Posted to commits@geode.apache.org by ji...@apache.org on 2016/10/17 18:57:06 UTC
incubator-geode git commit: GEODE-2004: Create/update/delete query
through rest api should require DATA:READ instead of DATA:WRITE
Repository: incubator-geode
Updated Branches:
refs/heads/develop 5abe957ca -> cf09ac94d
GEODE-2004: Create/update/delete query through rest api should require DATA:READ instead of DATA:WRITE
* This closes #262
Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/cf09ac94
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/cf09ac94
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/cf09ac94
Branch: refs/heads/develop
Commit: cf09ac94ddbd3c0a8dca9a94eac53d95871f1691
Parents: 5abe957
Author: Kevin Duling <kd...@pivotal.io>
Authored: Mon Oct 17 11:02:54 2016 -0700
Committer: Jinmei Liao <ji...@pivotal.io>
Committed: Mon Oct 17 11:55:44 2016 -0700
----------------------------------------------------------------------
.../geode/rest/internal/web/RestSecurityIntegrationTest.java | 6 +++---
.../rest/internal/web/controllers/QueryAccessController.java | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cf09ac94/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java
----------------------------------------------------------------------
diff --git a/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java b/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java
index ef019a4..6e91894 100644
--- a/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java
+++ b/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java
@@ -138,7 +138,7 @@ public class RestSecurityIntegrationTest {
assertEquals(401, getCode(response));
response = doPost("/queries?id=0&q=", "stranger", "1234567", "");
assertEquals(403, getCode(response));
- response = doPost("/queries?id=0&q=", "dataWriter", "1234567", "");
+ response = doPost("/queries?id=0&q=", "dataReader", "1234567", "");
// because we're only testing the security of the endpoint, not the endpoint functionality, a 500 is acceptable
assertEquals(500, getCode(response));
}
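Review bot: Swapping `dataWriter` for `dataReader` on the positive case removes the only check of what a write-only user now receives from this endpoint; if `dataWriter` holds no DATA:READ (its grants are not visible here), keep it as a negative case with `assertEquals(403, getCode(response));` after its request. The same applies to the hunks at -149 and -160. In this hunk and the one at -149 the authorized path is also confirmed only by a 500, which an unexpected failure inside the authorization check would produce as well, so a request carrying a valid query that returns a 2xx would pin the result more firmly. The test methods start outside the hunks.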
@@ -149,7 +149,7 @@ public class RestSecurityIntegrationTest {
assertEquals(401, getCode(response));
response = doPost("/queries/id", "stranger", "1234567", "{\"id\" : \"foo\"}");
assertEquals(403, getCode(response));
- response = doPost("/queries/id", "dataWriter", "1234567", "{\"id\" : \"foo\"}");
+ response = doPost("/queries/id", "dataReader", "1234567", "{\"id\" : \"foo\"}");
// because we're only testing the security of the endpoint, not the endpoint functionality, a 500 is acceptable
assertEquals(500, getCode(response));
}
@@ -160,7 +160,7 @@ public class RestSecurityIntegrationTest {
assertEquals(401, getCode(response));
response = doPut("/queries/id", "stranger", "1234567", "{\"id\" : \"foo\"}");
assertEquals(403, getCode(response));
- response = doPut("/queries/id", "dataWriter", "1234567", "{\"id\" : \"foo\"}");
+ response = doPut("/queries/id", "dataReader", "1234567", "{\"id\" : \"foo\"}");
// We should get a 404 because we're trying to update a query that doesn't exist
assertEquals(404, getCode(response));
}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/cf09ac94/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/controllers/QueryAccessController.java
----------------------------------------------------------------------
diff --git a/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/controllers/QueryAccessController.java b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/controllers/QueryAccessController.java
index e43e5e6..d13c99c 100644
--- a/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/controllers/QueryAccessController.java
+++ b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/controllers/QueryAccessController.java
@@ -137,7 +137,7 @@ public class QueryAccessController extends AbstractBaseController {
@ApiResponse( code = 409, message = "QueryId already assigned to other query." ),
@ApiResponse( code = 500, message = "GemFire throws an error or exception." )
} )
- @PreAuthorize("@securityService.authorize('DATA', 'WRITE')")
+ @PreAuthorize("@securityService.authorize('DATA', 'READ')")
public ResponseEntity<?> create(@RequestParam("id") final String queryId,
@RequestParam(value = "q", required = false) String oqlInUrl,
@RequestBody(required = false) final String oqlInBody)
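Review bot: `create` persists a named query on the server, so with `'DATA', 'READ'` a read-only principal can now add entries to the query store, and in the hunk at -310 `update` lets the same principal replace the OQL behind an existing id that other clients may run (the store appears to be shared, though that is not visible here). If this is intended because a stored query can only read region data, record the reasoning next to the annotation, e.g. `// READ suffices: a stored query only reads region data; the query store has no per-owner access control`, so the READ permission on a mutating POST/PUT does not look like a mistake later. The commit subject also names delete, but no hunk touches the delete handler, so its annotation should be checked for consistency with these three. The method body continues outside the hunk.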
@@ -234,7 +234,7 @@ public class QueryAccessController extends AbstractBaseController {
} )
@ResponseBody
@ResponseStatus(HttpStatus.OK)
- @PreAuthorize("@securityService.authorize('DATA', 'WRITE')")
+ @PreAuthorize("@securityService.authorize('DATA', 'READ')")
public ResponseEntity<String> runNamedQuery(@PathVariable("query") String queryId,
@RequestBody String arguments)
{
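Review bot: The check on `runNamedQuery` is resource-wide (`'DATA', 'READ'`), while the OQL stored under `queryId` names specific regions, so a principal whose read grant is meant to cover only some regions cannot be told apart here from one allowed to read all of them. If the security service supports a region-scoped check, the regions referenced by the stored query should be authorized before it executes. Whether the execution path already does this is not visible, since the method body lies outside the hunk.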
@@ -310,7 +310,7 @@ public class QueryAccessController extends AbstractBaseController {
@ApiResponse( code = 404, message = "queryId does not exist." ),
@ApiResponse( code = 500, message = "GemFire throws an error or exception." )
} )
- @PreAuthorize("@securityService.authorize('DATA', 'WRITE')")
+ @PreAuthorize("@securityService.authorize('DATA', 'READ')")
public ResponseEntity<?> update( @PathVariable("query") final String queryId,
@RequestParam(value = "q", required = false) String oqlInUrl,
@RequestBody(required = false) final String oqlInBody) {