diff --git a/src/main/java/org/wise/portal/presentation/web/controllers/admin/BatchCreateUserAccountsController.java b/src/main/java/org/wise/portal/presentation/web/controllers/admin/BatchCreateUserAccountsController.java index 1426aa330..7fb991877 100644 --- a/src/main/java/org/wise/portal/presentation/web/controllers/admin/BatchCreateUserAccountsController.java +++ b/src/main/java/org/wise/portal/presentation/web/controllers/admin/BatchCreateUserAccountsController.java @@ -30,6 +30,7 @@ import java.util.Calendar; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.annotation.Secured; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; import org.springframework.validation.BindingResult; @@ -55,6 +56,7 @@ * * @author Hiroki Terashima */ +@Secured("ROLE_ADMINISTRATOR") @Controller @RequestMapping("/admin/account/batchcreateuseraccounts.html") public class BatchCreateUserAccountsController { diff --git a/src/main/java/org/wise/portal/presentation/web/controllers/admin/EnableDisableUserController.java b/src/main/java/org/wise/portal/presentation/web/controllers/admin/EnableDisableUserController.java index e40c3c53e..683e52ba2 100644 --- a/src/main/java/org/wise/portal/presentation/web/controllers/admin/EnableDisableUserController.java +++ b/src/main/java/org/wise/portal/presentation/web/controllers/admin/EnableDisableUserController.java @@ -29,6 +29,7 @@ import javax.servlet.http.HttpServletResponse; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.annotation.Secured; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; import org.springframework.web.bind.annotation.RequestMapping; @@ -41,6 +42,7 @@ * Only accessed by a WISE admin user. * @author Hiroki Terashima */ +@Secured("ROLE_ADMINISTRATOR") @Controller @RequestMapping("/admin/account/enabledisableuser") public class EnableDisableUserController { diff --git a/src/main/java/org/wise/portal/presentation/web/controllers/admin/LookupUserController.java b/src/main/java/org/wise/portal/presentation/web/controllers/admin/LookupUserController.java index 0f9b93adc..009b7bc36 100644 --- a/src/main/java/org/wise/portal/presentation/web/controllers/admin/LookupUserController.java +++ b/src/main/java/org/wise/portal/presentation/web/controllers/admin/LookupUserController.java @@ -29,6 +29,7 @@ import javax.servlet.http.HttpServletRequest; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.annotation.Secured; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; import org.springframework.validation.BindingResult; @@ -50,6 +51,7 @@ * @author Patrick Lawler * @author Hiroki Terashima */ +@Secured("ROLE_ADMINISTRATOR") @Controller @RequestMapping("/admin/account/lookupuser") public class LookupUserController { diff --git a/src/main/java/org/wise/portal/presentation/web/controllers/admin/ManageUserRolesController.java b/src/main/java/org/wise/portal/presentation/web/controllers/admin/ManageUserRolesController.java index 5462caab0..a669be627 100644 --- a/src/main/java/org/wise/portal/presentation/web/controllers/admin/ManageUserRolesController.java +++ b/src/main/java/org/wise/portal/presentation/web/controllers/admin/ManageUserRolesController.java @@ -29,6 +29,7 @@ import javax.servlet.http.HttpServletResponse; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.annotation.Secured; import org.springframework.security.core.GrantedAuthority; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; @@ -44,6 +45,7 @@ * * @author Hiroki Terashima */ +@Secured("ROLE_ADMINISTRATOR") @Controller @RequestMapping("/admin/account/manageuserroles.html") public class ManageUserRolesController { diff --git a/src/main/java/org/wise/portal/presentation/web/controllers/admin/ShowAllUsersController.java b/src/main/java/org/wise/portal/presentation/web/controllers/admin/ShowAllUsersController.java index ea7aae0b5..38cb480bf 100644 --- a/src/main/java/org/wise/portal/presentation/web/controllers/admin/ShowAllUsersController.java +++ b/src/main/java/org/wise/portal/presentation/web/controllers/admin/ShowAllUsersController.java @@ -1,6 +1,7 @@ package