LUT-27605 : check access form within workgroup control with single function

TimotheeHrl · TimotheeHrl · commit b4f86c46a48f · 2024-09-23T15:04:46.000+02:00
diff --git a/src/java/fr/paris/lutece/plugins/forms/service/FormsMultiviewAuthorizationService.java b/src/java/fr/paris/lutece/plugins/forms/service/FormsMultiviewAuthorizationService.java
@@ -55,9 +55,6 @@
 import fr.paris.lutece.portal.service.admin.AdminUserService;
 import fr.paris.lutece.portal.service.workgroup.AdminWorkgroupService;
 import fr.paris.lutece.plugins.forms.business.Form;
-import fr.paris.lutece.plugins.forms.business.FormResponse;
-import fr.paris.lutece.plugins.forms.business.FormResponseHome;
-import fr.paris.lutece.plugins.forms.business.FormHome;
 
 import java.util.HashMap;
 import java.util.Map;
@@ -123,17 +120,28 @@ public boolean isUserAuthorizedOnFormResponse( HttpServletRequest request, int n
                 List<Integer> listIdFormResponse = listFormResponseItem.stream( ).map( FormResponseItem::getIdFormResponse ).collect( Collectors.toList( ) );
                 bIsUserAuthorizedOnFormResponse = listIdFormResponse.contains( nIdFormResponse );
             }
-            if(bIsUserAuthorizedOnFormResponse) {
-                User user = AdminUserService.getAdminUser(request);
-                FormResponse formResponse = FormResponseHome.findByPrimaryKey(nIdFormResponse);
-                Form form = FormHome.findByPrimaryKey(formResponse.getFormId());
-                bIsUserAuthorizedOnFormResponse = AdminWorkgroupService.isAuthorized(form, user);
-            }
         }
 
         return bIsUserAuthorizedOnFormResponse;
     }
 
+    /**
+     * Check if the user is authorized to access the form response within workgroup constraints
+     *
+     * @param request
+     *           The request to use to determine if the user can access the details of the given form response
+     * @param form
+     *          The Form
+     * @return true if the user is authorized to access the form response, false otherwise
+     */
+    @Override
+    public boolean isUserAuthorizedOnFormResponseWithinWorkgroup(HttpServletRequest request, Form form)
+    {
+        User user = AdminUserService.getAdminUser(request);
+        return  AdminWorkgroupService.isAuthorized(form, user);
+    }
+
+
     /**
      * Build a form response id filter from an id response
      * 
diff --git a/src/java/fr/paris/lutece/plugins/forms/service/IFormsMultiviewAuthorizationService.java b/src/java/fr/paris/lutece/plugins/forms/service/IFormsMultiviewAuthorizationService.java
@@ -34,6 +34,7 @@
 package fr.paris.lutece.plugins.forms.service;
 
 import javax.servlet.http.HttpServletRequest;
+import fr.paris.lutece.plugins.forms.business.Form;
 
 /**
  * Forms service for managing the authorization on access form response from the multiview page
@@ -51,4 +52,7 @@ public interface IFormsMultiviewAuthorizationService
      * @return the boolean which tell if the connected user is authorized to access the form response or not
      */
     boolean isUserAuthorizedOnFormResponse( HttpServletRequest request, int nIdFormResponse );
+
+
+    boolean isUserAuthorizedOnFormResponseWithinWorkgroup(HttpServletRequest request, Form form);
 }
diff --git a/src/java/fr/paris/lutece/plugins/forms/web/admin/MultiviewFormResponseDetailsJspBean.java b/src/java/fr/paris/lutece/plugins/forms/web/admin/MultiviewFormResponseDetailsJspBean.java
@@ -77,10 +77,8 @@
 import fr.paris.lutece.plugins.forms.web.form.response.view.FormResponseViewModelProcessorFactory;
 import fr.paris.lutece.plugins.forms.web.form.response.view.IFormResponseViewModelProcessor;
 import fr.paris.lutece.plugins.workflowcore.business.state.State;
-import fr.paris.lutece.portal.business.user.AdminUser;
 import fr.paris.lutece.portal.business.user.AdminUserHome;
 import fr.paris.lutece.portal.service.admin.AccessDeniedException;
-import fr.paris.lutece.portal.service.admin.AdminUserService;
 import fr.paris.lutece.portal.service.rbac.RBACService;
 import fr.paris.lutece.portal.service.security.SecurityTokenService;
 import fr.paris.lutece.portal.service.spring.SpringContextService;
@@ -178,7 +176,12 @@ public String getResponseDetails( HttpServletRequest request ) throws AccessDeni
         boolean bRBACAuthorization = RBACService.isAuthorized( Form.RESOURCE_TYPE, Integer.toString( formResponse.getFormId( ) ),
                 FormsResourceIdService.PERMISSION_VIEW_FORM_RESPONSE, (User) getUser( ) );
         boolean bAuthorizedRecord = _formsMultiviewAuthorizationService.isUserAuthorizedOnFormResponse( request, nIdFormResponse );
-
+        if(bAuthorizedRecord)
+        {
+            int nIdForm = formResponse.getFormId( );
+            Form form = FormHome.findByPrimaryKey(nIdForm);
+            bAuthorizedRecord = _formsMultiviewAuthorizationService.isUserAuthorizedOnFormResponseWithinWorkgroup( request, form );
+        }
         if ( !bRBACAuthorization || !bAuthorizedRecord )
         {
             throw new AccessDeniedException( MESSAGE_ACCESS_DENIED );
