SUPPORT-8407: Fix

backend/src/main/java/esia/service/EsiaAuthService.java

@@ -24,7 +24,6 @@ import esia.config.FormUrlencoded;
 import esia.model.EmployeeModel;
 import esia.model.EsiaTokenResponse;
 import esia.model.OrganizationModel;
-import esia.model.PersonModel;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpHeaders;
 import org.springframework.stereotype.Service;
@@ -47,7 +46,7 @@ public class EsiaAuthService {
   private EsiaConfig esiaConfig;
 
   @Autowired
-  private UlDataService personalDataService;
+  private UlDataService ulDataService;
 
   public String generateAuthCodeUrl() {
     try {
@@ -175,6 +174,10 @@ public class EsiaAuthService {
         throw new RuntimeException(tokenResponse.getError_description());
       }
       String accessToken = tokenResponse.getAccess_token();
+      boolean hasRole = ulDataService.checkRole(accessToken);
+      if (!hasRole) {
+        throw new RuntimeException("The user does not have the required role");
+      }
       Cookie cookie = new Cookie("access_token", accessToken);
       cookie.setHttpOnly(true);
       cookie.setSecure(true);
@@ -192,8 +195,8 @@ public class EsiaAuthService {
       isAuthToken.setPath("/");
       response.addCookie(isAuthToken);
 
-      EmployeeModel employeeModel = personalDataService.getPersonModel(accessToken);
-      OrganizationModel organizationModel = personalDataService.getOrganizationModel(accessToken);
+      EmployeeModel employeeModel = ulDataService.getPersonModel(accessToken);
+      OrganizationModel organizationModel = ulDataService.getOrganizationModel(accessToken);
       return true;
     }
     catch (Exception e) {

backend/src/main/java/esia/service/UlDataService.java

@@ -9,6 +9,8 @@ import esia.model.PersonModel;
  */
 public interface UlDataService {
 
+  boolean checkRole(String accessToken);
+
   EmployeeModel getPersonModel(String accessToken);
 
   PersonModel getChiefPersonModel(String accessToken);

backend/src/main/java/esia/service/UlDataServiceImpl.java

@@ -155,4 +155,28 @@ public class UlDataServiceImpl implements UlDataService {
     }
   }
 
+  @Override
+  public boolean checkRole(String accessToken) {
+    try {
+      EsiaAccessToken esiaAccessToken = readToken(accessToken);
+      String prsnId = esiaAccessToken.getSbj_id();
+      String url = esiaConfig.getEsiaBaseUri() + "rs/orgs/"  + prsnId + "/grps?embed=(elements)";
+      HttpRequest getReq = HttpRequest.newBuilder(URI.create(url))
+          .header(HttpHeaders.CONTENT_TYPE, "application/x-www-form-urlencoded")
+          .header("Authorization", "Bearer ".concat(accessToken))
+          .GET()
+          .timeout(Duration.ofSeconds(60))
+          .build();
+      HttpResponse<String> getResp = HttpClient.newBuilder()
+          .connectTimeout(Duration.ofSeconds(30))
+          .build()
+          .send(getReq, HttpResponse.BodyHandlers.ofString());
+      errorHandler(getResp);
+
+    }
+    catch (Exception e) {
+      throw new RuntimeException(e);
+    }
+    return false;
+  }
 }