restrict the possibility for the role_viewer to see the details of security

dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceIntegrationTest.kt

@@ -1019,6 +1019,59 @@ class DatasetServiceIntegrationTest : CsmRedisTestBase() {
     assertEquals(dataset1.connector!!.id, dataset2.connector!!.id)
   }
 
+  @Test
+  fun `As viewer, I can only see my information in security property for findDatasetById`() {
+    dataset = makeDatasetWithRole(role = ROLE_VIEWER)
+    datasetSaved = datasetApiService.createDataset(organizationSaved.id!!, dataset)
+
+    datasetSaved = datasetApiService.findDatasetById(organizationSaved.id!!, datasetSaved.id!!)
+    assertEquals(
+        DatasetSecurity(
+            default = ROLE_NONE, mutableListOf(DatasetAccessControl(TEST_USER_MAIL, ROLE_VIEWER))),
+        datasetSaved.security)
+    assertEquals(1, datasetSaved.security!!.accessControlList.size)
+  }
+
+  @Test
+  fun `As viewer, I can only see my information in security property for findAllDatasets`() {
+    every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER
+    datasetApiService.deleteDataset(organizationSaved.id!!, datasetSaved.id!!)
+    every { getCurrentAccountIdentifier(any()) } returns TEST_USER_MAIL
+    dataset = makeDatasetWithRole(role = ROLE_VIEWER)
+    datasetSaved = datasetApiService.createDataset(organizationSaved.id!!, dataset)
+
+    val datasets = datasetApiService.findAllDatasets(organizationSaved.id!!, null, null)
+    datasets.forEach {
+      assertEquals(
+          DatasetSecurity(
+              default = ROLE_NONE,
+              mutableListOf(DatasetAccessControl(TEST_USER_MAIL, ROLE_VIEWER))),
+          it.security)
+      assertEquals(1, it.security!!.accessControlList.size)
+    }
+  }
+
+  @Test
+  fun `As viewer, I can only see my information in security property for searchDatasets`() {
+    every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER
+    datasetApiService.deleteDataset(organizationSaved.id!!, datasetSaved.id!!)
+    every { getCurrentAccountIdentifier(any()) } returns TEST_USER_MAIL
+    dataset = makeDatasetWithRole(role = ROLE_VIEWER)
+    datasetSaved = datasetApiService.createDataset(organizationSaved.id!!, dataset)
+
+    val datasets =
+        datasetApiService.searchDatasets(
+            organizationSaved.id!!, DatasetSearch(mutableListOf("dataset")), 0, 10)
+    datasets.forEach {
+      assertEquals(
+          DatasetSecurity(
+              default = ROLE_NONE,
+              mutableListOf(DatasetAccessControl(TEST_USER_MAIL, ROLE_VIEWER))),
+          it.security)
+      assertEquals(1, it.security!!.accessControlList.size)
+    }
+  }
+
   fun makeConnector(): Connector {
     return Connector(
         key = "connector",

dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceRBACTest.kt

@@ -1858,7 +1858,7 @@ class DatasetServiceRBACTest : CsmRedisTestBase() {
   @TestFactory
   fun `test Dataset RBAC getDatasetAccessControl`() =
       mapOf(
-              ROLE_VIEWER to false,
+              ROLE_VIEWER to true,
               ROLE_EDITOR to false,
               ROLE_USER to false,
               ROLE_NONE to true,
@@ -2104,7 +2104,7 @@ class DatasetServiceRBACTest : CsmRedisTestBase() {
   @TestFactory
   fun `test Dataset RBAC getDatasetSecurityUsers`() =
       mapOf(
-              ROLE_VIEWER to false,
+              ROLE_VIEWER to true,
               ROLE_EDITOR to false,
               ROLE_USER to false,
               ROLE_NONE to true,
@@ -2180,7 +2180,7 @@ class DatasetServiceRBACTest : CsmRedisTestBase() {
   @TestFactory
   fun `test Dataset RBAC getDatasetSecurity`() =
       mapOf(
-              ROLE_VIEWER to false,
+              ROLE_VIEWER to true,
               ROLE_EDITOR to false,
               ROLE_USER to false,
               ROLE_NONE to true,

dataset/src/main/kotlin/com/cosmotech/dataset/service/DatasetServiceImpl.kt

@@ -167,12 +167,12 @@ class DatasetServiceImpl(
             datasetRepository.findAll(pageable).toList()
           }
     }
-
+    result.forEach { it.security = updateSecurityVisibility(it).security }
     return result
   }
 
   override fun findDatasetById(organizationId: String, datasetId: String): Dataset {
-    return getVerifiedDataset(organizationId, datasetId)
+    return updateSecurityVisibility(getVerifiedDataset(organizationId, datasetId))
   }
 
   override fun removeAllDatasetCompatibilityElements(organizationId: String, datasetId: String) {
@@ -237,7 +237,6 @@ class DatasetServiceImpl(
         version = existingConnector.version
       }
     }
-
     return datasetRepository.save(createdDataset)
   }
 
@@ -865,12 +864,15 @@ class DatasetServiceImpl(
       datasetId: String,
       workspaceId: String
   ): Dataset {
+    this.getVerifiedDataset(organizationId, datasetId, PERMISSION_WRITE)
     sendAddDatasetToWorkspaceEvent(organizationId, workspaceId, datasetId)
     return addWorkspaceToLinkedWorkspaceIdList(organizationId, datasetId, workspaceId)
   }
 
