Fix api overview page visibility

chamilaadhi · Oct 16, 2024 · 1c6916b · 1c6916b
1 parent 763494a
commit 1c6916b
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 12 deletions.
diff --git a/...apimgt.persistence/src/main/java/org/wso2/carbon/apimgt/persistence/dto/DevPortalAPI.java b/...apimgt.persistence/src/main/java/org/wso2/carbon/apimgt/persistence/dto/DevPortalAPI.java
@@ -45,6 +45,7 @@ public class DevPortalAPI extends DevPortalAPIInfo {
 
     private String subscriptionAvailability; // need to decide isSubscriptionAvailable
     private String subscriptionAvailableOrgs; // (subscriptionAvailableTenants): need to decide the value of "isSubscriptionAvailable"
+    private String visibleOrganizations; //visible organizations
     private String authorizationHeader;
     private String apiKeyHeader;
     private List<String> securityScheme = new ArrayList<>();
@@ -340,13 +341,20 @@ public void setGatewayVendor(String gatewayVendor) {
         this.gatewayVendor = gatewayVendor;
     }
 
+    public String getVisibleOrganizations() {
+        return visibleOrganizations;
+    }
+
+    public void setVisibleOrganizations(String visibleOrganizations) {
+        this.visibleOrganizations = visibleOrganizations;
+    }
+
     public String getAsyncTransportProtocols() { return asyncTransportProtocols; }
 
     public void setAsyncTransportProtocols(String asyncTransportProtocols) {
         this.asyncTransportProtocols = asyncTransportProtocols;
     }
 
-
     @Override
     public String toString() {
         return "DevPortalAPI [status=" + status + ", isDefaultVersion=" + isDefaultVersion + ", description="
@@ -355,16 +363,17 @@ public String toString() {
                 + businessOwnerEmail + ", transports=" + transports + ", redirectURL=" + redirectURL
                 + ", apiExternalProductionEndpoint=" + apiExternalProductionEndpoint + ", apiExternalSandboxEndpoint="
                 + apiExternalSandboxEndpoint + ", apiOwner=" + apiOwner + ", advertiseOnly=" + advertiseOnly
-                + ", subscriptionAvailability=" + subscriptionAvailability + ", subscriptionAvailableOrgs="
-                + subscriptionAvailableOrgs + ", authorizationHeader=" + authorizationHeader + ", securityScheme="
-                + securityScheme + ", environments=" + environments + ", gatewayVendor=" + gatewayVendor
-                +  ", asyncTransportProtocols=" + asyncTransportProtocols  + ", apiCategories=" + apiCategories
-                + ", isMonetizationEnabled=" + isMonetizationEnabled + ", keyManagers=" + keyManagers
-                + ", deploymentEnvironments=" + deploymentEnvironments + ", tags=" + tags + ", additionalProperties="
-                + additionalProperties + ", endpointConfig=" + endpointConfig + ", type=" + type + ", advertisedOnly="
-                + advertisedOnly + ", swaggerDefinition=" + swaggerDefinition + ", contextTemplate=" + contextTemplate
-                + ", apiSecurity=" + apiSecurity + ", visibility=" + visibility + ", visibleRoles=" + visibleRoles
-                + "]";
+                + ", vendor=" + vendor + ", subscriptionAvailability=" + subscriptionAvailability
+                + ", subscriptionAvailableOrgs=" + subscriptionAvailableOrgs + ", visibleOrganizations="
+                + visibleOrganizations + ", authorizationHeader=" + authorizationHeader + ", apiKeyHeader="
+                + apiKeyHeader + ", securityScheme=" + securityScheme + ", environments=" + environments
+                + ", apiCategories=" + apiCategories + ", isMonetizationEnabled=" + isMonetizationEnabled
+                + ", keyManagers=" + keyManagers + ", deploymentEnvironments=" + deploymentEnvironments + ", tags="
+                + tags + ", additionalProperties=" + additionalProperties + ", endpointConfig=" + endpointConfig
+                + ", type=" + type + ", advertisedOnly=" + advertisedOnly + ", swaggerDefinition=" + swaggerDefinition
+                + ", contextTemplate=" + contextTemplate + ", apiSecurity=" + apiSecurity + ", visibility=" + visibility
+                + ", visibleRoles=" + visibleRoles + ", gatewayVendor=" + gatewayVendor + ", asyncTransportProtocols="
+                + asyncTransportProtocols + "]";
     }
 
