From c4aee7e6fc6e73c12ba5e7192d7698d021630080 Mon Sep 17 00:00:00 2001
From: alainbodiguel
Date: Tue, 12 Mar 2024 09:50:14 +0100
Subject: [PATCH] Forbid write sharing with group public
---
 .../persistence/server/core/PersistenceService.java | 5 ++++-
 .../java/io/arlas/persistence/rest/PersistenceIT.java | 9 ++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/arlas-persistence-core/src/main/java/io/arlas/persistence/server/core/PersistenceService.java b/arlas-persistence-core/src/main/java/io/arlas/persistence/server/core/PersistenceService.java
index daee419..0714893 100644
--- a/arlas-persistence-core/src/main/java/io/arlas/persistence/server/core/PersistenceService.java
+++ b/arlas-persistence-core/src/main/java/io/arlas/persistence/server/core/PersistenceService.java
@@ -76,7 +76,7 @@ static boolean intersect(List a, List b) {
 static boolean isShareableGroup(List group, String zone, IdentityParam identityParam) throws ForbiddenException {
 List userGroupsForZone = getGroupsForZone(zone, identityParam);
 List authorizeGroup = group.stream().filter(userGroupsForZone::contains).toList();
- if (!authorizeGroup.isEmpty() || group.isEmpty()){
+ if (!authorizeGroup.isEmpty() || group.isEmpty()) {
 return true;
 } else {
 throw new ForbiddenException("You are not authorized to give rights to this group: " + group);
@@ -87,6 +87,9 @@ static void checkReadersWritersGroups(String zone, IdentityParam identityParam,
 List writersList = new ArrayList<>(writers);
 List readersList = new ArrayList<>(readers);
+ if (writersList.contains("group/public")) {
+ throw new ForbiddenException("You are not authorized to give writers rights to this group: group/public");
+ }
 isShareableGroup(writersList, zone, identityParam);
 isShareableGroup(readersList, zone, identityParam);
 }
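Review bot: The public group identifier is hard-coded twice in the new guard in checkReadersWritersGroups, once in the `contains` check and once in the exception message, so the two can drift apart silently; extract it to a named constant, e.g. `private static final String PUBLIC_GROUP = "group/public";` and `if (writersList.contains(PUBLIC_GROUP)) {`, and build the message from the same constant. The guard is an exact string match on a raw `List`; whether group names reaching this method are already normalized (case, surrounding whitespace) is not visible here, and if they are not, a variant spelling would pass this check while still meaning the public group, so the comparison should be made on the normalized form. The method's signature lies outside the hunk (it appears only truncated in the @@ context), so the static types of `writers` and `readers` cannot be confirmed from this diff.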
diff --git a/arlas-persistence-tests/src/test/java/io/arlas/persistence/rest/PersistenceIT.java b/arlas-persistence-tests/src/test/java/io/arlas/persistence/rest/PersistenceIT.java
index 22b8323..46a794f 100644
--- a/arlas-persistence-tests/src/test/java/io/arlas/persistence/rest/PersistenceIT.java
+++ b/arlas-persistence-tests/src/test/java/io/arlas/persistence/rest/PersistenceIT.java
@@ -342,7 +342,7 @@ public void test14DeleteWithJustWriteAccess() {
 @Test
 public void test15CreateOtherOrganisation() {
- id = createData(otherCompany, "mySecondRestrictedDocument", List.of(PUBLIC), List.of(PUBLIC))
+ id = createData(otherCompany, "mySecondRestrictedDocument", List.of(PUBLIC), Collections.EMPTY_LIST)
 .then().statusCode(201)
 .body("doc_value", equalTo("{\"age\":1}"))
 .extract().jsonPath().get("id");
@@ -470,6 +470,13 @@ public void test21ListWithPublic() {
 deleteData(otherCompany, id3);
 }
+ @Test
+ public void test22CreateWithPublicWriteAccess() {
+ createData(technical, "privateDocument", List.of(TECHNICAL), List.of(PUBLIC))
+ .then().statusCode(403);
+
+ }
+
 protected RequestSpecification givenForUser(UserIdentity userIdentity) {
 return given().header(userHeader, userIdentity.userId)
 .header(groupsHeader, userIdentity.groups)
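Review bot: `Collections.EMPTY_LIST` is the raw-typed constant, while the same call already builds its other argument with `List.of(PUBLIC)`; use the typed, immutable `List.of()` for the empty writers list so the call stays consistent with the surrounding style: `id = createData(otherCompany, "mySecondRestrictedDocument", List.of(PUBLIC), List.of())`. test15CreateOtherOrganisation's body continues past the end of the hunk.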
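Review bot: test22CreateWithPublicWriteAccess asserts only the 403 status; for an authorization rule it is worth also checking that nothing was persisted, for example that a subsequent listing for `technical` does not contain `"privateDocument"`, since the status code alone would not catch a handler that rejects after writing. The blank line before the closing brace is stray and should be dropped. A one-line comment naming the rule under test, `// writers must never include group/public (enforced in PersistenceService.checkReadersWritersGroups)`, would make the 403 expectation self-explanatory to the next reader.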