X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=ecomp-portal-BE-common%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Fportalapp%2Fportal%2Fcontroller%2FFunctionalMenuController.java;h=5e13127c02fa1d607290bcfa05cbb715417dc76e;hb=8e83c25788017acd56271a72286f7dcbc974e76d;hp=97af437386092618b8b0099171376b12d4d37fc5;hpb=6e50276a42ab82cfe34ced9cf97e545283f37f2a;p=portal.git
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/FunctionalMenuController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/FunctionalMenuController.java
index 97af4373..5e13127c 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/FunctionalMenuController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/FunctionalMenuController.java
@@ -49,6 +49,7 @@ import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.core.Response;
 import org.json.JSONObject;
 import org.onap.portalapp.controller.EPRestrictedBaseController;
@@ -74,6 +75,7 @@ import org.onap.portalapp.util.EPUserUtils;
 import org.onap.portalapp.validation.DataValidator;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.onap.portalsdk.core.util.SystemProperties;
+import org.onap.portalsdk.core.web.support.UserUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.EnableAspectJAutoProxy;
@@ -641,10 +643,18 @@ public class FunctionalMenuController extends EPRestrictedBaseController {
 */
 @RequestMapping(value = { "/portalApi/userApplicationRoles" }, method = RequestMethod.GET, produces = "application/json")
-public List getAppList(HttpServletRequest request,
+public List getAppList(HttpServletRequest request, HttpServletResponse response,
 @RequestParam("userId") String userId) throws IOException {
 List AppRoles = null;
+
+if(!UserUtils.getUserSession(request).getOrgUserId().equalsIgnoreCase(userId)) {
+logger.error(EELFLoggerDelegate.errorLogger, "Not authorized to view roles of others ");
+response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+response.getWriter().flush();
+return null;
+}
+
 try {
 List userAppRoleList = functionalMenuService.getUserAppRolesList(userId);