geode-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jinmeil...@apache.org
Subject incubator-geode git commit: GEODE-2004: Create/update/delete query through rest api should require DATA:READ instead of DATA:WRITE
Date Mon, 17 Oct 2016 18:57:06 GMT
Repository: incubator-geode
Updated Branches:
  refs/heads/develop 5abe957ca -> cf09ac94d


GEODE-2004: Create/update/delete query through rest api should require DATA:READ instead of
DATA:WRITE

* This closes #262


Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/cf09ac94
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/cf09ac94
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/cf09ac94

Branch: refs/heads/develop
Commit: cf09ac94ddbd3c0a8dca9a94eac53d95871f1691
Parents: 5abe957
Author: Kevin Duling <kduling@pivotal.io>
Authored: Mon Oct 17 11:02:54 2016 -0700
Committer: Jinmei Liao <jiliao@pivotal.io>
Committed: Mon Oct 17 11:55:44 2016 -0700

----------------------------------------------------------------------
 .../geode/rest/internal/web/RestSecurityIntegrationTest.java   | 6 +++---
 .../rest/internal/web/controllers/QueryAccessController.java   | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cf09ac94/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java
----------------------------------------------------------------------
diff --git a/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java
b/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java
index ef019a4..6e91894 100644
--- a/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java
+++ b/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java
@@ -138,7 +138,7 @@ public class RestSecurityIntegrationTest {
     assertEquals(401, getCode(response));
     response = doPost("/queries?id=0&q=", "stranger", "1234567", "");
     assertEquals(403, getCode(response));
-    response = doPost("/queries?id=0&q=", "dataWriter", "1234567", "");
+    response = doPost("/queries?id=0&q=", "dataReader", "1234567", "");
     // because we're only testing the security of the endpoint, not the endpoint functionality,
a 500 is acceptable
     assertEquals(500, getCode(response));
   }
@@ -149,7 +149,7 @@ public class RestSecurityIntegrationTest {
     assertEquals(401, getCode(response));
     response = doPost("/queries/id", "stranger", "1234567", "{\"id\" : \"foo\"}");
     assertEquals(403, getCode(response));
-    response = doPost("/queries/id", "dataWriter", "1234567", "{\"id\" : \"foo\"}");
+    response = doPost("/queries/id", "dataReader", "1234567", "{\"id\" : \"foo\"}");
     // because we're only testing the security of the endpoint, not the endpoint functionality,
a 500 is acceptable
     assertEquals(500, getCode(response));
   }
@@ -160,7 +160,7 @@ public class RestSecurityIntegrationTest {
     assertEquals(401, getCode(response));
     response = doPut("/queries/id", "stranger", "1234567", "{\"id\" : \"foo\"}");
     assertEquals(403, getCode(response));
-    response = doPut("/queries/id", "dataWriter", "1234567", "{\"id\" : \"foo\"}");
+    response = doPut("/queries/id", "dataReader", "1234567", "{\"id\" : \"foo\"}");
     // We should get a 404 because we're trying to update a query that doesn't exist
     assertEquals(404, getCode(response));
   }

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cf09ac94/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/controllers/QueryAccessController.java
----------------------------------------------------------------------
diff --git a/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/controllers/QueryAccessController.java
b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/controllers/QueryAccessController.java
index e43e5e6..d13c99c 100644
--- a/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/controllers/QueryAccessController.java
+++ b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/controllers/QueryAccessController.java
@@ -137,7 +137,7 @@ public class QueryAccessController extends AbstractBaseController {
     @ApiResponse( code = 409, message = "QueryId already assigned to other query." ),
     @ApiResponse( code = 500, message = "GemFire throws an error or exception." )
   } )
-  @PreAuthorize("@securityService.authorize('DATA', 'WRITE')")
+  @PreAuthorize("@securityService.authorize('DATA', 'READ')")
   public ResponseEntity<?> create(@RequestParam("id") final String queryId,
                                   @RequestParam(value = "q", required = false) String oqlInUrl,
                                   @RequestBody(required = false) final String oqlInBody)
@@ -234,7 +234,7 @@ public class QueryAccessController extends AbstractBaseController {
   } )
   @ResponseBody
   @ResponseStatus(HttpStatus.OK)
-  @PreAuthorize("@securityService.authorize('DATA', 'WRITE')")
+  @PreAuthorize("@securityService.authorize('DATA', 'READ')")
   public ResponseEntity<String> runNamedQuery(@PathVariable("query") String queryId,
                                               @RequestBody String arguments)
   {
@@ -310,7 +310,7 @@ public class QueryAccessController extends AbstractBaseController {
     @ApiResponse( code = 404, message = "queryId does not exist." ),
     @ApiResponse( code = 500, message = "GemFire throws an error or exception." )   
   } )
-  @PreAuthorize("@securityService.authorize('DATA', 'WRITE')")
+  @PreAuthorize("@securityService.authorize('DATA', 'READ')")
   public ResponseEntity<?> update( @PathVariable("query") final String queryId,
                                    @RequestParam(value = "q", required = false) String oqlInUrl,
                                    @RequestBody(required = false) final String oqlInBody)
{


Mime
View raw message