fix(ConfigurationRestRepository): refactor property access control and improve admin checks

vins01-4science · vins01-4science · commit 090f57a856d6 · 2026-01-26T12:49:57.000+01:00
credits: @saschaszott ref: #537, DSC-2686
diff --git a/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/ConfigurationRestRepository.java b/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/ConfigurationRestRepository.java
@@ -66,14 +66,13 @@ protected String[] getAdminExposedProperties() {
     @Override
     @PreAuthorize("permitAll()")
     public PropertyRest findOne(Context context, String property) {
-        List<String> exposedProperties = Arrays.asList(getExposedProperties());
-        List<String> adminExposedProperties = Arrays.asList(getAdminExposedProperties());
+        if (
+            !isAdminAllowed(context, property) && !isExposed(property)
+        ) {
+            throw new ResourceNotFoundException("No such configuration property: " + property);
+        }
 
-        if (!configurationService.hasProperty(property) ||
-            (
-                !exposedProperties.contains(property) &&
-                (!isCurrentUserAdmin(context) || !adminExposedProperties.contains(property))
-            )) {
+        if (!configurationService.hasProperty(property)) {
             throw new ResourceNotFoundException("No such configuration property: " + property);
         }
 
@@ -84,6 +83,16 @@ public PropertyRest findOne(Context context, String property) {
         return propertyRest;
     }
 
+    private boolean isExposed(String property) {
+        List<String> exposedProperties = Arrays.asList(getExposedProperties());
+        return exposedProperties.contains(property);
+    }
+
+    private boolean isAdminAllowed(Context context, String property) {
+        List<String> adminExposedProperties = Arrays.asList(getAdminExposedProperties());
+        return adminExposedProperties.contains(property) && isCurrentUserAdmin(context);
+    }
+
     private boolean isCurrentUserAdmin(Context context) {
         try {
             return authorizeService.isAdmin(context);
diff --git a/dspace-server-webapp/src/test/java/org/dspace/app/rest/ConfigurationRestRepositoryIT.java b/dspace-server-webapp/src/test/java/org/dspace/app/rest/ConfigurationRestRepositoryIT.java
@@ -60,6 +60,13 @@ public void getAdminRestrictedValueRetrieved() throws Exception {
             .andExpect(status().is2xxSuccessful());
     }
 
+    @Test
+    public void getNonAdminRestrictedPropertyNotRetrieved() throws Exception {
+        String tokenAdmin = getAuthToken(admin.getEmail(), password);
+        getClient(tokenAdmin).perform(get("/api/config/properties/db.url"))
+                             .andExpect(status().isNotFound());
+    }
+
     @Test
     public void getAll() throws Exception {
         getClient().perform(get("/api/config/properties/"))
