Merge pull request #31 from protegeproject/fix-checking-capability-closure

alexsilaghi · web-flow · commit 76dfdcaab9bc · 2025-08-28T13:12:26.000+03:00
Fixes who-icatx/icatx-project#274
diff --git a/pom.xml b/pom.xml
@@ -10,7 +10,7 @@
 	</parent>
 	<groupId>edu.stanford.protege</groupId>
 	<artifactId>webprotege-authorization-service</artifactId>
-	<version>3.0.4</version>
+	<version>3.0.5-SNAPSHOT</version>
 	<name>webprotege-authorization-service</name>
 	<description>A service that checks users are authorized to execute operations in WebProtége</description>
 	<properties>
diff --git a/src/main/java/edu/stanford/protege/webprotege/authorization/AccessManagerImpl.java b/src/main/java/edu/stanford/protege/webprotege/authorization/AccessManagerImpl.java
@@ -267,9 +267,9 @@ private Collection<Subject> getSubjectsWithAccessToResource(Resource resource, O
         try {
             var projectId = toProjectIdString(resource);
             var query = query(where(PROJECT_ID).is(projectId));
-            capability.ifPresent(a -> query.addCriteria(where(CAPABILITY_CLOSURE).in(a.id())));
             return find(query)
                     .map(f -> objectMapper.convertValue(f, RoleAssignment.class))
+                    .filter(ra -> capability.map(cap -> ra.getCapabilityClosure().contains(cap)).orElse(true))
                     .map(ra -> {
                         var userName = ra.getUserName();
                         return userName.map(Subject::forUser).orElseGet(Subject::forAnySignedInUser);
@@ -285,9 +285,10 @@ public Collection<Resource> getResourcesAccessibleToSubject(Subject subject, Cap
         lock.readLock().lock();
         try {
             var userName = toUserName(subject);
-            var query = query(where(USER_NAME).is(userName).and(CAPABILITY_CLOSURE).is(capability.id()));
+            var query = query(where(USER_NAME).is(userName));
             return find(query)
                     .map(f -> objectMapper.convertValue(f, RoleAssignment.class))
+                    .filter(ra -> ra.getCapabilityClosure().contains(capability))
                     .map(ra -> {
                         var projectId = ra.getProjectId();
                         if (projectId.isPresent()) {