     public String getApiSecurity() {

diff --git a/...re.v1/src/main/java/org/wso2/carbon/apimgt/rest/api/store/v1/impl/ApisApiServiceImpl.java b/...re.v1/src/main/java/org/wso2/carbon/apimgt/rest/api/store/v1/impl/ApisApiServiceImpl.java
@@ -1168,6 +1168,12 @@ private APIDTO getAPIByAPIId(String apiId, String organization, OrganizationInfo
             APIConsumer apiConsumer = RestApiCommonUtil.getLoggedInUserConsumer();
             ApiTypeWrapper api = apiConsumer.getAPIorAPIProductByUUID(apiId, organization);
             String status = api.getStatus();
+            String visibleOrgs = api.getApi().getVisibleOrganizations();
+            String userOrg = userOrgInfo.getOrganizationSelector();
+
+            if (!api.isAPIProduct() && !RestApiUtil.isOrganizationVisibilityAllowed(visibleOrgs, userOrg)) {
+                RestApiUtil.handleAuthorizationFailure(RestApiConstants.RESOURCE_API, apiId, log);
+            }
 
             // Extracting clicked API name by the user, for the recommendation system
             String userName = RestApiCommonUtil.getLoggedInUsername();

diff --git a/...c/main/java/org/wso2/carbon/apimgt/rest/api/store/v1/impl/ApplicationsApiServiceImpl.java b/...c/main/java/org/wso2/carbon/apimgt/rest/api/store/v1/impl/ApplicationsApiServiceImpl.java
@@ -1297,9 +1297,11 @@ public Response applicationsApplicationIdOauthKeysKeyMappingIdGenerateTokenPost(
         String username = RestApiCommonUtil.getLoggedInUsername();
         APIConsumer apiConsumer = RestApiCommonUtil.getConsumer(username);
         Application application = apiConsumer.getApplicationByUUID(applicationId);
+        OrganizationInfo orgInfo = RestApiUtil.getOrganizationInfo(messageContext);
 
         if (application != null) {
-            if (RestAPIStoreUtils.isUserAccessAllowedForApplication(application)) {
+            if (RestAPIStoreUtils.isUserAccessAllowedForApplication(application) || (orgInfo.getOrganizationSelector() != null
+                    && orgInfo.getOrganizationSelector().equals(application.getSharedOrganization()))) {
                 ApplicationKeyDTO appKey = getApplicationKeyByAppIDAndKeyMapping(applicationId, keyMappingId);
                 if (appKey != null) {
                     String jsonInput = null;

diff --git a/...t.rest.api.util/src/main/java/org/wso2/carbon/apimgt/rest/api/util/utils/RestApiUtil.java b/...t.rest.api.util/src/main/java/org/wso2/carbon/apimgt/rest/api/util/utils/RestApiUtil.java
@@ -1293,4 +1293,21 @@ public static String resolveOrganization (HashMap<String,Object> message) throws
         String organization = resolver.resolve(properties);
         return  organization;
     }
+
+    public static boolean isOrganizationVisibilityAllowed(String visibleOrgs, String userOrg) {
+        boolean allowed = false;
+
+        if (StringUtils.isEmpty(visibleOrgs) || APIConstants.DEFAULT_VISIBLE_ORG.equals(visibleOrgs)) {
+            allowed = true;
+        } else {
+            List<String> visibleOrgList = Arrays.asList(visibleOrgs.split(","));
+
+            if(visibleOrgList.contains(userOrg)) {
+                allowed = true;
+            } else {
+                allowed = false;
+            }
+        }
+        return allowed;
+    }
 }