Merge pull request #286 from kit-data-manager/issue-285-Search_for_state_REVOKED_returns_VOLATILE_and_FIXED

Search for state REVOKED returns VOLATILE and FIXED

Author: ThomasJejkal

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 ### Fixed
+* Fixed potential issue with unprivileged find
 
 ### Security
 

src/main/java/edu/kit/datamanager/repo/service/impl/DataResourceService.java

@@ -502,7 +502,7 @@ private Page<DataResource> doFind(
         logger.trace("Checking example for state information.");
         if (example != null && example.getState() != null) {
             //example is set...check if example state should be used
-            if (includeRevoked || !DataResource.State.REVOKED.equals(example.getSubjects())) {
+            if (includeRevoked || !DataResource.State.REVOKED.equals(example.getState())) {
                 logger.trace("Adding state {} from example.", example.getState());
                 //we either are allowed to include revoked state or the state is not 'REVOKED', add state from example
                 states.add(example.getState());
@@ -513,12 +513,11 @@ private Page<DataResource> doFind(
 
         if (states.isEmpty()) {
             logger.trace("No state element received from example. Adding default states VOLATILE and FIXED.");
-            //No state obtained from example...adding default states VOLATILE and FIXED
             states.add(DataResource.State.VOLATILE);
             states.add(DataResource.State.FIXED);
         }
 
-        if (includeRevoked) {
+        if (includeRevoked && !states.contains(DataResource.State.REVOKED)) {
             logger.trace("Flag 'includeRevoked' is enabled. Adding states REVOKED.");
             //Add REVOKED state in case this is allowed (e.g. admin access)
             states.add(DataResource.State.REVOKED);