LUT-27605 : control access to response details within workgroup

TimotheeHrl · TimotheeHrl · commit 1d17ef31221d · 2024-04-17T17:24:02.000+02:00
diff --git a/src/java/fr/paris/lutece/plugins/forms/service/FormsMultiviewAuthorizationService.java b/src/java/fr/paris/lutece/plugins/forms/service/FormsMultiviewAuthorizationService.java
@@ -38,12 +38,9 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.stream.Collectors;
-
 import javax.servlet.http.HttpServletRequest;
-
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang3.math.NumberUtils;
-
 import fr.paris.lutece.plugins.forms.business.form.FormResponseItem;
 import fr.paris.lutece.plugins.forms.business.form.column.FormColumnFactory;
 import fr.paris.lutece.plugins.forms.business.form.column.IFormColumn;
@@ -56,6 +53,9 @@
 import fr.paris.lutece.plugins.forms.util.FormsConstants;
 import fr.paris.lutece.plugins.forms.web.form.FormDisplayFactory;
 import fr.paris.lutece.portal.service.admin.AdminUserService;
+import fr.paris.lutece.portal.service.workgroup.AdminWorkgroupService;
+import fr.paris.lutece.plugins.forms.business.Form;
+import fr.paris.lutece.plugins.forms.business.FormResponse;
 
 import java.util.HashMap;
 import java.util.Map;
@@ -121,6 +121,12 @@ public boolean isUserAuthorizedOnFormResponse( HttpServletRequest request, int n
                 List<Integer> listIdFormResponse = listFormResponseItem.stream( ).map( FormResponseItem::getIdFormResponse ).collect( Collectors.toList( ) );
                 bIsUserAuthorizedOnFormResponse = listIdFormResponse.contains( nIdFormResponse );
             }
+            if(bIsUserAuthorizedOnFormResponse) {
+                User user = fr.paris.lutece.portal.service.admin.AdminUserService.getAdminUser(request);
+                FormResponse formResponse = fr.paris.lutece.plugins.forms.business.FormResponseHome.findByPrimaryKey(nIdFormResponse);
+                Form form = fr.paris.lutece.plugins.forms.business.FormHome.findByPrimaryKey(formResponse.getFormId());
+                bIsUserAuthorizedOnFormResponse = AdminWorkgroupService.isAuthorized(form, user);
+            }
         }
 
         return bIsUserAuthorizedOnFormResponse;
