TSK-1317: Fixed task comment authorization tests.

rest/taskana-rest-spring/src/main/java/pro/taskana/common/rest/Mapping.java

@@ -30,9 +30,8 @@ public final class Mapping {
   public static final String URL_VERSION = PRE + "version";
   public static final String URL_TASKS = PRE + "tasks";
   public static final String URL_TASKS_ID = URL_TASKS + "/{taskId}";
-  public static final String URL_TASK_GET_POST_COMMENTS = URL_TASKS_ID + "/comments";
+  public static final String URL_TASK_COMMENTS = URL_TASKS_ID + "/comments";
-  public static final String URL_TASK_COMMENTS = URL_TASKS + "/comments";
+  public static final String URL_TASK_COMMENT = URL_TASKS + "/comments/{taskCommentId}";
-  public static final String URL_TASK_COMMENT = URL_TASK_COMMENTS + "/{taskCommentId}";
   public static final String URL_TASKS_ID_CLAIM = URL_TASKS_ID + "/claim";
   public static final String URL_TASKS_ID_SELECT_AND_CLAIM = URL_TASKS + "/select-and-claim";
   public static final String URL_TASKS_ID_COMPLETE = URL_TASKS_ID + "/complete";

rest/taskana-rest-spring/src/main/java/pro/taskana/task/rest/TaskCommentController.java

@@ -80,7 +80,7 @@ public class TaskCommentController {
     return response;
   }
 
-  @GetMapping(path = Mapping.URL_TASK_GET_POST_COMMENTS)
+  @GetMapping(path = Mapping.URL_TASK_COMMENTS)
   @Transactional(readOnly = true, rollbackFor = Exception.class)
   public ResponseEntity<TaskanaPagedModel<TaskCommentRepresentationModel>> getTaskComments(
       @PathVariable String taskId,
@@ -168,7 +168,7 @@ public class TaskCommentController {
     return result;
   }
 
-  @PostMapping(path = Mapping.URL_TASK_GET_POST_COMMENTS)
+  @PostMapping(path = Mapping.URL_TASK_COMMENTS)
   @Transactional(rollbackFor = Exception.class)
   public ResponseEntity<TaskCommentRepresentationModel> createTaskComment(
       @PathVariable String taskId,

rest/taskana-rest-spring/src/test/java/pro/taskana/classification/rest/ClassificationControllerIntTest.java

@@ -153,6 +153,28 @@ class ClassificationControllerIntTest {
     assertThat(HttpStatus.CREATED).isEqualTo(responseEntity.getStatusCode());
   }
 
+  @Test
+  @DirtiesContext
+  void should_ThrowNotAuthorized_WhenUserIsNotInRoleAdminOrBusinessAdmin_whileCreating() {
+    String newClassification =
+        "{\"classificationId\":\"\",\"category\":\"MANUAL\","
+            + "\"domain\":\"DOMAIN_A\",\"key\":\"NEW_CLASS\","
+            + "\"name\":\"new classification\",\"type\":\"TASK\"}";
+
+    ThrowingCallable httpCall =
+        () ->
+            template.exchange(
+                restHelper.toUrl(Mapping.URL_CLASSIFICATIONS),
+                HttpMethod.POST,
+                new HttpEntity<>(newClassification, restHelper.getHeadersUser_1_1()),
+                ParameterizedTypeReference.forType(ClassificationRepresentationModel.class));
+
+    assertThatThrownBy(httpCall)
+        .isInstanceOf(HttpClientErrorException.class)
+        .extracting(ex -> ((HttpClientErrorException) ex).getStatusCode())
+        .isEqualTo(HttpStatus.FORBIDDEN);
+  }
+
   @Test
   @DirtiesContext
   void testCreateClassificationWithParentId() {

rest/taskana-rest-spring/src/test/java/pro/taskana/common/rest/RestHelper.java

@@ -28,6 +28,8 @@ public class RestHelper {
       "Basic YnVzaW5lc3NhZG1pbjpidXNpbmVzc2FkbWlu";
   public static final String AUTHORIZATION_USER_1_1 = "Basic dXNlci0xLTE6dXNlci0xLTE=";
   public static final String AUTHORIZATION_USER_1_2 = "Basic dXNlci0xLTI6dXNlci0xLTI=";
+  public static final String AUTHORIZATION_USER_2_1 = "Basic dXNlci0yLTE6dXNlci0yLTE=";
+  public static final String AUTHORIZATION_USER_B_1 = "Basic dXNlci1iLTE6dXNlci1iLTE=";
 
   public static final RestTemplate TEMPLATE = getRestTemplate();
 
