Skip to content

[BUG] Authorization is broken when cancer study groups are not in uppercase #11609

New issue
New issue
Open
#11687
#11610
Open
[BUG] Authorization is broken when cancer study groups are not in uppercase#11609
#11687
#11610
Assignees
dippindots
Labels
bug
@akulyakhtin

Description

@akulyakhtin
akulyakhtin
opened on Jul 2, 2025

Describe the bug
When authentication and authorization are turned on in application.properties
and when 'group' field in the 'cancer_study' table contains lowercase characters
then authorization by groups does not work.

To Reproduce

  1. set authentication=oauth2 and authorization=true in application.properties
  2. add a record to 'cancer_study' table with 'groups' field set to 'Group_123' and 'public' field set to 0.
  3. add a record to 'authorities' table with 'email' field set to user's email and 'authority' field set to 'Group_123'
  4. Go to cbioportal, login and observe home page

Expected behavior
Cancer study, specified in the record, should be present at the home page

Observed behavior
Cancer study is NOT present at the home page.

(it also can not be accessed by any other means because the authority is not granted).

Root cause
In CancerStudyPermisisonEvaluator.java the below code checks if the user is granted authority by groups:

Set<String> grantedAuthorities = getGrantedAuthorities(authentication);
...
if (!Collections.disjoint(groups, grantedAuthorities)) {
      if (log.isDebugEnabled()) {
        log.debug("hasAccessToCancerStudy(), user has access by groups return true");
      }
      return true;
    }
}

getGrantedAuthorities() method converts all elements of 'grantedAuthorities' to upper case even when they are not in upper case in the 'authorities' table:

private Set<String> getGrantedAuthorities(Authentication authentication) {
...
for (String au : allAuthorities) {
        if (au.toUpperCase().startsWith(appName + ":")) {
          grantedAuthorities.add(au.substring(appName.length() + 1).toUpperCase());
        }
 }
...

Elements of 'groups', however, come from 'cancer_study' table as they are.

Collections.disjoint() uses equals and therefore it makes case-sensitive comparison.
Therefore, 'Group_123" not being equal 'GROUP_123,' the access is not granted

The proposed fix is to implement utility method disjointIgnoreCase (can be private in that file) which should be a trivial task.

I can submit a pull request for this fix.

Best regards,
Alexander

Metadata

Metadata

Assignees

Labels

bug

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions