From 87141d0604799f27dc864bfc76872a5c04ac4047 Mon Sep 17 00:00:00 2001
From: Alexander Kulyakhtin <alexander_kulyakhtin@epam.com>
Date: Thu, 3 Jul 2025 12:24:21 +0300
Subject: [PATCH] Case-insensitive disjoint

---
 .../security/CancerStudyPermissionEvaluator.java          | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/cbioportal/application/security/CancerStudyPermissionEvaluator.java b/src/main/java/org/cbioportal/application/security/CancerStudyPermissionEvaluator.java
index e4b32bd5ea3..3875339bb7c 100644
--- a/src/main/java/org/cbioportal/application/security/CancerStudyPermissionEvaluator.java
+++ b/src/main/java/org/cbioportal/application/security/CancerStudyPermissionEvaluator.java
@@ -368,7 +368,7 @@ private boolean hasAccessToCancerStudy(
         Arrays.stream(cancerStudy.getGroups().split(";"))
             .filter(g -> !g.isEmpty())
             .collect(Collectors.toSet());
-    if (!Collections.disjoint(groups, grantedAuthorities)) {
+    if (!caseInsensitiveDisjoint(groups, grantedAuthorities)) {
       if (log.isDebugEnabled()) {
         log.debug("hasAccessToCancerStudy(), user has access by groups return true");
       }
@@ -393,6 +393,12 @@ private boolean hasAccessToCancerStudy(
     return toReturn;
   }
 
+  private static boolean caseInsensitiveDisjoint(Collection<String> c1, Collection<String> c2) {
+    Set<String> upperC1 = c1.stream().map(String::toUpperCase).collect(Collectors.toSet());
+    Set<String> upperC2 = c2.stream().map(String::toUpperCase).collect(Collectors.toSet());
+    return Collections.disjoint(upperC1, upperC2);
+  }
+
   private boolean hasAccessToCancerStudy(
       Authentication authentication, String cancerStudyId, Object permission) {
     // everybody has access the 'all' cancer study