@@ -87,6 +89,20 @@ public class RestHelper {
     return headers;
   }
 
+  public HttpHeaders getHeadersUser_2_1() {
+    HttpHeaders headers = new HttpHeaders();
+    headers.add("Authorization", AUTHORIZATION_USER_2_1);
+    headers.add("Content-Type", "application/json");
+    return headers;
+  }
+
+  public HttpHeaders getHeadersUser_b_1() {
+    HttpHeaders headers = new HttpHeaders();
+    headers.add("Authorization", AUTHORIZATION_USER_B_1);
+    headers.add("Content-Type", "application/json");
+    return headers;
+  }
+
   /**
    * Return a REST template which is capable of dealing with responses in HAL format.
    *

rest/taskana-rest-spring/src/test/java/pro/taskana/doc/api/TaskCommentControllerRestDocumentation.java

@@ -95,7 +95,7 @@ class TaskCommentControllerRestDocumentation extends BaseRestDocumentation {
         .perform(
             RestDocumentationRequestBuilders.get(
                     restHelper.toUrl(
-                        Mapping.URL_TASK_GET_POST_COMMENTS,
+                        Mapping.URL_TASK_COMMENTS,
                         "TKI:000000000000000000000000000000000000"))
                 .accept(MediaTypes.HAL_JSON)
                 .header("Authorization", ADMIN_CREDENTIALS))
@@ -172,7 +172,7 @@ class TaskCommentControllerRestDocumentation extends BaseRestDocumentation {
             .perform(
                 RestDocumentationRequestBuilders.post(
                         restHelper.toUrl(
-                            Mapping.URL_TASK_GET_POST_COMMENTS,
+                            Mapping.URL_TASK_COMMENTS,
                             "TKI:000000000000000000000000000000000000"))
                     .contentType(MediaTypes.HAL_JSON)
                     .content(createTaskCommentContent)

rest/taskana-rest-spring/src/test/java/pro/taskana/task/rest/TaskCommentControllerIntTest.java

@@ -7,7 +7,6 @@ import java.time.Instant;
 import java.util.Comparator;
 import org.assertj.core.api.ThrowableAssert.ThrowingCallable;
 import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
@@ -64,7 +63,6 @@ class TaskCommentControllerIntTest {
         .isEqualTo(HttpStatus.NOT_FOUND);
   }
 
-  @Disabled("Disabled until Authorization check is up!")
   @Test
   void should_FailToReturnTaskComments_When_TaskIstNotVisible() {
 
@@ -88,8 +86,7 @@ class TaskCommentControllerIntTest {
   void should_ReturnSortedAndOrederedTaskCommentsSortedByModified_When_UsingSortAndOrderParams() {
 
     String url =
-        restHelper.toUrl(
+        restHelper.toUrl(Mapping.URL_TASK_COMMENTS, "TKI:000000000000000000000000000000000000");
-            Mapping.URL_TASK_GET_POST_COMMENTS, "TKI:000000000000000000000000000000000000");
 
     ResponseEntity<TaskanaPagedModel<TaskCommentRepresentationModel>>
         getTaskCommentsSortedByModifiedOrderedByDescendingResponse =
@@ -148,8 +145,7 @@ class TaskCommentControllerIntTest {
   void should_ThrowException_When_UsingInvalidSortParam() {
 
     String url =
-        restHelper.toUrl(
+        restHelper.toUrl(Mapping.URL_TASK_COMMENTS, "TKI:000000000000000000000000000000000000");
-            Mapping.URL_TASK_GET_POST_COMMENTS, "TKI:000000000000000000000000000000000000");
 
     ThrowingCallable httpCall =
         () -> {
@@ -164,7 +160,6 @@ class TaskCommentControllerIntTest {
         .isEqualTo(HttpStatus.BAD_REQUEST);
   }
 
-  @Disabled("Disabled until Authorization check is up!")
   @Test
   void should_FailToReturnTaskComment_When_TaskIstNotVisible() {
 
@@ -184,7 +179,6 @@ class TaskCommentControllerIntTest {
         .isEqualTo(HttpStatus.FORBIDDEN);
   }
 
-  @Disabled("Disabled until Authorization check is up!")
   @Test
   void should_FailToCreateTaskComment_When_TaskIsNotVisible() {
 
