From 7c0e0a454b1ff2420e63a8f115d5f388ab8a0ae3 Mon Sep 17 00:00:00 2001
From: Anton Abushkevich <anton.abushkevich@gmail.com>
Date: Fri, 7 Oct 2022 17:35:11 +0300
Subject: [PATCH]  Admin cannot assign protected tag to entity #2119

---
 .../org/ohdsi/webapi/tag/TagSecurityUtils.java   | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/ohdsi/webapi/tag/TagSecurityUtils.java b/src/main/java/org/ohdsi/webapi/tag/TagSecurityUtils.java
index e55a542beb..ec04c877d8 100644
--- a/src/main/java/org/ohdsi/webapi/tag/TagSecurityUtils.java
+++ b/src/main/java/org/ohdsi/webapi/tag/TagSecurityUtils.java
@@ -9,6 +9,8 @@
 import org.ohdsi.webapi.pathway.domain.PathwayAnalysisEntity;
 import org.ohdsi.webapi.reusable.domain.Reusable;
 
+import javax.ws.rs.BadRequestException;
+
 public class TagSecurityUtils {
     public static String COHORT_DEFINITION = "cohortdefinition";
     public static String CONCEPT_SET = "conceptset";
@@ -40,7 +42,19 @@ public static boolean checkPermission(final String asset, final String method) {
             return false;
         }
 
-        final String permission = String.format("%s:*:protectedtag:*:%s", asset, method);
+        final String template;
+        switch (method) {
+            case "post":
+                template = "%s:*:protectedtag:post";
+                break;
+            case "delete":
+                template = "%s:*:protectedtag:*:delete";
+                break;
+            default:
+                throw new BadRequestException(String.format("Unsupported method: %s", method));
+
+        }
+        final String permission = String.format(template, asset);
         return SecurityUtils.getSubject().isPermitted(permission);
     }