
Colin Chauvet  committed ddf5c9e

Added admin permission check on REST resource

  • Parent commits 48a582b


Files changed (2)

File src/main/java/com/example/plugins/tutorial/confluence/notification/resource/NotificationResource.java

 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 
+import com.atlassian.confluence.security.PermissionManager;
 import com.atlassian.confluence.user.AuthenticatedUserThreadLocal;
 import com.atlassian.confluence.user.UserAccessor;
 import com.atlassian.mywork.model.Notification;
     public static final String PLUGIN_KEY = "com.example.plugins.tutorial.confluence.notification";
     private final LocalNotificationService notificationService;
     private final UserAccessor userAccessor;
+    private final PermissionManager permissionManager;
 
-    public NotificationResource(final LocalNotificationService notificationService, final UserAccessor userAccessor)
+    public NotificationResource(final LocalNotificationService notificationService, final UserAccessor userAccessor, final PermissionManager permissionManager)
     {
         this.notificationService = notificationService;
         this.userAccessor = userAccessor;
+        this.permissionManager = permissionManager;
     }
 
-
     @POST
     public Response createNotification(@FormParam ("title") String title, @FormParam ("message") String message)
             throws Exception
     {
+        if (isAdmin())
+        {
+            sendNotificationToAllUsers(title, message);
+            return Response.ok().build();
+        }
+        else
+        {
+            return Response.status(Response.Status.FORBIDDEN).build();
+        }
+    }
 
-        sendNotificationToAllUsers(title, message);
-        return Response.ok().build();
+    @GET
+    public Response findAllNotifications() throws Exception
+    {
+        if (isAdmin())
+        {
+            final Iterable<Notification> notifications = notificationService.findAll(AuthenticatedUserThreadLocal.getUser().getName());
+            Iterables.filter(notifications, new Predicate<Notification>()
+            {
+                @Override
+                public boolean apply(@Nullable final Notification notification)
+                {
+                    return PLUGIN_KEY.equals(notification.getApplication());
+                }
+            });
+            return Response.ok(Iterables.limit(notifications, MAX_RESULT)).build();
+        }
+        else
+        {
+            return Response.status(Response.Status.FORBIDDEN).build();
+        }
+    }
+
+    private boolean isAdmin()
+    {
+        return permissionManager.isConfluenceAdministrator(AuthenticatedUserThreadLocal.getUser());
     }
 
     private void sendNotificationToAllUsers(final String title, final String message)
                 .createNotification()).get();
     }
 
-    @GET
-    public Response findAllNotifications() throws Exception
-    {
-        // get all notifications by global id
-        final Iterable<Notification> notifications = notificationService.findAll(AuthenticatedUserThreadLocal.getUser().getName());
-        Iterables.filter(notifications, new Predicate<Notification>()
-        {
-            @Override
-            public boolean apply(@Nullable final Notification notification)
-            {
-                return PLUGIN_KEY.equals(notification.getApplication());
-            }
-        });
-        return Response.ok(Iterables.limit(notifications, MAX_RESULT)).build();
-    }
-
-
 }
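Review bot: The value returned by `Iterables.filter(...)` in the moved findAllNotifications is never used — that call (presumably Guava's) yields a new lazy view rather than mutating `notifications`, so the response line `return Response.ok(Iterables.limit(notifications, MAX_RESULT)).build();` still exposes notifications from every application instead of only this plugin's, and the anonymous Predicate is effectively dead code. Keep the view and return it: `final Iterable<Notification> ownNotifications = Iterables.filter(notifications, ...);` followed by `return Response.ok(Iterables.limit(ownNotifications, MAX_RESULT)).build();`. The new isAdmin() hands `AuthenticatedUserThreadLocal.getUser()` directly to `isConfluenceAdministrator`; if that can be null on an unauthenticated request, an explicit null check returning false (or answering 401 UNAUTHORIZED instead of 403) would make the anonymous path unambiguous — worth confirming how PermissionManager treats a null user. Both handlers repeat the same if/else around the permission check; a guard clause `if (!isAdmin()) { return Response.status(Response.Status.FORBIDDEN).build(); }` at the top of each would keep the authorized path unindented.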

File src/main/resources/templates/admin.vm

 <html>
 <head>
-    <title>Notification Administration</title>
+    <title>All user notifications</title>
 
     <meta name="decorator" content="atl.admin">
     $webResourceManager.requireResourcesForContext("com.example.plugins.tutorial.confluence.notification.admin")
 </script>
 
 <form id="notification" class="aui">
-    <h2>Confluence Notifier Administration</h2>
+    <h2>Confluence Notifier</h2>
 
     <div id="field-container">
         <div>