From 8ec7c4edea3a30b0c1a9134d8360d1e781e2915c Mon Sep 17 00:00:00 2001
From: Paulo Gustavo Veiga <pveiga@wisemapping.com>
Date: Sun, 19 Nov 2023 07:57:23 -0800
Subject: [PATCH] Move couple of classes to services Improve label security.

---
 .../com/wisemapping/config/MethodSecurityConfig.java   |  1 -
 .../java/com/wisemapping/service/LabelServiceImpl.java | 10 ++++++++--
 .../java/com/wisemapping/service/RecaptchaService.java |  8 +++++++-
 .../com/wisemapping/util/VelocityEngineWrapper.java    |  2 ++
 .../src/main/webapp/WEB-INF/wisemapping-service.xml    | 10 ----------
 5 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/wise-webapp/src/main/java/com/wisemapping/config/MethodSecurityConfig.java b/wise-webapp/src/main/java/com/wisemapping/config/MethodSecurityConfig.java
index 5e7d328b..c046f169 100644
--- a/wise-webapp/src/main/java/com/wisemapping/config/MethodSecurityConfig.java
+++ b/wise-webapp/src/main/java/com/wisemapping/config/MethodSecurityConfig.java
@@ -12,7 +12,6 @@ import org.springframework.security.config.annotation.method.configuration.Enabl
 
 @Configuration
 @EnableMethodSecurity(
-        prePostEnabled = true,
         securedEnabled = true,
         jsr250Enabled = true)
 public class MethodSecurityConfig  {
diff --git a/wise-webapp/src/main/java/com/wisemapping/service/LabelServiceImpl.java b/wise-webapp/src/main/java/com/wisemapping/service/LabelServiceImpl.java
index daaa0c9b..c152b3da 100644
--- a/wise-webapp/src/main/java/com/wisemapping/service/LabelServiceImpl.java
+++ b/wise-webapp/src/main/java/com/wisemapping/service/LabelServiceImpl.java
@@ -24,6 +24,7 @@ import com.wisemapping.model.User;
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Propagation;
 import org.springframework.transaction.annotation.Transactional;
@@ -38,7 +39,8 @@ public class LabelServiceImpl implements LabelService {
     private LabelManager labelManager;
 
     @Override
-    public void addLabel(@NotNull final Label label, @NotNull final User user) throws WiseMappingException {
+    @PreAuthorize("hasAnyRole('USER', 'ADMIN') && hasPermission(#user, 'WRITE')")
+    public void addLabel(@NotNull final Label label, @NotNull final User user) {
 
         label.setCreator(user);
         labelManager.addLabel(label);
@@ -46,22 +48,26 @@ public class LabelServiceImpl implements LabelService {
 
     @NotNull
     @Override
+    @PreAuthorize("hasAnyRole('USER', 'ADMIN') && hasPermission(#user, 'READ')")
     public List<Label> getAll(@NotNull final User user) {
         return labelManager.getAllLabels(user);
     }
 
-    @Override @Nullable
+    @Override
+    @PreAuthorize("hasAnyRole('USER', 'ADMIN') && hasPermission(#user, 'READ')")
     public Label findLabelById(int id, @NotNull final User user) {
         return labelManager.getLabelById(id, user);
     }
 
     @Nullable
     @Override
+    @PreAuthorize("hasAnyRole('USER', 'ADMIN') && hasPermission(#user, 'READ')")
     public Label getLabelByTitle(@NotNull String title, @NotNull final User user) {
         return labelManager.getLabelByTitle(title, user);
     }
 