   @EventListener(AddWorkspaceToDataset::class)
   fun processEventAddWorkspace(addWorkspaceToDataset: AddWorkspaceToDataset) {
+    this.getVerifiedDataset(
+        addWorkspaceToDataset.organizationId, addWorkspaceToDataset.datasetId, PERMISSION_WRITE)
     addWorkspaceToLinkedWorkspaceIdList(
         addWorkspaceToDataset.organizationId,
         addWorkspaceToDataset.datasetId,
@@ -901,14 +903,17 @@ class DatasetServiceImpl(
       datasetId: String,
       workspaceId: String
   ): Dataset {
-
+    this.getVerifiedDataset(organizationId, datasetId, PERMISSION_WRITE)
     sendRemoveDatasetFromWorkspaceEvent(organizationId, workspaceId, datasetId)
-
     return removeWorkspaceFromLinkedWorkspaceIdList(organizationId, datasetId, workspaceId)
   }
 
   @EventListener(RemoveWorkspaceFromDataset::class)
   fun processEventRemoveWorkspace(removeWorkspaceFromDataset: RemoveWorkspaceFromDataset) {
+    this.getVerifiedDataset(
+        removeWorkspaceFromDataset.organizationId,
+        removeWorkspaceFromDataset.datasetId,
+        PERMISSION_WRITE)
     removeWorkspaceFromLinkedWorkspaceIdList(
         removeWorkspaceFromDataset.organizationId,
         removeWorkspaceFromDataset.datasetId,
@@ -1028,16 +1033,21 @@ class DatasetServiceImpl(
 
     val defaultPageSize = csmPlatformProperties.twincache.dataset.defaultPageSize
     val pageable = constructPageRequest(page, size, defaultPageSize)
+    var datasetList = listOf<Dataset>()
     if (pageable != null) {
-      return datasetRepository
-          .findDatasetByTags(organizationId, datasetSearch.datasetTags.toSet(), pageable)
-          .toList()
-    }
-    return findAllPaginated(defaultPageSize) {
-      datasetRepository
-          .findDatasetByTags(organizationId, datasetSearch.datasetTags.toSet(), it)
-          .toList()
+      datasetList =
+          datasetRepository
+              .findDatasetByTags(organizationId, datasetSearch.datasetTags.toSet(), pageable)
+              .toList()
     }
+    datasetList =
+        findAllPaginated(defaultPageSize) {
+          datasetRepository
+              .findDatasetByTags(organizationId, datasetSearch.datasetTags.toSet(), it)
+              .toList()
+        }
+    datasetList.forEach { it.security = updateSecurityVisibility(it).security }
+    return datasetList
   }
 
   override fun getDatasetSecurity(organizationId: String, datasetId: String): DatasetSecurity {
@@ -1208,6 +1218,7 @@ class DatasetServiceImpl(
       }
     }
   }
+
   private fun sendTwingraphImportJobInfoRequestEvent(
       dataset: Dataset,
       organizationId: String
@@ -1275,6 +1286,26 @@ class DatasetServiceImpl(
     csmRbac.verify(dataset.getRbac(), requiredPermission)
     return dataset
   }
+
+  fun updateSecurityVisibility(dataset: Dataset): Dataset {
+    if (csmRbac.check(dataset.getRbac(), PERMISSION_READ_SECURITY).not()) {
+      val username = getCurrentAccountIdentifier(csmPlatformProperties)
+      val retrievedAC = dataset.security!!.accessControlList.firstOrNull { it.id == username }
+      if (retrievedAC != null) {
+        return dataset.copy(
+            security =
+                DatasetSecurity(
+                    default = dataset.security!!.default,
+                    accessControlList = mutableListOf(retrievedAC)))
+      } else {
+        return dataset.copy(
+            security =
+                DatasetSecurity(
+                    default = dataset.security!!.default, accessControlList = mutableListOf()))
+      }
+    }
+    return dataset
+  }
 }
 
 fun Dataset.getRbac(): RbacSecurity {

dataset/src/test/kotlin/com/cosmotech/dataset/service/DatasetServiceImplTests.kt

@@ -12,6 +12,7 @@ import com.cosmotech.api.id.CsmIdGenerator
 import com.cosmotech.api.rbac.CsmAdmin
 import com.cosmotech.api.rbac.CsmRbac
 import com.cosmotech.api.rbac.PERMISSION_CREATE_CHILDREN
+import com.cosmotech.api.rbac.ROLE_NONE
 import com.cosmotech.api.security.ROLE_PLATFORM_ADMIN
 import com.cosmotech.api.utils.ResourceScanner
 import com.cosmotech.api.utils.getCurrentAccountIdentifier
@@ -59,7 +60,10 @@ fun baseDataset() =
         name = "My Dataset",
         description = "My Dataset description",
         organizationId = ORGANIZATION_ID,
-    )
+        security =
+            DatasetSecurity(
+                default = ROLE_NONE,
+                accessControlList = mutableListOf(DatasetAccessControl(USER_ID, ROLE_NONE))))
 
 @ExtendWith(MockKExtension::class)
 class DatasetServiceImplTests {
@@ -427,11 +431,7 @@ class DatasetServiceImplTests {
 
   @Test
   fun `deleteDataset should delete Dataset and its twingraph`() {
-    val dataset =
-        baseDataset()
-            .copy(
-                twingraphId = "twingraphId",
-            )
+    val dataset = baseDataset().copy(twingraphId = "twingraphId")
     every { organizationService.getVerifiedOrganization(ORGANIZATION_ID) } returns Organization()
     every { datasetRepository.findBy(ORGANIZATION_ID, DATASET_ID) } returns Optional.of(dataset)
     every { getCurrentAuthenticatedRoles(csmPlatformProperties) } returns