diff --git a/src/main/java/org/cbioportal/security/VirtualStudyPermissionService.java b/src/main/java/org/cbioportal/security/VirtualStudyPermissionService.java
deleted file mode 100644
index 40183545102..00000000000
--- a/src/main/java/org/cbioportal/security/VirtualStudyPermissionService.java
+++ /dev/null
@@ -1,56 +0,0 @@
-package org.cbioportal.security;
-
-import org.cbioportal.utils.security.AccessLevel;
-import org.cbioportal.web.parameter.StudyViewFilter;
-import org.cbioportal.web.parameter.VirtualStudy;
-import org.cbioportal.web.parameter.VirtualStudyData;
-import org.cbioportal.web.parameter.VirtualStudySamples;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.stereotype.Service;
-
-import java.util.Iterator;
-import java.util.List;
-import java.util.Optional;
-import java.util.Set;
-import java.util.stream.Collectors;
-
-@Service
-public class VirtualStudyPermissionService {
-
- private final Optional cancerStudyPermissionEvaluator;
-
- public VirtualStudyPermissionService(Optional cancerStudyPermissionEvaluator) {
- this.cancerStudyPermissionEvaluator = cancerStudyPermissionEvaluator;
- }
-
- public void filterOutForbiddenStudies(List virtualStudies) {
- Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
- if (authentication == null || cancerStudyPermissionEvaluator.isEmpty()) {
- return;
- }
- Iterator virtualStudyIterator = virtualStudies.iterator();
- while (virtualStudyIterator.hasNext()) {
- VirtualStudy virtualStudy = virtualStudyIterator.next();
- VirtualStudyData virtualStudyData = virtualStudy.getData();
-
- Set filteredStudies = virtualStudyData.getStudies().stream()
- .filter(study ->
- cancerStudyPermissionEvaluator.get().hasPermission(authentication, study.getId(), "CancerStudyId", AccessLevel.READ))
- .collect(Collectors.toSet());
- if (filteredStudies.isEmpty()) {
- virtualStudyIterator.remove();
- continue;
- }
- virtualStudyData.setStudies(filteredStudies);
-
- StudyViewFilter studyViewFilter = virtualStudyData.getStudyViewFilter();
- List filteredStudyIds = studyViewFilter.getStudyIds().stream()
- .filter(studyId ->
- cancerStudyPermissionEvaluator.get().hasPermission(authentication, studyId, 
"CancerStudyId", AccessLevel.READ)) - .toList(); - virtualStudyData.getStudyViewFilter().setStudyIds(filteredStudyIds); - } - - } -} diff --git a/src/main/java/org/cbioportal/web/PublicVirtualStudiesController.java b/src/main/java/org/cbioportal/web/PublicVirtualStudiesController.java index 3266530e896..65bafd7cfab 100644 --- a/src/main/java/org/cbioportal/web/PublicVirtualStudiesController.java +++ b/src/main/java/org/cbioportal/web/PublicVirtualStudiesController.java @@ -4,7 +4,6 @@ import io.swagger.v3.oas.annotations.media.Content; import io.swagger.v3.oas.annotations.media.Schema; import io.swagger.v3.oas.annotations.responses.ApiResponse; -import org.cbioportal.security.VirtualStudyPermissionService; import org.cbioportal.service.CancerTypeService; import org.cbioportal.service.exception.AccessForbiddenException; import org.cbioportal.service.exception.CancerTypeNotFoundException; @@ -52,20 +51,16 @@ public class PublicVirtualStudiesController { private final CancerTypeService cancerTypeService; - private final VirtualStudyPermissionService virtualStudyPermissionService; - public PublicVirtualStudiesController( @Value("${session.endpoint.publisher-api-key:}") String requiredPublisherApiKey, SessionServiceRequestHandler sessionServiceRequestHandler, @Value("${session.service.url:}") String sessionServiceURL, - CancerTypeService cancerTypeService, - VirtualStudyPermissionService virtualStudyPermissionService + CancerTypeService cancerTypeService ) { this.requiredPublisherApiKey = requiredPublisherApiKey; this.sessionServiceRequestHandler = sessionServiceRequestHandler; this.sessionServiceURL = sessionServiceURL; this.cancerTypeService = cancerTypeService; - this.virtualStudyPermissionService = virtualStudyPermissionService; } @GetMapping 
@@ -82,7 +77,6 @@ public ResponseEntity> getPublicVirtualStudies() { }); List virtualStudies = responseEntity.getBody(); - virtualStudyPermissionService.filterOutForbiddenStudies(virtualStudies); return new ResponseEntity<>(virtualStudies, HttpStatus.OK); } diff --git a/src/main/java/org/cbioportal/web/SessionServiceController.java b/src/main/java/org/cbioportal/web/SessionServiceController.java index b1f8b92fc7e..801fdafa419 100644 --- a/src/main/java/org/cbioportal/web/SessionServiceController.java +++ b/src/main/java/org/cbioportal/web/SessionServiceController.java @@ -12,7 +12,6 @@ import io.swagger.v3.oas.annotations.responses.ApiResponse; import jakarta.servlet.http.HttpServletResponse; import jakarta.validation.constraints.Size; -import org.cbioportal.security.VirtualStudyPermissionService; import org.cbioportal.service.util.CustomAttributeWithData; import org.cbioportal.service.util.CustomDataSession; import org.cbioportal.service.util.SessionServiceRequestHandler; @@ -80,9 +79,6 @@ public class SessionServiceController { @Value("${session.service.url:}") private String sessionServiceURL; - @Autowired - private VirtualStudyPermissionService virtualStudyPermissionService; - private static Map> pageToSettingsDataClass = ImmutableMap.of( SessionPage.study_view, StudyPageSettings.class, SessionPage.results_view, ResultsPageSettings.class 
@@ -216,14 +212,7 @@ public ResponseEntity getSession(@PathVariable Session.SessionType type Session session; switch (type) { case virtual_study: - VirtualStudy virtualStudy = sessionServiceObjectMapper.readValue(sessionDataJson, VirtualStudy.class); - List virtualStudies = new ArrayList<>(); - virtualStudies.add(virtualStudy); - virtualStudyPermissionService.filterOutForbiddenStudies(virtualStudies); - if (virtualStudies.isEmpty()) { - return new ResponseEntity<>(HttpStatus.NOT_FOUND); - } - session = virtualStudies.getFirst(); + session = sessionServiceObjectMapper.readValue(sessionDataJson, VirtualStudy.class); break; case settings: session = sessionServiceObjectMapper.readValue(sessionDataJson, PageSettings.class); @@ -266,7 +255,6 @@ public ResponseEntity> getUserStudies() throws JsonProcessing new ParameterizedTypeReference>() {}); List virtualStudyList = responseEntity.getBody(); - virtualStudyPermissionService.filterOutForbiddenStudies(virtualStudyList); return new ResponseEntity<>(virtualStudyList, HttpStatus.OK); } catch (Exception exception) { LOG.error("Error occurred", exception);
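Review bot: In the `case virtual_study:` branch of getSession, the new line `session = sessionServiceObjectMapper.readValue(sessionDataJson, VirtualStudy.class);` returns the stored virtual study unmodified, so no per-study READ check remains visible on the response path. The same applies to getUserStudies in the next hunk and to getPublicVirtualStudies in PublicVirtualStudiesController, where the `filterOutForbiddenStudies` call is dropped. Unless authorization is enforced in a layer this diff does not show, a caller who fetches a virtual study by id or lists virtual studies would receive the study entries and study-view filter ids for studies they have no READ access to, and the former `HttpStatus.NOT_FOUND` answer for a fully forbidden virtual study no longer exists. If the removal is intentional, I would state where enforcement now lives in a comment above the read, e.g. `// Authorization: constituent studies are not filtered here; READ access is enforced in <component to be named>`, and add a test asserting that a user without READ on a constituent study does not get it back from these three endpoints. getSession's body starts and ends outside the hunk.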