From 3be0f57fd0f485a8bb09f04bea4620d1cf8494f1 Mon Sep 17 00:00:00 2001
From: Andrea Di Cesare
Date: Wed, 13 Nov 2024 15:34:42 +0100
Subject: [PATCH] :recycle: AuthorizersHandler to first check vetoers and than allowers
---
 .../security/handlers/AuthorizersHandler.java | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/core/src/main/java/org/restheart/security/handlers/AuthorizersHandler.java b/core/src/main/java/org/restheart/security/handlers/AuthorizersHandler.java
index 47e5c8d03..d1c747867 100644
--- a/core/src/main/java/org/restheart/security/handlers/AuthorizersHandler.java
+++ b/core/src/main/java/org/restheart/security/handlers/AuthorizersHandler.java
@@ -84,24 +84,25 @@ private boolean isAllowed(final Request request) {
 if (authorizers == null || authorizers.isEmpty()) {
 return false;
 } else {
- return authorizers.stream()
- // at least one ALLOWER must authorize the request
+ return
+ // no VETOER must deny the request
+ authorizers.stream()
 .filter(a -> a.isEnabled())
 .filter(a -> a.getInstance() != null)
 .map(a -> a.getInstance())
- .filter(a -> PluginUtils.authorizerType(a) == TYPE.ALLOWER)
 // filter out authorizers that requires authentication when the request is not authenticated
 .filter(a -> !a.isAuthenticationRequired(request) || request.isAuthenticated())
- .anyMatch(a -> a.isAllowed(request))
- // no VETOER must deny the request
+ .filter(a -> PluginUtils.authorizerType(a) == TYPE.VETOER)
+ .allMatch(a -> a.isAllowed(request))
 && authorizers.stream()
+ // at least one ALLOWER must authorize the request
 .filter(a -> a.isEnabled())
 .filter(a -> a.getInstance() != null)
 .map(a -> a.getInstance())
+ .filter(a -> PluginUtils.authorizerType(a) == TYPE.ALLOWER)
 // filter out authorizers that requires authentication when the request is not authenticated
 .filter(a -> !a.isAuthenticationRequired(request) || request.isAuthenticated())
- .filter(a -> PluginUtils.authorizerType(a) == TYPE.VETOER)
- .allMatch(a -> a.isAllowed(request));
+ .anyMatch(a -> a.isAllowed(request));
 }
 }
 }
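Review bot: The two pipelines on the new side repeat the same enabled/instance/authentication filter chain, and the `TYPE` filter now sits at a different position in each, so a later edit to one chain can silently diverge from the other; extracting the shared chain into a helper parameterised by `TYPE` keeps the veto and allow checks identical by construction. Note also that `&&` short-circuits, so after this reordering the ALLOWER instances' `isAllowed` is no longer invoked when a VETOER denies (previously VETOERs were skipped when no ALLOWER matched), which is harmless only if `isAllowed` is pure, so a comment such as `// vetoers run first: a denying VETOER short-circuits and ALLOWERs are not consulted` would make the intent explicit for authorizers that log or audit. The authentication-required filter also drops a VETOER from the veto check for unauthenticated requests, which is pre-existing and presumably intended but deserves a line in the same comment. The element type `Authorizer` and a `java.util.stream.Stream` import are assumed below from `getInstance()`; `isAllowed`'s signature lies outside the hunk.
```java
    /**
     * Enabled authorizers of the given type that apply to this request; authorizers that
     * require authentication are skipped when the request is not authenticated.
     */
    private Stream<Authorizer> applicable(final Request request, final TYPE type) {
        return authorizers.stream()
            .filter(a -> a.isEnabled())
            .filter(a -> a.getInstance() != null)
            .map(a -> a.getInstance())
            .filter(a -> PluginUtils.authorizerType(a) == type)
            // filter out authorizers that requires authentication when the request is not authenticated
            .filter(a -> !a.isAuthenticationRequired(request) || request.isAuthenticated());
    }

    private boolean isAllowed(final Request request) {
        if (authorizers == null || authorizers.isEmpty()) {
            return false;
        }
        // vetoers run first: a denying VETOER short-circuits and ALLOWERs are not consulted;
        // an empty VETOER set vetoes nothing, an empty ALLOWER set allows nothing (fail closed)
        return applicable(request, TYPE.VETOER).allMatch(a -> a.isAllowed(request))
            && applicable(request, TYPE.ALLOWER).anyMatch(a -> a.isAllowed(request));
    }
```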