)
+@WithMockUser(authorities = {AuthoritiesConstants.USER, "sharing"})
 @SpringBootTest(classes = GitsearchApp.class)
 public class SearchResourceIT {