8450 api security uses nonexistent permission (#160)

* 8450 api security uses nonexistent permission * revert: ui comment change * Updated comment. Co-authored-by: weskubo-cgi <Wesley.Kubo@gov.bc.ca>
bcgov · Dec 21, 2022 · 60b6ec5 · 60b6ec5
1 parent c3ac0d1
commit 60b6ec5
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 5 deletions.
diff --git a/backend/src/main/java/ca/bc/gov/hlth/hnweb/security/SecurityConfig.java b/backend/src/main/java/ca/bc/gov/hlth/hnweb/security/SecurityConfig.java
@@ -79,7 +79,7 @@ protected void configure(HttpSecurity http) throws Exception {
             .mvcMatchers(HttpMethod.POST, "/group-member/update-number-and-dept").hasRole("UpdateNumberAndDept")
             .mvcMatchers(HttpMethod.POST, "/msp-contracts/get-contract-periods").hasRole("GetContractPeriods")
             .mvcMatchers(HttpMethod.POST, "/msp-contracts/update-contract-address").hasRole("UpdateContractAddress")
-            .mvcMatchers(HttpMethod.POST, "/msp-contracts/inquire-contract").hasAnyRole("ContractInquiry", "GetGroupMembersContractAddress")  //inquire-contract endpoint will require this multi role as it is used by both R40 and R37 transactions
+            .mvcMatchers(HttpMethod.POST, "/msp-contracts/inquire-contract").hasAnyRole("ContractInquiry", "GetContractAddress")  //inquire-contract endpoint will require this multi role as it is used by both R40 and R37 transactions
             .mvcMatchers(HttpMethod.POST, "/patient-registration/get-patient-registration").hasRole("PatientRegistration")
             .mvcMatchers(HttpMethod.GET,  "/payee-mapping/").hasAnyRole("PatientRegistration", "ManageMSPPayeeNumber")
             .mvcMatchers(HttpMethod.POST, "/payee-mapping").hasRole("ManageMSPPayeeNumber")

diff --git a/frontend/src/views/mspcontracts/GetGroupMembersContractAddress.vue b/frontend/src/views/mspcontracts/GetGroupMembersContractAddress.vue
@@ -117,10 +117,7 @@ export default {
           this.showError()
           return
         }
-        /*
-          This screen calls the Contract Inquiry endpoint as the results shown here are a subset of those returned for Contract Inquiry. This does not
-          break security as currently all roles with permissions for R37(Get Group Member's Contract Address) also have permission for R40(Contract Inquiry).
-        */
+        // This screen calls the Contract Inquiry endpoint as the results shown here are a subset of those returned for Contract Inquiry.
         this.result = (await MspContractsService.inquireContract({ phn: this.phn, groupNumber: this.groupNumber })).data
         if (this.result.status === 'error') {
           this.alertStore.setErrorAlert(this.result.message)