add support for sample filter in hasPermission

Author: onursumer

src/main/java/org/cbioportal/application/rest/vcolumnstore/ColumnStoreSampleController.java

@@ -38,13 +38,11 @@
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestAttribute;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.util.Collection;
 import java.util.List;
 
 @RestController
@@ -146,7 +144,7 @@ public ResponseEntity<List<SampleDTO>> getSamplesByKeyword(
         }
     }
 
-    @PreAuthorize("hasPermission(#involvedCancerStudies, 'Collection<CancerStudyId>', T(org.cbioportal.legacy.utils.security.AccessLevel).READ)")
+    @PreAuthorize("hasPermission(#sampleFilter, 'SampleFilter', T(org.cbioportal.legacy.utils.security.AccessLevel).READ)")
     @PostMapping(
         value = "/samples/fetch",
         consumes = MediaType.APPLICATION_JSON_VALUE,
@@ -159,13 +157,6 @@ public ResponseEntity<List<SampleDTO>> getSamplesByKeyword(
         content = @Content(array = @ArraySchema(schema = @Schema(implementation = Sample.class)))
     )
     public ResponseEntity<List<SampleDTO>> fetchSamples(
-        @Parameter(hidden = true) // prevent reference to this attribute in the swagger-ui interface
-        @RequestAttribute(required = false, value = "involvedCancerStudies")
-        Collection<String> involvedCancerStudies,
-        @Parameter(hidden = true) // prevent reference to this attribute in the swagger-ui interface. this attribute is needed for the @PreAuthorize tag above.
-        @Valid
-        @RequestAttribute(required = false, value = "interceptedSampleFilter")
-        SampleFilter interceptedSampleFilter,
         @Parameter(required = true, description = "List of sample identifiers")
         @Valid
         @RequestBody(required = false)
@@ -175,11 +166,11 @@ public ResponseEntity<List<SampleDTO>> fetchSamples(
         ProjectionType projection
     ) {
         if (projection == ProjectionType.META) {
-            HttpHeaders responseHeaders = fetchMetaSamplesHeaders(interceptedSampleFilter);
+            HttpHeaders responseHeaders = fetchMetaSamplesHeaders(sampleFilter);
             return new ResponseEntity<>(responseHeaders, HttpStatus.OK);
         }
         else {
-            List<Sample> samples = sampleUseCases.fetchSamplesUseCase().execute(interceptedSampleFilter, projection);
+            List<Sample> samples = sampleUseCases.fetchSamplesUseCase().execute(sampleFilter, projection);
             return new ResponseEntity<>(SampleMapper.INSTANCE.toDtos(samples), HttpStatus.OK);
         }
     }

src/main/java/org/cbioportal/application/security/CancerStudyPermissionEvaluator.java

@@ -36,6 +36,7 @@
 import java.util.*;
 import java.util.stream.Collectors;
 
+import org.cbioportal.application.security.util.CancerStudyExtractorUtil;
 import org.cbioportal.legacy.model.CancerStudy;
 import org.cbioportal.legacy.model.MolecularProfile;
 import org.cbioportal.legacy.model.Patient;
@@ -46,6 +47,7 @@
 import org.cbioportal.legacy.web.parameter.DataBinCountFilter;
 import org.cbioportal.legacy.web.parameter.GenericAssayDataCountFilter;
 import org.cbioportal.legacy.web.parameter.GenomicDataCountFilter;
+import org.cbioportal.legacy.web.parameter.SampleFilter;
 import org.cbioportal.legacy.web.parameter.StudyViewFilter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -192,6 +194,13 @@ public boolean hasPermission(Authentication authentication, Serializable targetI
             return hasAccessToSampleLists(authentication, (Collection<String>) targetId, permission);
         } else if (targetType.contains("Filter")) {
             switch (targetId) {
+                case SampleFilter sampleFilter -> {
+                    return hasAccessToCancerStudies(
+                        authentication,
+                        CancerStudyExtractorUtil.extractCancerStudyIdsFromSampleFilter(sampleFilter, this.cacheMapUtil),
+                        permission
+                    );
+                }
                 case StudyViewFilter studyViewFilter -> {
                    return hasAccessToCancerStudies(authentication, studyViewFilter.getUniqueStudyIds(), permission);
                 }
@@ -216,7 +225,6 @@ public boolean hasPermission(Authentication authentication, Serializable targetI
                     }
                     return hasAccessToCancerStudies(authentication, studyIds, permission);
                 }
-
                 case GenericAssayDataCountFilter genericAssayDataCountFilter -> {
                     Set<String> studyIds = new HashSet<>();
                     if (genericAssayDataCountFilter.getStudyViewFilter() != null) {

src/main/java/org/cbioportal/application/security/util/CancerStudyExtractorUtil.java

@@ -0,0 +1,55 @@
+package org.cbioportal.application.security.util;
+
+import org.cbioportal.legacy.persistence.cachemaputil.CacheMapUtil;
+import org.cbioportal.legacy.web.parameter.SampleFilter;
+import org.cbioportal.legacy.web.parameter.SampleIdentifier;
+import org.cbioportal.legacy.web.util.UniqueKeyExtractor;
+
+import java.util.Collection;
+import java.util.List;
+
+public class CancerStudyExtractorUtil {
+    
+    private CancerStudyExtractorUtil() {}
+    
+    public static Collection<String> extractCancerStudyIdsFromSampleFilter(
+        SampleFilter sampleFilter,
+        CacheMapUtil cacheMapUtil
+    ) {
+        Collection<String> studyIds;
+        
+        if (sampleFilter.getSampleListIds() != null) {
+            studyIds = extractCancerStudyIdsFromSampleListIds(
+                sampleFilter.getSampleListIds(),
+                cacheMapUtil
+            );
+        } else if (sampleFilter.getSampleIdentifiers() != null) {
+            studyIds = extractCancerStudyIdsFromSampleIdentifiers(sampleFilter.getSampleIdentifiers());
+        } else {
+            studyIds = UniqueKeyExtractor.extractUniqueKeys(sampleFilter.getUniqueSampleKeys());
+        }
+        
+        return studyIds;
+    }
+
+    public static Collection<String> extractCancerStudyIdsFromSampleListIds(
+        List<String> sampleListIds,
+        CacheMapUtil cacheMapUtil
+    ) {
+        return sampleListIds
+            .stream()
+            .map(sampleListId -> cacheMapUtil.getSampleListMap().get(sampleListId).getCancerStudyIdentifier())
+            .distinct()
+            .toList();
+    }
+
+    public static Collection<String> extractCancerStudyIdsFromSampleIdentifiers(
+        Collection<SampleIdentifier> sampleIdentifiers
+    ) {
+        return sampleIdentifiers
+            .stream()
+            .map(SampleIdentifier::getStudyId)
+            .distinct()
+            .toList();
+    }
+}

src/main/java/org/cbioportal/legacy/web/util/UniqueKeyExtractor.java

@@ -1,12 +1,20 @@
 package org.cbioportal.legacy.web.util;
 
 import org.cbioportal.legacy.utils.Encoder;
+
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Collection;
 
 public class UniqueKeyExtractor {
 
     private UniqueKeyExtractor() {}
+
+    public static Collection<String> extractUniqueKeys(List<String> uniqueKeys) {
+        Collection<String> studyIds = new ArrayList<>();
+        extractUniqueKeys(uniqueKeys, studyIds, null);
+        return studyIds;
+    }
 
     public static void extractUniqueKeys(List<String> uniqueKeys, Collection<String> studyIdsToReturn) {
         extractUniqueKeys(uniqueKeys, studyIdsToReturn, null);