feat: prevent public permission for User and Group

shogun-lib/src/main/java/de/terrestris/shogun/lib/controller/security/permission/BasePermissionController.java

@@ -769,6 +769,8 @@ public Map<String, Boolean> isPublic(
             return Map.of("public", publicInstancePermissionService.getPublic(entity.get()));
         } catch (AccessDeniedException ade) {
             throw new EntityAccessDeniedException(entityId, getGenericClassName(), messageSource);
+        } catch (IllegalArgumentException iae) {
+            throw new ResponseStatusException(HttpStatus.FORBIDDEN, iae.getMessage());
         } catch (ResponseStatusException rse) {
             throw rse;
         }  catch (Exception e) {
@@ -793,7 +795,9 @@ public void setPublic(
             throw new EntityAccessDeniedException(entityId, getGenericClassName(), messageSource);
         } catch (ResponseStatusException rse) {
             throw rse;
-        }  catch (Exception e) {
+        }  catch (IllegalArgumentException iae) {
+            throw new ResponseStatusException(HttpStatus.FORBIDDEN, iae.getMessage());
+        } catch (Exception e) {
             throw new CreatePermissionException(e, messageSource);
         }
     }
@@ -815,7 +819,9 @@ public void revokePublic(
             throw new EntityAccessDeniedException(entityId, getGenericClassName(), messageSource);
         } catch (ResponseStatusException rse) {
             throw rse;
-        }  catch (Exception e) {
+        } catch (IllegalArgumentException iae) {
+            throw new ResponseStatusException(HttpStatus.FORBIDDEN, iae.getMessage());
+        } catch (Exception e) {
             throw new DeletePermissionException(e, messageSource);
         }
     }

shogun-lib/src/main/java/de/terrestris/shogun/lib/security/access/entity/BaseEntityPermissionEvaluator.java

@@ -316,6 +316,11 @@ private boolean containsReadPermission(ClassPermission ...classPermissions) {
     }
 
     protected boolean hasPublicPermission(E entity) {
+
+        if (entity.getClass().equals(Group.class) || entity.getClass().equals(User.class)) {
+            return false;
+        }
+
         return publicInstancePermissionService.getPublic(entity);
     }
 

shogun-lib/src/main/java/de/terrestris/shogun/lib/service/security/permission/PublicInstancePermissionService.java

@@ -17,6 +17,8 @@
 package de.terrestris.shogun.lib.service.security.permission;
 
 import de.terrestris.shogun.lib.model.BaseEntity;
+import de.terrestris.shogun.lib.model.Group;
+import de.terrestris.shogun.lib.model.User;
 import de.terrestris.shogun.lib.model.security.permission.PublicInstancePermission;
 import de.terrestris.shogun.lib.repository.security.permission.PublicInstancePermissionRepository;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -36,6 +38,11 @@ public class PublicInstancePermissionService {
     @PreAuthorize("hasRole('ADMIN') or hasPermission(#entity, 'UPDATE')")
     @Transactional(isolation = Isolation.SERIALIZABLE)
     public void setPublic(BaseEntity entity, boolean isPublic) {
+
+        if (entity.getClass().equals(Group.class) || entity.getClass().equals(User.class)) {
+            throw new IllegalArgumentException("Public permissions are not allowed for this entity type.");
+        }
+
         if (isPublic) {
             Optional<PublicInstancePermission> publicOpt = publicInstancePermissionRepository.findByEntityId(entity.getId());
             if (publicOpt.isPresent()) {
@@ -50,6 +57,11 @@ public void setPublic(BaseEntity entity, boolean isPublic) {
     }
 
     public boolean getPublic(BaseEntity entity) {
+
+        if (entity.getClass().equals(Group.class) || entity.getClass().equals(User.class)) {
+            throw new IllegalArgumentException("Public permissions are not allowed for this entity type.");
+        }
+
         return publicInstancePermissionRepository.findByEntityId(entity.getId()).isPresent();
     }
 }