Merged in task/dspace-cris-2024_02_x/DSC-2686 (pull request DSpace#5256)

Task/dspace cris 2024 02 x/DSC-2686

Approved-by: Mykhaylo Boychuk

Author: vins01-4science

dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/ConfigurationRestRepository.java

@@ -43,7 +43,7 @@ protected String[] getExposedProperties() {
         return configurationService.getArrayProperty("rest.properties.exposed");
     }
 
-    protected String[] getAdminRestrictedProperties() {
+    protected String[] getAdminExposedProperties() {
         return configurationService.getArrayProperty("admin.rest.properties.exposed");
     }
 
@@ -66,12 +66,13 @@ protected String[] getAdminRestrictedProperties() {
     @Override
     @PreAuthorize("permitAll()")
     public PropertyRest findOne(Context context, String property) {
-        List<String> exposedProperties = Arrays.asList(getExposedProperties());
-        List<String> adminRestrictedProperties = Arrays.asList(getAdminRestrictedProperties());
+        if (
+            !isAdminAllowed(context, property) && !isExposed(property)
+        ) {
+            throw new ResourceNotFoundException("No such configuration property: " + property);
+        }
 
-        if (!configurationService.hasProperty(property) ||
-            (adminRestrictedProperties.contains(property) && !isCurrentUserAdmin(context)) ||
-            (!exposedProperties.contains(property) && !isCurrentUserAdmin(context))) {
+        if (!configurationService.hasProperty(property)) {
             throw new ResourceNotFoundException("No such configuration property: " + property);
         }
 
@@ -82,6 +83,16 @@ public PropertyRest findOne(Context context, String property) {
         return propertyRest;
     }
 
+    private boolean isExposed(String property) {
+        List<String> exposedProperties = Arrays.asList(getExposedProperties());
+        return exposedProperties.contains(property);
+    }
+
+    private boolean isAdminAllowed(Context context, String property) {
+        List<String> adminExposedProperties = Arrays.asList(getAdminExposedProperties());
+        return adminExposedProperties.contains(property) && isCurrentUserAdmin(context);
+    }
+
     private boolean isCurrentUserAdmin(Context context) {
         try {
             return authorizeService.isAdmin(context);

dspace-server-webapp/src/test/java/org/dspace/app/rest/ConfigurationRestRepositoryIT.java

@@ -60,6 +60,13 @@ public void getAdminRestrictedValueRetrieved() throws Exception {
             .andExpect(status().is2xxSuccessful());
     }
 
+    @Test
+    public void getNonAdminRestrictedPropertyNotRetrieved() throws Exception {
+        String tokenAdmin = getAuthToken(admin.getEmail(), password);
+        getClient(tokenAdmin).perform(get("/api/config/properties/db.url"))
+                             .andExpect(status().isNotFound());
+    }
+
     @Test
     public void getAll() throws Exception {
         getClient().perform(get("/api/config/properties/"))