Check permissions in the opt-out resource

bernd · bernd · commit d556b931adbc · 2015-11-03T15:54:17.000+01:00
diff --git a/src/main/java/org/graylog/plugins/usagestatistics/UsageStatsOptOutResource.java b/src/main/java/org/graylog/plugins/usagestatistics/UsageStatsOptOutResource.java
@@ -35,10 +35,15 @@
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
 
+import static org.graylog2.shared.security.RestPermissions.CLUSTER_CONFIG_ENTRY_CREATE;
+import static org.graylog2.shared.security.RestPermissions.CLUSTER_CONFIG_ENTRY_READ;
+
 @RequiresAuthentication
 @Api(value = "Usage Statistics Opt-Out", description = "Anonymous usage statistics opt-out state of this Graylog setup")
 @Path("/opt-out")
 public class UsageStatsOptOutResource extends RestResource implements PluginRestResource {
+    private static final String CLUSTER_CONFIG_INSTANCE = UsageStatsOptOutState.class.getCanonicalName();
+
     private final UsageStatsOptOutService usageStatsOptOutService;
 
     @Inject
@@ -54,6 +59,8 @@ public UsageStatsOptOutResource(UsageStatsOptOutService usageStatsOptOutService)
             @ApiResponse(code = 500, message = "Internal Server Error")
     })
     public UsageStatsOptOutState getOptOutState() {
+        checkPermission(CLUSTER_CONFIG_ENTRY_READ, CLUSTER_CONFIG_INSTANCE);
+
         final UsageStatsOptOutState optOutState = usageStatsOptOutService.getOptOutState();
 
         if (optOutState == null) {
@@ -73,6 +80,8 @@ public UsageStatsOptOutState getOptOutState() {
             @ApiResponse(code = 500, message = "Internal Server Error")
     })
     public void setOptOutState(@Valid @NotNull UsageStatsOptOutState optOutState) {
+        checkPermission(CLUSTER_CONFIG_ENTRY_CREATE, CLUSTER_CONFIG_INSTANCE);
+
         usageStatsOptOutService.setOptOutState(optOutState);
     }
 }
