From 8b2c06c6d64b22c5f0754a37c6bcf1762099cecc Mon Sep 17 00:00:00 2001
From: Georgy Litvinov
Date: Tue, 14 May 2024 17:22:51 +0200
Subject: [PATCH] Additional authorization check added
---
 .../controller/PagedSearchController.java | 25 ++++++++++++++++---
 1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/search/controller/PagedSearchController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/search/controller/PagedSearchController.java
index 9596ed483..932545ed2 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/search/controller/PagedSearchController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/search/controller/PagedSearchController.java
@@ -22,6 +22,12 @@ import javax.servlet.http.HttpServletResponse;
 import edu.cornell.mannlib.vitro.webapp.application.ApplicationUtils;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.IndividualAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest;
 import edu.cornell.mannlib.vitro.webapp.beans.ApplicationBean;
 import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
@@ -232,10 +238,13 @@ protected ResponseValues processRequest(VitroRequest vreq) {
 for (SearchResultDocument doc : docs) {
 try {
 String uri = doc.getStringValue(VitroSearchTermNames.URI);
- Individual ind = iDao.getIndividualByURI(uri);
- if (ind != null) {
- ind.setSearchSnippet(getSnippet(doc, response));
- individuals.add(ind);
+ boolean isAuthorized = isAuthorized(vreq, uri);
+ if (isAuthorized) {
+ Individual ind = iDao.getIndividualByURI(uri);
+ if (ind != null) {
+ ind.setSearchSnippet(getSnippet(doc, response));
+ individuals.add(ind);
+ }
 }
 } catch (Exception e) {
 log.error("Problem getting usable individuals from search hits. ", e);
@@ -315,6 +324,14 @@ protected ResponseValues processRequest(VitroRequest vreq) {
 }
 }
+ private boolean isAuthorized(VitroRequest vreq, String uri) {
+ AccessObject ao = new IndividualAccessObject(uri);
+ ao.setModel(vreq.getJenaOntModel());
+ AuthorizationRequest request = new SimpleAuthorizationRequest(ao, AccessOperation.DISPLAY);
+ boolean isAuthorized = PolicyHelper.isAuthorizedForActions(vreq, request);
+ return isAuthorized;
+ }
+
 private long getSpentTime(long startTime) {
 return (System.nanoTime() - startTime) / 1000000;
 }
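Review bot: Dropping unauthorized hits only after the search engine has paged them means a page can come back shorter than the page size while any hit total taken from `response` still counts the hidden individuals, so a user can infer that individuals they may not display exist and roughly how many match a query; processRequest starts and ends outside this hunk, so I cannot see where the total and the paging links are computed, but if they come from the raw `response` rather than from the filtered `individuals` list they should be recomputed from the filtered list, or the access constraint pushed into the query itself. Separately, because the new `isAuthorized(vreq, uri)` call sits inside the existing `catch (Exception e)`, any failure in the policy evaluation is logged as a problem getting usable individuals and the hit is silently omitted; that is fail-closed, which is the right default here, but it deserves a comment such as `// A failing policy check is caught below and hides the hit (fail closed).` so the next reader does not "fix" it by moving the call outside the try.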
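Review bot: The new `isAuthorized` method is undocumented and stores its result in a local variable named like the method before returning it; `return PolicyHelper.isAuthorizedForActions(vreq, request);` is more direct, and a Javadoc such as `/** Returns whether the current user may DISPLAY the individual identified by {@code uri}, evaluated against the request's Jena ontology model. */` would record why the DISPLAY operation is the one checked for search results. The method is invoked once per search hit and each invocation builds a fresh IndividualAccessObject and attaches `vreq.getJenaOntModel()` to it; whether that is expensive is not visible in this patch, so if the policy evaluation turns out to dominate search latency, reusing the model reference across the loop would be the first thing to look at.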