     @Override
+    @PreAuthorize("hasAnyRole('USER', 'ADMIN') && hasPermission(#user, 'WRITE')")
     public void removeLabel(@NotNull Label label, @NotNull User user) throws WiseMappingException {
         if (label.getCreator().equals(user)) {
             labelManager.removeLabel(label);
diff --git a/wise-webapp/src/main/java/com/wisemapping/service/RecaptchaService.java b/wise-webapp/src/main/java/com/wisemapping/service/RecaptchaService.java
index 17d6cb1f..cfb5d67c 100644
--- a/wise-webapp/src/main/java/com/wisemapping/service/RecaptchaService.java
+++ b/wise-webapp/src/main/java/com/wisemapping/service/RecaptchaService.java
@@ -29,21 +29,27 @@ import org.apache.http.client.fluent.Request;
 import org.jetbrains.annotations.Nullable;
 
 import jakarta.validation.constraints.NotNull;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Service;
+
 import java.io.IOException;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
-
+@Service
 public class RecaptchaService {
 
     final private static Logger logger = LogManager.getLogger();
+
     final private static String GOOGLE_RECAPTCHA_VERIFY_URL =
             "https://www.google.com/recaptcha/api/siteverify";
 
     private final static ObjectMapper objectMapper = new ObjectMapper();
     public static final String CATCH_ERROR_CODE_TIMEOUT_OR_DUPLICATE = "timeout-or-duplicate";
     public static final String CATCHA_ERROR_CODE_INPUT_RESPONSE = "invalid-input-response";
+
+    @Value("${google.recaptcha2.secretKey}")
     private String recaptchaSecret;
 
     @Nullable
diff --git a/wise-webapp/src/main/java/com/wisemapping/util/VelocityEngineWrapper.java b/wise-webapp/src/main/java/com/wisemapping/util/VelocityEngineWrapper.java
index 44ebb6a3..6ced8b0d 100644
--- a/wise-webapp/src/main/java/com/wisemapping/util/VelocityEngineWrapper.java
+++ b/wise-webapp/src/main/java/com/wisemapping/util/VelocityEngineWrapper.java
@@ -21,7 +21,9 @@ import org.apache.commons.collections.ExtendedProperties;
 import org.apache.velocity.app.VelocityEngine;
 import org.apache.velocity.runtime.RuntimeConstants;
 import org.jetbrains.annotations.NotNull;
+import org.springframework.stereotype.Component;
 
+@Component
 public class VelocityEngineWrapper {
     private final VelocityEngine velocityEngine;
 
diff --git a/wise-webapp/src/main/webapp/WEB-INF/wisemapping-service.xml b/wise-webapp/src/main/webapp/WEB-INF/wisemapping-service.xml
index 97dadf1c..ac79a5b9 100755
--- a/wise-webapp/src/main/webapp/WEB-INF/wisemapping-service.xml
+++ b/wise-webapp/src/main/webapp/WEB-INF/wisemapping-service.xml
@@ -18,9 +18,6 @@
         <property name="velocityEngineWrapper" ref="velocityEngineWrapper"/>
     </bean>
 
-	<bean id="httpInvoker" class="com.wisemapping.service.google.http.HttpInvoker">
-	</bean>
-
     <bean id="googleService" class="com.wisemapping.service.google.GoogleService">
 		<property name="httpInvoker" ref="httpInvoker"/>
         <property name="optinConfirmUrl" value="${security.oauth2.google.confirmUrl}"/>
@@ -30,10 +27,6 @@
         <property name="callbackUrl" value="${security.oauth2.google.callbackUrl}"/>
 	</bean>
 
-    <bean id="recaptchaService" class="com.wisemapping.service.RecaptchaService">
-        <property name="recaptchaSecret" value="${google.recaptcha2.secretKey}"/>
-    </bean>
-
     <bean id="mailSender" class="org.springframework.mail.javamail.JavaMailSenderImpl">
         <property name="host" value="${mail.smtp.host}"/>
         <property name="port" value="${mail.smtp.port}"/>
@@ -49,9 +42,6 @@
         </property>
     </bean>
 
-    <bean id="velocityEngineWrapper" class="com.wisemapping.util.VelocityEngineWrapper">
-    </bean>
-
     <bean id="notificationService" class="com.wisemapping.mail.NotificationService">
         <property name="baseUrl" value="${site.baseurl:http://localhost:8080/}"/>
         <property name="mailer" ref="mailer"/>