Feat: add missing CF header in public case

gisaia · Feb 17, 2025 · 626f6df · 626f6df
1 parent f3ce733
commit 626f6df
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/arlas-commons/src/main/java/io/arlas/filter/impl/AbstractPolicyEnforcer.java b/arlas-commons/src/main/java/io/arlas/filter/impl/AbstractPolicyEnforcer.java
@@ -214,7 +214,7 @@ public void filter(ContainerRequestContext ctx, String method, String path, Stri
                             logUAM(LOGGER::debug, ALLOWED, "public (no token): " + log);
                         }
                         // use a dummy CF in order to bypass the CFUtil and give access to public collections
-                        ctx.getHeaders().add(COLUMN_FILTER, "*:*");
+                        ctx.getHeaders().add(COLUMN_FILTER, "dummy:*");
                     }
                     return;
                 }
@@ -281,6 +281,7 @@ public void filter(ContainerRequestContext ctx, String method, String path, Stri
                 }
                 if (isPublic) {
                     putDecision(getDecisionCacheKey(ctx, method, fullPath, accessToken), Boolean.TRUE);
+                    ctx.getHeaders().add(COLUMN_FILTER, "dummy:*");
                     logUAM(LOGGER::debug, ALLOWED, "public (with token): " + log);
                     return;
                 }
@@ -290,6 +291,7 @@ public void filter(ContainerRequestContext ctx, String method, String path, Stri
                     logUAM(LOGGER::warn, DENIED,"unauthorized (invalid token): " + log);
                     ctx.abortWith(Response.status(UNAUTHORIZED).build());
                 } else {
+                    ctx.getHeaders().add(COLUMN_FILTER, "dummy:*");
                     logUAM(LOGGER::debug, ALLOWED,"public (invalid token): " + log);
                 }
                 return;

diff --git a/arlas-rest/src/main/java/io/arlas/server/rest/collections/CollectionService.java b/arlas-rest/src/main/java/io/arlas/server/rest/collections/CollectionService.java
@@ -172,8 +172,9 @@ public Response importCollections(
         Set<String> allowedCollections = ColumnFilterUtil.getAllowedCollections(Optional.ofNullable(columnFilter));
         for (CollectionReference collection : collections) {
             for (String c : allowedCollections) {
+                // In case of collection/* POST is public, we import only public collection, because of dummy column filter ctx.getHeaders().add(COLUMN_FILTER, "dummy:*");
                 if ((c.endsWith("*") && collection.collectionName.startsWith(c.substring(0, c.indexOf("*"))))
-                        || collection.collectionName.equals(c)) {
+                        || collection.collectionName.equals(c) || collection.params.collectionOrganisations.isPublic) {
                     try {
                         savedCollections.add(save(collection.collectionName, collection.params, true, organisations));
                     } catch (Exception e) {
@@ -531,6 +532,8 @@ public CollectionReference save(String collection, CollectionReferenceParameters
     })
 
     public Response delete(
+            @Parameter(hidden = true)
+            @HeaderParam(value = ARLAS_ORGANISATION) String organisations,
             @Parameter(name = "collection",
                     description = "collection",
                     required = true)
@@ -547,6 +550,8 @@ public Response delete(
         if (collection != null && collection.equals(META_COLLECTION_NAME)) {
             throw new NotAllowedException("Forbidden operation on '" + META_COLLECTION_NAME + "'");
         }
+        CollectionReference collectionReference = collectionReferenceService.getCollectionReference(collection,Optional.ofNullable(organisations));
+        collectionReferenceService.checkIfAllowedForOrganisations(collectionReference, Optional.ofNullable(organisations), true);
         collectionReferenceService.deleteCollectionReference(collection);
         return ResponseFormatter.getSuccessResponse("Collection " + collection + " deleted.");
     }