From d6bb54d71e7b6952265d7a88ca73385085cf82e1 Mon Sep 17 00:00:00 2001 From: Allan England Date: Wed, 20 Mar 2024 16:22:50 +0000 Subject: [PATCH] Put restriction around getting a single proposal, use this in places that get data but doesnt yet work for updates --- .../pst/apiimpl/rest/ProposalResource.java | 29 +++++++++++++------ 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/src/main/java/org/orph2020/pst/apiimpl/rest/ProposalResource.java b/src/main/java/org/orph2020/pst/apiimpl/rest/ProposalResource.java index cc74b88..6def612 100644 --- a/src/main/java/org/orph2020/pst/apiimpl/rest/ProposalResource.java +++ b/src/main/java/org/orph2020/pst/apiimpl/rest/ProposalResource.java @@ -3,9 +3,9 @@ * Created on 16/03/2022 by Paul Harrison (paul.harrison@manchester.ac.uk). */ -import io.quarkus.oidc.IdToken; import jakarta.enterprise.context.ApplicationScoped; import jakarta.inject.Inject; +import jakarta.persistence.TypedQuery; import org.eclipse.microprofile.jwt.JsonWebToken; import org.eclipse.microprofile.openapi.annotations.Operation; import org.eclipse.microprofile.openapi.annotations.responses.APIResponse; @@ -122,6 +122,18 @@ public List getProposals(@RestQuery String investigatorName, @ } } + private ObservingProposal singleObservingProposal(Long proposalCode) + { + TypedQuery q = em.createQuery( + "Select o From ObservingProposal o, Investigator i where i member of o.investigators " + + "and o._id = :pid and i.person._id = :uid", + ObservingProposal.class + ); + q.setParameter("pid", proposalCode); + q.setParameter("uid", subjectMapResource.subjectMap(accessToken.getSubject()).getPerson().getId()); + return q.getSingleResult(); + } + @GET @Operation(summary = "get the Proposal specified by the 'proposalCode'") @APIResponse( 
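Review bot: In singleObservingProposal the line `return q.getSingleResult();` lets `NoResultException` escape when the proposal does not exist or the caller is not one of its investigators, so the new restriction reaches clients as an unhandled persistence exception (typically a 500) instead of the `WebApplicationException` that getObservingProposal, getObservingProposalTitle and validateObservingProposal (the next three hunks) declare. Map the miss to a 404 — using the same status for "absent" and "not a member" avoids confirming to a non-member that a given proposal code exists — and consider `NonUniqueResultException` as well if the model allows one person to appear more than once in `o.investigators` (cannot tell from here). `TypedQuery q` also appears here as a raw type; if the type argument was stripped in rendering ignore this, otherwise declare it `TypedQuery<ObservingProposal> q` so the unchecked conversion goes away. `NoResultException` would need importing from `jakarta.persistence` alongside the new `TypedQuery` import.
```java
private ObservingProposal singleObservingProposal(Long proposalCode)
{
    // … unchanged: query construction and parameter binding …
    try {
        return q.getSingleResult();
    } catch (NoResultException e) {
        // "absent" and "not permitted" are deliberately indistinguishable to the client
        throw new WebApplicationException("Proposal not found", Response.Status.NOT_FOUND);
    }
}
```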
@@ -133,7 +145,7 @@ public List getProposals(@RestQuery String investigatorName, @ public ObservingProposal getObservingProposal(@PathParam("proposalCode") Long proposalCode) throws WebApplicationException { - return findObject(ObservingProposal.class, proposalCode); + return singleObservingProposal(proposalCode); } @POST @@ -164,7 +176,7 @@ public Response deleteObservingProposal(@PathParam("proposalCode") long code) @Path(proposalRoot + "/title") @Operation(summary = "get the title of the ObservingProposal specified by 'proposalCode'") public Response getObservingProposalTitle(@PathParam("proposalCode") Long proposalCode) { - ObservingProposal proposal = findObject(ObservingProposal.class, proposalCode); + ObservingProposal proposal = singleObservingProposal(proposalCode); return responseWrapper(proposal.getTitle(), 200); } @@ -173,7 +185,7 @@ public Response getObservingProposalTitle(@PathParam("proposalCode") Long propos @Path(proposalRoot + "/validate") @Operation(summary = "validate the proposal, get summary strings of it's state. Optionally pass a cycle to compare dates with.") public ProposalValidation validateObservingProposal(@PathParam("proposalCode") Long proposalCode, @RestQuery long cycleId) { - ObservingProposal proposal = findObject(ObservingProposal.class, proposalCode); + ObservingProposal proposal = singleObservingProposal(proposalCode); boolean valid = true; String info = "Your proposal is ready for submission"; StringBuilder warn = new StringBuilder(); @@ -234,6 +246,7 @@ public ProposalValidation validateObservingProposal(@PathParam("proposalCode") L @PUT @Operation(summary = "change the title of an ObservingProposal") @Consumes(MediaType.TEXT_PLAIN) + //@RolesAllowed("default-roles-orppst") @Transactional(rollbackOn = {WebApplicationException.class}) @Path(proposalRoot +"/title") public Response replaceTitle( 
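Review bot: The added `//@RolesAllowed("default-roles-orppst")` above `@Transactional` on replaceTitle is commented-out code; either enable it or drop it, because a dormant annotation reads as if the endpoint were protected when it is not. replaceTitle's body (in the next hunk) still loads the proposal through the unrestricted `findObject(ObservingProposal.class, proposalCode)`, so the PUT is not covered by the investigator check introduced for the GET paths; the commit message acknowledges that updates are not yet handled, so a `// TODO: route through singleObservingProposal once updates support the investigator check` comment at that call would record the gap where the next maintainer will see it.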
@@ -242,9 +255,7 @@ public Response replaceTitle( throws WebApplicationException { ObservingProposal proposal = findObject(ObservingProposal.class, proposalCode); - proposal.setTitle(replacementTitle); - return responseWrapper(proposal.getTitle(), 201); } @@ -270,7 +281,7 @@ public Response replaceSummary(@PathParam("proposalCode") long proposalCode, Str @Path(proposalRoot + "/kind") @Operation(summary = "get the 'kind' of ObservingProposal specified by the 'proposalCode") public ProposalKind getObservingProposalKind(@PathParam("proposalCode") Long proposalCode) { - ObservingProposal proposal = findObject(ObservingProposal.class, proposalCode); + ObservingProposal proposal = getObservingProposal(proposalCode); return proposal.getKind(); } @@ -302,7 +313,7 @@ public Justification getJustification(@PathParam("proposalCode") Long proposalCo @PathParam("which") String which) throws WebApplicationException { - ObservingProposal observingProposal = findObject(ObservingProposal.class, proposalCode); + ObservingProposal observingProposal = getObservingProposal(proposalCode); //avoid returning nulls to frontend clients return switch (which) { @@ -580,7 +591,7 @@ public Response removeField(@PathParam("proposalCode") Long proposalCode, @PathP @Path(proposalRoot+"/export") public Response exportProposal(@PathParam("proposalCode")Long proposalCode) throws WebApplicationException { - ObservingProposal proposalForExport = findObject(ObservingProposal.class, proposalCode); + ObservingProposal proposalForExport = getObservingProposal(proposalCode); return Response .status(Response.Status.OK)
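Review bot: getObservingProposalKind now resolves the proposal via the public endpoint method `getObservingProposal(proposalCode)`, whereas the earlier hunks in this patch call the private helper `singleObservingProposal(proposalCode)` directly; the same pattern appears in getJustification (@@ -302) and exportProposal (@@ -580). Calling a JAX-RS-annotated resource method from inside the class works, but it couples internal lookups to that endpoint's annotations and makes it harder to see at a glance which lookups are access-checked; `ObservingProposal proposal = singleObservingProposal(proposalCode);` keeps all call sites uniform. The exportProposal hunk appears to continue past the end of the visible text.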