From 97b1a3b81007c80c637611695f8255ba07dafbd9 Mon Sep 17 00:00:00 2001
From: "adel.ka"
Date: Mon, 17 Nov 2025 09:05:29 +0300
Subject: [PATCH] SUPPORT-9572:change
---
 .../controller/UploadAccessController.java | 26 ++++++++++++++++++
 .../ervu/security/SecurityConstants.java | 1 -
 .../esia/service/EsiaAuthService.java | 2 +-
 .../webbpm/jwt/helper/SecurityHelper.java | 21 +--------------
 .../webbpm/jwt/service/JwtTokenService.java | 15 ++++++++---
 frontend/src/ts/ervu/FileUploadChecker.ts | 27 ++++++++++++++++---
 6 files changed, 63 insertions(+), 29 deletions(-)
 create mode 100644 backend/src/main/java/ru/micord/ervu/controller/UploadAccessController.java
diff --git a/backend/src/main/java/ru/micord/ervu/controller/UploadAccessController.java b/backend/src/main/java/ru/micord/ervu/controller/UploadAccessController.java
new file mode 100644
index 00000000..a139f6b9
--- /dev/null
+++ b/backend/src/main/java/ru/micord/ervu/controller/UploadAccessController.java
@@ -0,0 +1,26 @@
+package ru.micord.ervu.controller;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+import ru.micord.ervu.security.webbpm.jwt.service.JwtTokenService;
+
+/**
+ * @author Adel Kalimullin
+ */
+@RestController
+public class UploadAccessController {
+ private final JwtTokenService jwtTokenService;
+
+ public UploadAccessController(JwtTokenService jwtTokenService) {
+ this.jwtTokenService = jwtTokenService;
+ }
+
+ @GetMapping("/upload/access")
+ public ResponseEntity checkUploadPermission(HttpServletRequest request) {
+ boolean fileUploadAllowed = jwtTokenService.isFileUploadAllowed(request);
+ return ResponseEntity.ok(fileUploadAllowed);
+ }
+}
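Review bot: `checkUploadPermission` declares the raw type `ResponseEntity` although its body is always the boolean from `isFileUploadAllowed`; declare it as `public ResponseEntity<Boolean> checkUploadPermission(HttpServletRequest request)` so the contract is visible to callers and to the frontend typing. The endpoint depends on `isFileUploadAllowed` throwing `UnauthorizedException` for a request without a token (see the JwtTokenService hunk); how that exception is mapped to an HTTP status is not visible here, so it is worth confirming it yields 401 rather than a 500 with a stack trace. The class Javadoc carries only `@author`; a method Javadoc such as `Returns whether the caller's access token carries the file-upload flag; requests without a valid token fail with UnauthorizedException.` would document the decision this endpoint now exposes.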
diff --git a/backend/src/main/java/ru/micord/ervu/security/SecurityConstants.java b/backend/src/main/java/ru/micord/ervu/security/SecurityConstants.java
index d04446d4..e7e05426 100644
--- a/backend/src/main/java/ru/micord/ervu/security/SecurityConstants.java
+++ b/backend/src/main/java/ru/micord/ervu/security/SecurityConstants.java
@@ -6,6 +6,5 @@ public class SecurityConstants {
 public static final String AUTH_MARKER = "webbpm.ervu-lkrp-ul";
 public static final String PRNS_UUID = "prns_uuid_ul";
 public static final String STICKY_SESSION = "stickysession";
- public static final String UPLOAD_ALLOWED_MARKER = "upload_allowed";
 public static final String EMPLOYEE_DOCUMENT_PATH = "/employee/document";
 }
diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
index d8c7789f..9db721d2 100644
--- a/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
+++ b/backend/src/main/java/ru/micord/ervu/security/esia/service/EsiaAuthService.java
@@ -556,7 +556,7 @@ public class EsiaAuthService {
 private void createTokenAndAddCookie(HttpServletResponse response, String userId, String ervuId, Boolean hasRole, Boolean fileUploadAllowed, Long expiresIn) {
 Token token = jwtTokenService.createAccessToken(userId, expiresIn, ervuId, hasRole, fileUploadAllowed);
- securityHelper.addAccessCookies(response, token.getValue(), expiresIn.intValue(), fileUploadAllowed);
+ securityHelper.addAccessCookies(response, token.getValue(), expiresIn.intValue());
 UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(token.getUserAccountId(), null);
 SecurityContext context = SecurityContextHolder.createEmptyContext();
diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java
index 649ab86b..bc697581 100644
--- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java
+++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/helper/SecurityHelper.java
@@ -17,7 +17,6 @@ import static org.springframework.web.context.request.RequestAttributes.REFERENC
 import static ru.micord.ervu.security.SecurityConstants.AUTH_MARKER;
 import static ru.micord.ervu.security.SecurityConstants.AUTH_TOKEN;
 import static ru.micord.ervu.security.SecurityConstants.PRNS_UUID;
-import static ru.micord.ervu.security.SecurityConstants.UPLOAD_ALLOWED_MARKER;
 public final class SecurityHelper {
 @Value("${cookie.path:#{null}}")
@@ -46,14 +45,6 @@ public final class SecurityHelper {
 .httpOnly(false) .build();
 addResponseCookie(response, emptyAuthMarker);
-
- ResponseCookie emptyUploadAllowed = createCookie(UPLOAD_ALLOWED_MARKER, null, "/")
- .maxAge(0)
- .secure(false)
- .httpOnly(false)
- .build();
- addResponseCookie(response, emptyUploadAllowed);
-
 clearCookie(response, PRNS_UUID, accessCookiePath);
 }
@@ -61,8 +52,7 @@ public final class SecurityHelper {
 response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
 }
- public void addAccessCookies(HttpServletResponse response, String cookieValue, int expiry,
- Boolean fileUploadAllowed) {
+ public void addAccessCookies(HttpServletResponse response, String cookieValue, int expiry) {
 ResponseCookie authTokenCookie = createCookie(AUTH_TOKEN, cookieValue, accessCookiePath) .maxAge(expiry) .build();
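Review bot: With the `fileUploadAllowed` parameter removed from `addAccessCookies`, and the matching `maxAge(0)` clear deleted in the `@@ -46` hunk above, nothing in this helper touches the `upload_allowed` cookie any more, so browsers that already received it (path `/`, lifetime equal to the token expiry) keep it until it times out on its own. The new frontend in this commit no longer reads that cookie, so the leftover is inert, but a transitional clear for one release, `createCookie("upload_allowed", null, "/").maxAge(0).build()` passed to `addResponseCookie` in the logout path, would leave no stale cookie behind; the constant is gone from SecurityConstants, hence the literal. Moving the decision from a non-HttpOnly, non-Secure cookie into the signed token and checking it server-side is the right direction. `addAccessCookies` continues past the end of this hunk.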
@@ -74,15 +64,6 @@ public final class SecurityHelper {
 .httpOnly(false) .build();
 addResponseCookie(response, authMarker);
-
- if (fileUploadAllowed) {
- ResponseCookie uploadAllowedCookie = createCookie(UPLOAD_ALLOWED_MARKER, "true", "/")
- .maxAge(expiry)
- .secure(false)
- .httpOnly(false)
- .build();
- addResponseCookie(response, uploadAllowedCookie);
- }
 }
 public ResponseCookie.ResponseCookieBuilder createCookie(String name, String value, String path) {
diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java
index 386f1063..f64dd2d5 100644
--- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java
+++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/service/JwtTokenService.java
@@ -97,11 +97,20 @@ public class JwtTokenService {
 }
 public String getUserAccountId(HttpServletRequest request) {
- String authToken = extractAuthToken(request);
+ Token validatedToken = getValidatedToken(request);
+ String[] ids = validatedToken.getUserAccountId().split(":");
+ return ids[0];
+ }
+ public boolean isFileUploadAllowed(HttpServletRequest request) {
+ Token validatedToken = getValidatedToken(request);
+ return validatedToken.isFileUploadAllowed();
+ }
+
+ public Token getValidatedToken(HttpServletRequest request) {
+ String authToken = extractAuthToken(request);
 if (authToken != null) {
- String[] ids = getToken(authToken).getUserAccountId().split(":");
- return ids[0];
+ return getToken(authToken);
 } else {
 throw new UnauthorizedException("Failed to get auth data. User unauthorized.");
diff --git a/frontend/src/ts/ervu/FileUploadChecker.ts b/frontend/src/ts/ervu/FileUploadChecker.ts
index c9aecade..2bd78924 100644
--- a/frontend/src/ts/ervu/FileUploadChecker.ts
+++ b/frontend/src/ts/ervu/FileUploadChecker.ts
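Review bot: `getValidatedToken` is introduced as `public` although its only callers in this hunk are `getUserAccountId` and `isFileUploadAllowed` directly above it; unless something outside the class needs it, `private Token getValidatedToken(HttpServletRequest request)` keeps the verified `Token` out of the service's API surface now that it gates the upload permission. The method also has no documentation, and the failure contract that `isFileUploadAllowed` (and the new `/upload/access` endpoint) inherits is only visible in the `else` branch; a Javadoc such as `Extracts the auth token from the request and returns it verified; throws UnauthorizedException when the request carries no token.` would make that explicit. `getValidatedToken` runs past the end of this hunk, and the hunk's closing context lines appear to have been lost in the paste, so the remainder of the method is not visible here.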
@@ -1,15 +1,34 @@
 import {Behavior, Visible} from "@webbpm/base-package";
-import {CookieService} from "ngx-cookie";
+import {HttpClient} from "@angular/common/http";
+import {AuthenticationService} from "../modules/security/authentication.service";
 export class FileUploadChecker extends Behavior {
- private cookieService: CookieService;
+ private httpClient: HttpClient;
+ private authService: AuthenticationService;
+ private allowed: boolean = false;
 initialize() {
- this.cookieService = this.injector.get(CookieService);
+ this.httpClient = this.injector.get(HttpClient);
+ this.authService = this.injector.get(AuthenticationService);
+ }
+
+ postStart() {
+ super.postStart();
+ if (this.authService.isAuthenticated()){
+ this.checkUploadPermission();
+ }
 }
 @Visible() public fileUploadAllowed(): boolean {
- return this.cookieService.get("upload_allowed") != null;
+ return this.allowed;
+ }
+
+ private checkUploadPermission(): void {
+ this.httpClient.get('upload/access')
+ .toPromise()
+ .then(response => {
+ this.allowed = response;
+ });
 }
 }
\ No newline at end of file
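Review bot: `checkUploadPermission` assigns the untyped response straight to `allowed` and attaches no rejection handler, so a failed request (for example a 401 once the token has expired) surfaces as an unhandled promise rejection while `allowed` stays `false` only by accident of its initializer. Use `this.httpClient.get<boolean>('upload/access')` so the assignment is type-checked, and append `.catch(() => { this.allowed = false; })` so the fail-closed default is explicit. The relative URL `'upload/access'` resolves against the document base while the controller maps `/upload/access`; presumably the application's base href makes the two coincide, but that is worth confirming in an environment served under a context path. Minor style point: `isAuthenticated()){` is missing the space before the brace used elsewhere in the file.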