org.wise.portal.presentation.web.controllers.admin; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.annotation.Secured; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; import org.springframework.web.bind.annotation.GetMapping; @@ -8,6 +9,7 @@ import org.springframework.web.bind.annotation.RequestParam; import org.wise.portal.service.authentication.UserDetailsService; +@Secured("ROLE_ADMINISTRATOR") @Controller @RequestMapping("/admin/account/show-all-users") public class ShowAllUsersController { diff --git a/src/main/java/org/wise/portal/presentation/web/controllers/admin/UpdateProjectSharedPermissionsAPIController.java b/src/main/java/org/wise/portal/presentation/web/controllers/admin/UpdateProjectSharedPermissionsAPIController.java index 74a352317..cbff00917 100644 --- a/src/main/java/org/wise/portal/presentation/web/controllers/admin/UpdateProjectSharedPermissionsAPIController.java +++ b/src/main/java/org/wise/portal/presentation/web/controllers/admin/UpdateProjectSharedPermissionsAPIController.java @@ -1,6 +1,7 @@ package org.wise.portal.presentation.web.controllers.admin; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.annotation.Secured; import org.springframework.security.acls.model.Permission; import org.springframework.web.bind.annotation.*; import org.wise.portal.dao.ObjectNotFoundException; @@ -13,6 +14,7 @@ import java.util.List; import java.util.Set; +@Secured("ROLE_ADMINISTRATOR") @RestController @RequestMapping("/api/admin/project/shared") public class UpdateProjectSharedPermissionsAPIController { diff --git a/src/main/java/org/wise/portal/spring/impl/WebSecurityConfig.java b/src/main/java/org/wise/portal/spring/impl/WebSecurityConfig.java index b608d1272..0107e87e3 100644 --- a/src/main/java/org/wise/portal/spring/impl/WebSecurityConfig.java +++ b/src/main/java/org/wise/portal/spring/impl/WebSecurityConfig.java @@ -85,14 +85,25 @@ protected void configure(HttpSecurity http) throws Exception { .addFilterAfter(googleOpenIdConnectFilter(), OAuth2ClientContextFilter.class) .addFilterAfter(microsoftOpenIdConnectFilter(), OAuth2ClientContextFilter.class) .addFilterAfter(authenticationProcessingFilter(), GoogleOpenIdConnectFilter.class) - .authorizeRequests().antMatchers("/api/login/impersonate") - .hasAnyRole("ADMINISTRATOR", "RESEARCHER").antMatchers("/admin/**") - .hasAnyRole("ADMINISTRATOR", "RESEARCHER").antMatchers("/author/**").hasAnyRole("TEACHER") + .authorizeRequests() + // User, role, portal, news and destructive maintenance endpoints must be + // restricted to administrators. They were previously reachable by researchers + // through the broad "/admin/**" rule, which let a researcher grant themselves + // the administrator role or manage other users' accounts. These more specific + // rules are listed first so they take precedence over the broader ones below. + .antMatchers("/admin/account/**", "/admin/portal/**", "/admin/news/**", + "/admin/mergeProjectMetadata", "/admin/run/replacebase64withpng.html", "/api/admin/**") + .hasRole("ADMINISTRATOR") + .antMatchers("/api/login/impersonate").hasAnyRole("ADMINISTRATOR", "RESEARCHER") + .antMatchers("/admin/**").hasAnyRole("ADMINISTRATOR", "RESEARCHER") + .antMatchers("/author/**").hasAnyRole("TEACHER") .antMatchers("/project/notifyAuthor*/**").hasAnyRole("TEACHER") - .antMatchers("/student/account/info").hasAnyRole("TEACHER").antMatchers("/student/**") - .hasAnyRole("STUDENT").antMatchers("/studentStatus").hasAnyRole("TEACHER", "STUDENT") - .antMatchers("/teacher/**").hasAnyRole("TEACHER").antMatchers("/sso/discourse") - .hasAnyRole("TEACHER", "STUDENT").antMatchers("/").permitAll(); + .antMatchers("/student/account/info").hasAnyRole("TEACHER") + .antMatchers("/student/**").hasAnyRole("STUDENT") + .antMatchers("/studentStatus").hasAnyRole("TEACHER", "STUDENT") + .antMatchers("/teacher/**").hasAnyRole("TEACHER") + .antMatchers("/sso/discourse").hasAnyRole("TEACHER", "STUDENT") + .antMatchers("/").permitAll(); http.formLogin().loginPage("/login").permitAll(); http.logout().addLogoutHandler(wiseLogoutHandler()) .logoutRequestMatcher(new AntPathRequestMatcher("/api/logout"));