Apply security to query method

Author: sven1103

project-management/src/main/java/life/qbic/projectmanagement/application/api/AsyncProjectServiceImpl.java

@@ -84,16 +84,25 @@ public Mono<ProjectCreationResponse> create(ProjectCreationRequest request)
   @Override
   public Flux<SamplePreview> getSamplePreviews(String projectId, String experimentId, int offset,
       int limit, List<SortOrder> sortOrders, String filter) {
-    return Flux.defer(() -> {
-      try {
-        return Flux.fromIterable(
-            sampleInfoService.queryPreview(ExperimentId.parse(experimentId), offset, limit,
-                sortOrders, filter));
-      } catch (Exception e) {
-        log.error("Error getting sample previews", e);
-        return Flux.error(new RequestFailedException("Error getting sample previews"));
-      }
-    }).subscribeOn(scheduler);
+    SecurityContext securityContext = SecurityContextHolder.getContext();
+    return applySecurityContextMany(Flux.defer(() ->
+        fetchSamplePreviews(projectId, experimentId, offset, limit, sortOrders, filter)))
+        .subscribeOn(scheduler)
+        .transform(original -> writeSecurityContextMany(original, securityContext))
+        .retryWhen(defaultRetryStrategy());
+  }
+
+  private Flux<SamplePreview> fetchSamplePreviews(String projectId, String experimentId, int offset,
+      int limit, List<SortOrder> sortOrders, String filter) {
+    try {
+      return Flux.fromIterable(
+          sampleInfoService.queryPreview(ProjectId.parse(projectId),
+              ExperimentId.parse(experimentId), offset, limit,
+              sortOrders, filter));
+    } catch (Exception e) {
+      log.error("Error getting sample previews", e);
+      return Flux.error(new RequestFailedException("Error getting sample previews"));
+    }
   }
 
   @Override

project-management/src/main/java/life/qbic/projectmanagement/application/sample/SampleInformationService.java

@@ -79,10 +79,19 @@ public Collection<Sample> retrieveSamplesForExperiment(ProjectId projectId, Stri
     return sampleRepository.findSamplesByExperimentId(ExperimentId.parse(experimentId));
   }
 
+  /**
+   * @deprecated Use {@link #retrieveSamplesByIds(ProjectId, Collection)} instead.
+   */
+  @Deprecated(since = "1.10.0", forRemoval = true)
   public List<Sample> retrieveSamplesByIds(Collection<SampleId> sampleIds) {
     return sampleRepository.findSamplesBySampleId(sampleIds.stream().toList());
   }
 
+  @PreAuthorize("hasPermission(#projectId, 'life.qbic.projectmanagement.domain.model.project.Project', 'READ')")
+  public List<Sample> retrieveSamplesByIds(ProjectId projectId, Collection<SampleId> sampleIds) {
+    return sampleRepository.findSamplesBySampleId(sampleIds.stream().toList());
+  }
+
   @PreAuthorize("hasPermission(#projectId, 'life.qbic.projectmanagement.domain.model.project.Project', 'READ')")
   public List<Sample> retrieveSampleForBatch(ProjectId projectId, String batchId) {
     return sampleRepository.findSamplesByBatchId(BatchId.parse(batchId));
@@ -106,7 +115,9 @@ public List<Sample> retrieveSamplesForBatch(BatchId batchId) {
    * @param sortOrders the sort orders to apply
    * @return the results in the provided range
    * @since 1.0.0
+   * @deprecated Use {@link #queryPreview(ProjectId, ExperimentId, int, int, List, String)} instead.
    */
+  @Deprecated(since = "1.10.0", forRemoval = true)
   public List<SamplePreview> queryPreview(ExperimentId experimentId, int offset, int limit,
       List<SortOrder> sortOrders, String filter) {
     // returned by JPA -> UnmodifiableRandomAccessList
@@ -118,6 +129,40 @@ public List<SamplePreview> queryPreview(ExperimentId experimentId, int offset, i
     return new ArrayList<>(previewList);
   }
 
+  /**
+   * Queries {@link SamplePreview}s with a provided offset and limit that supports pagination.
+   * Applies the Spring Security context as well.
+   *
+   * @param projectId  the project ID that contains the information (required to apply the security
+   *                   context)
+   * @param offset     the offset for the search result to start
+   * @param limit      the maximum number of results that should be returned
+   * @param sortOrders the sort orders to apply
+   * @return the results in the provided range
+   * @since 1.10.0
+   */
+  @PreAuthorize("hasPermission(#projectId, 'life.qbic.projectmanagement.domain.model.project.Project', 'READ')")
+  public List<SamplePreview> queryPreview(ProjectId projectId, ExperimentId experimentId,
+      int offset, int limit,
+      List<SortOrder> sortOrders, String filter) {
+    // returned by JPA -> UnmodifiableRandomAccessList
+    List<SamplePreview> previewList = samplePreviewLookup.queryByExperimentId(experimentId,
+        offset,
+        limit,
+        sortOrders, filter);
+    // the list must be modifiable for spring security to filter it
+    return new ArrayList<>(previewList);
+  }
+
+  @PreAuthorize("hasPermission(#projectId, 'life.qbic.projectmanagement.domain.model.project.Project', 'READ')")
+  public Optional<Sample> findSample(ProjectId projectId, SampleId sampleId) {
+    return sampleRepository.findSample(sampleId);
+  }
+
+  /**
+   * @deprecated Use {@link #findSample(ProjectId, SampleId)} instead.
+   */
+  @Deprecated(since = "1.10.0", forRemoval = true)
   public Optional<Sample> findSample(SampleId sampleId) {
     return sampleRepository.findSample(sampleId);
   }