From f48200caa6425324d0d5929004b8a148a0f0cbf7 Mon Sep 17 00:00:00 2001
From: J-N-K
Date: Tue, 21 Feb 2023 19:31:55 +0100
Subject: [PATCH] Allow access to rule summary for Role.USERS (#3392)

Signed-off-by: Jan N. Klug
---
 .../core/automation/rest/internal/RuleResource.java | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/bundles/org.openhab.core.automation.rest/src/main/java/org/openhab/core/automation/rest/internal/RuleResource.java b/bundles/org.openhab.core.automation.rest/src/main/java/org/openhab/core/automation/rest/internal/RuleResource.java
index 04e5e2155d6..27b46dfc0c6 100644
--- a/bundles/org.openhab.core.automation.rest/src/main/java/org/openhab/core/automation/rest/internal/RuleResource.java
+++ b/bundles/org.openhab.core.automation.rest/src/main/java/org/openhab/core/automation/rest/internal/RuleResource.java
@@ -40,6 +40,7 @@
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.Response.Status;
+import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.core.UriInfo;
 
 import org.eclipse.jdt.annotation.NonNullByDefault;
@@ -141,12 +142,17 @@ public RuleResource(
         // }
 
     @GET
+    @RolesAllowed({ Role.USER, Role.ADMIN })
     @Produces(MediaType.APPLICATION_JSON)
     @Operation(operationId = "getRules", summary = "Get available rules, optionally filtered by tags and/or prefix.", responses = {
             @ApiResponse(responseCode = "200", description = "OK", content = @Content(array = @ArraySchema(schema = @Schema(implementation = EnrichedRuleDTO.class)))) })
-    public Response get(@QueryParam("prefix") final @Nullable String prefix,
+    public Response get(@Context SecurityContext securityContext, @QueryParam("prefix") final @Nullable String prefix,
             @QueryParam("tags") final @Nullable List tags,
             @QueryParam("summary") @Parameter(description = "summary fields only") @Nullable Boolean summary) {
+        if ((summary == null || !summary) && !securityContext.isUserInRole(Role.ADMIN)) {
+            // users may only access the summary
+            return JSONResponse.createErrorResponse(Status.UNAUTHORIZED, "Authentication required");
+        }
         // match all
         Predicate p = r -> true;
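Review bot: The new guard in get() answers a caller who is authenticated as Role.USER but lacks Role.ADMIN with `Status.UNAUTHORIZED` and the text "Authentication required", which is the wrong signal: 401 tells the client its credentials are missing or invalid and invites a retry with new credentials, whereas this is an authorization decision about a user the framework has already accepted via `@RolesAllowed({ Role.USER, Role.ADMIN })`. A 403 states the actual condition and avoids clients looping on re-authentication, e.g. `return JSONResponse.createErrorResponse(Status.FORBIDDEN, "Only the summary view is available to non-admin users");`. The `@Operation`/`@ApiResponse` metadata above the method still documents only the 200 case, so the added rejection path is invisible in the generated API description; a second `@ApiResponse` entry for the denial status (and a mention of the admin-only full view in the `summary` parameter description) would keep the contract honest. The body of get() continues past the end of this hunk.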