@@ -197,10 +191,10 @@ class TaskCommentControllerIntTest {
         () -> {
           template.exchange(
               restHelper.toUrl(
-                  Mapping.URL_TASK_GET_POST_COMMENTS, "TKI:000000000000000000000000000000000000"),
+                  Mapping.URL_TASK_COMMENTS, "TKI:000000000000000000000000000000000000"),
               HttpMethod.POST,
               new HttpEntity<>(
-                  taskCommentRepresentationModelToCreate, restHelper.getHeadersUser_1_1()),
+                  taskCommentRepresentationModelToCreate, restHelper.getHeadersUser_b_1()),
               ParameterizedTypeReference.forType(TaskCommentRepresentationModel.class));
         };
     assertThatThrownBy(httpCall)
@@ -219,7 +213,7 @@ class TaskCommentControllerIntTest {
     ThrowingCallable httpCall =
         () -> {
           template.exchange(
-              restHelper.toUrl(Mapping.URL_TASK_GET_POST_COMMENTS, "DefinatelyNotExistingId"),
+              restHelper.toUrl(Mapping.URL_TASK_COMMENTS, "DefinatelyNotExistingId"),
               HttpMethod.POST,
               new HttpEntity<>(
                   taskCommentRepresentationModelToCreate, restHelper.getHeadersAdmin()),
@@ -262,7 +256,6 @@ class TaskCommentControllerIntTest {
         .isEqualTo(HttpStatus.CONFLICT);
   }
 
-  @Disabled("Disabled until Authorization check is up!")
   @Test
   void should_FailToUpdateTaskComment_When_UserHasNoAuthorization() {
     String url =
@@ -329,19 +322,18 @@ class TaskCommentControllerIntTest {
         .isEqualTo(HttpStatus.BAD_REQUEST);
   }
 
-  @Disabled("Disabled until Authorization check is up!")
   @Test
   void should_FailToDeleteTaskComment_When_UserHasNoAuthorization() {
 
     ResponseEntity<TaskanaPagedModel<TaskCommentRepresentationModel>>
-        getTaskCommentsBeforeDeleteionResponse =
+        getTaskCommentsBeforeDeletionResponse =
             template.exchange(
                 restHelper.toUrl(
                     Mapping.URL_TASK_COMMENTS, "TKI:000000000000000000000000000000000001"),
                 HttpMethod.GET,
-                new HttpEntity<String>(restHelper.getHeadersAdmin()),
+                new HttpEntity<String>(restHelper.getHeadersUser_1_2()),
                 TASK_COMMENT_PAGE_MODEL_TYPE);
-    assertThat(getTaskCommentsBeforeDeleteionResponse.getBody().getContent()).hasSize(2);
+    assertThat(getTaskCommentsBeforeDeletionResponse.getBody().getContent()).hasSize(2);
 
     String url =
         restHelper.toUrl(Mapping.URL_TASK_COMMENT, "TCI:000000000000000000000000000000000004");
@@ -355,6 +347,8 @@ class TaskCommentControllerIntTest {
               ParameterizedTypeReference.forType(TaskCommentRepresentationModel.class));
         };
     assertThatThrownBy(httpCall)
+        .isInstanceOf(HttpClientErrorException.class)
+        .hasMessageContaining("TaskComment creator and current user must match.")
         .extracting(ex -> ((HttpClientErrorException) ex).getStatusCode())
         .isEqualTo(HttpStatus.FORBIDDEN);
   }

rest/taskana-rest-spring/src/test/java/pro/taskana/task/rest/TaskControllerIntTest.java

@@ -795,6 +795,23 @@ class TaskControllerIntTest {
         .hasMessageContaining("409");
   }
 
+  @Test
+  void should_ThrowNotAuthorized_When_UserHasNoAuthorizationOnTask() {
+    String url = restHelper.toUrl(Mapping.URL_TASKS_ID, "TKI:000000000000000000000000000000000000");
+
+    ThrowingCallable httpCall =
+        () ->
+            template.exchange(
+                url,
+                HttpMethod.GET,
+                new HttpEntity<String>(restHelper.getHeadersUser_b_1()),
+                ParameterizedTypeReference.forType(TaskRepresentationModel.class));
+
+    assertThatThrownBy(httpCall)
+        .extracting(ex -> ((HttpClientErrorException) ex).getStatusCode())
+        .isEqualTo(HttpStatus.FORBIDDEN);
+  }
+
   private TaskRepresentationModel getTaskResourceSample() {
     ClassificationSummaryRepresentationModel classificationResource =
         new ClassificationSummaryRepresentationModel();