fix(topic-data): fix security on delete compacted topic

close #725
tchiotludo · Jun 3, 2021 · d0620e6 · d0620e6
1 parent 2d89dc4
commit d0620e6
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 7 deletions.
diff --git a/gradle.properties b/gradle.properties
@@ -1,4 +1,4 @@
-micronautVersion=2.5.0
+micronautVersion=2.5.5
 confluentVersion=6.1.1
 kafkaVersion=2.8.0
 kafkaScalaVersion=2.13

diff --git a/src/main/java/org/akhq/controllers/AbstractController.java b/src/main/java/org/akhq/controllers/AbstractController.java
@@ -54,6 +54,12 @@ private static List<String> expandRoles(List<String> roles) {
             .collect(Collectors.toList());
     }
 
+    protected boolean isAllowed(String role) {
+        return this.getRights()
+            .stream()
+            .anyMatch(s -> s.equals(role));
+    }
+
     @SuppressWarnings("unchecked")
     protected List<String> getRights() {
         if (!applicationContext.containsBean(SecurityService.class)) {

diff --git a/src/main/java/org/akhq/controllers/ErrorController.java b/src/main/java/org/akhq/controllers/ErrorController.java
@@ -71,11 +71,11 @@ private HttpResponse<?> renderExecption(HttpRequest<?> request, Exception e) {
 
     @Error(global = true)
     public HttpResponse<?> error(HttpRequest<?> request, AuthorizationException e) throws URISyntaxException {
-
         if (request.getUri().toString().startsWith("/api")) {
-            return HttpResponse.unauthorized().body( new JsonError("Unauthorized"));
+            return HttpResponse.unauthorized().body(new JsonError("Unauthorized"));
         }
-        return HttpResponse.temporaryRedirect(this.uri("/login"));
+
+        return HttpResponse.temporaryRedirect(this.uri("/ui/login"));
     }
 
     @Error(global = true)

diff --git a/src/main/java/org/akhq/controllers/TopicController.java b/src/main/java/org/akhq/controllers/TopicController.java
@@ -35,7 +35,6 @@
 import java.util.concurrent.ExecutionException;
 import java.util.stream.Collectors;
 import javax.inject.Inject;
-import org.akhq.models.Record;
 
 @Slf4j
 @Secured(Role.ROLE_TOPIC_READ)
@@ -192,7 +191,7 @@ public ResultNextList<Record> data(
             data,
             options.after(data, uri),
             (options.getPartition() == null ? topic.getSize() : topic.getSize(options.getPartition())),
-            topic.canDeleteRecords(cluster, configRepository)
+            this.isAllowed(Role.ROLE_TOPIC_DATA_DELETE) && topic.canDeleteRecords(cluster, configRepository)
         );
     }
 
@@ -378,7 +377,7 @@ public ResultNextList<Record> record(
                 data,
                 URIBuilder.empty(),
                 data.size(),
-                topic.canDeleteRecords(cluster, configRepository)
+            this.isAllowed(Role.ROLE_TOPIC_DATA_DELETE) && topic.canDeleteRecords(cluster, configRepository)
         );
     }