From b984fcbf48c4702da99f79b334fb7708cf3d6d2d Mon Sep 17 00:00:00 2001
From: weskubo-cgi
Date: Mon, 24 Oct 2022 14:42:01 -0700
Subject: [PATCH] Fixed missing/erroneous backend security. Fixed path formatting.
---
.../gov/hlth/hnweb/security/SecurityConfig.java | 16 +++++++++-------
frontend/src/services/BaseService.js | 6 +++---
2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/backend/src/main/java/ca/bc/gov/hlth/hnweb/security/SecurityConfig.java b/backend/src/main/java/ca/bc/gov/hlth/hnweb/security/SecurityConfig.java
index 5e5ecd30..4c09b884 100644
--- a/backend/src/main/java/ca/bc/gov/hlth/hnweb/security/SecurityConfig.java
+++ b/backend/src/main/java/ca/bc/gov/hlth/hnweb/security/SecurityConfig.java
@@ -56,17 +56,19 @@ protected void configure(HttpSecurity http) throws Exception {
 .and()
 .cors(Customizer.withDefaults())
 .authorizeRequests()
- .mvcMatchers(HttpMethod.GET, "/docs/**").permitAll()
- .mvcMatchers(HttpMethod.GET, "/audit/organizations").hasRole("AuditReporting")
+ .mvcMatchers(HttpMethod.GET, "/docs/**").permitAll()
+ .mvcMatchers(HttpMethod.GET, "/audit/organizations").hasRole("AuditReporting")
 .mvcMatchers(HttpMethod.POST, "/audit/audit-report").hasRole("AuditReporting")
- .mvcMatchers(HttpMethod.GET, "/bulletins").fullyAuthenticated()
- .mvcMatchers(HttpMethod.POST, "/patient-registration/get-patient-registration").hasRole("PatientRegistration")
+ .mvcMatchers(HttpMethod.POST, "/audit/download-report").hasRole("AuditReporting")
+ .mvcMatchers(HttpMethod.GET, "/bulletins").fullyAuthenticated()
 .mvcMatchers(HttpMethod.POST, "/eligibility/check-msp-coverage-status").hasRole("MSPCoverageCheck")
 .mvcMatchers(HttpMethod.POST, "/eligibility/check-eligibility").hasRole("CheckEligibility")
 .mvcMatchers(HttpMethod.POST, "/eligibility/inquire-phn").hasRole("PHNInquiry")
 .mvcMatchers(HttpMethod.POST, "/eligibility/lookup-phn").hasRole("PHNLookup")
 .mvcMatchers(HttpMethod.POST, "/maintenance/change-cancel-date").hasRole("ChangeCancelDate")
+ .mvcMatchers(HttpMethod.POST, "/maintenance/change-effective-date").hasRole("ChangeEffectiveDate")
 .mvcMatchers(HttpMethod.POST, "/maintenance/renew-cancelled-group-coverage").hasRole("RenewCancelledCoverage")
+ .mvcMatchers(HttpMethod.POST, "/maintenance/reinstate-over-age-dependent").hasRole("ReinstateOverAgeDependent")
 .mvcMatchers(HttpMethod.POST, "/enrollment/enroll-subscriber").hasAnyRole("AddPermitHolderWithPHN", "AddPermitHolderWOPHN")
 .mvcMatchers(HttpMethod.POST, "/enrollment/get-person-details").hasRole("AddPermitHolderWithPHN")
 .mvcMatchers(HttpMethod.POST, "/enrollment/name-search").hasRole("AddPermitHolderWOPHN")
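Review bot: The new rules for `/audit/download-report`, `/maintenance/change-effective-date` and `/maintenance/reinstate-over-age-dependent` look right as far as this hunk shows, but the hunk is itself evidence that this hand-maintained allowlist drifts from the controllers: two endpoints had no rule at all and one still pointed at the old `/group-member/` path, and what such a request fell through to is decided by the rules after `.mvcMatchers("/*").denyAll()`, outside this hunk. I would add a test that iterates `RequestMappingHandlerMapping.getHandlerMethods()` and fails for any mapped method/path pair that has no explicit rule here, plus a comment above `.authorizeRequests()` such as `// Every controller mapping needs an explicit rule here; an unmatched path is decided by the tail rules below, not by this list.` Several `-`/`+` pairs in the hunk (`/docs/**`, `/audit/organizations`, `/bulletins`) have identical text on both sides and appear to be whitespace-only changes; keeping those out of a security fix would make the access-control delta reviewable at a glance. `configure` starts before this hunk and continues after it.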
@@ -75,13 +77,13 @@ protected void configure(HttpSecurity http) throws Exception {
 .mvcMatchers(HttpMethod.POST, "/group-member/cancel-dependent").hasRole("CancelDependent")
 .mvcMatchers(HttpMethod.POST, "/group-member/cancel-group-member").hasRole("CancelGroupMember")
 .mvcMatchers(HttpMethod.POST, "/group-member/update-number-and-dept").hasRole("UpdateNumberAndDept")
- .mvcMatchers(HttpMethod.POST, "/group-member/reinstate-over-age-dependent").hasRole("ReinstateOverAgeDependent")
 .mvcMatchers(HttpMethod.POST, "/msp-contracts/get-contract-periods").hasRole("GetContractPeriods")
 .mvcMatchers(HttpMethod.POST, "/msp-contracts/update-contract-address").hasRole("UpdateContractAddress")
 .mvcMatchers(HttpMethod.POST, "/msp-contracts/inquire-contract").hasAnyRole("ContractInquiry", "GetGroupMembersContractAddress") //inquire-contract endpoint will require this multi role as it is used by both R40 and R37 transactions
- .mvcMatchers(HttpMethod.GET, "/payee-mapping/").hasAnyRole("PatientRegistration", "ManageMSPPayeeNumber")
+ .mvcMatchers(HttpMethod.POST, "/patient-registration/get-patient-registration").hasRole("PatientRegistration")
+ .mvcMatchers(HttpMethod.GET, "/payee-mapping/").hasAnyRole("PatientRegistration", "ManageMSPPayeeNumber")
 .mvcMatchers(HttpMethod.POST, "/payee-mapping").hasRole("ManageMSPPayeeNumber")
- .mvcMatchers(HttpMethod.PUT, "/payee-mapping/").hasRole("ManageMSPPayeeNumber")
+ .mvcMatchers(HttpMethod.PUT, "/payee-mapping/").hasRole("ManageMSPPayeeNumber")
 .mvcMatchers(HttpMethod.DELETE, "/payee-mapping/").hasRole("ManageMSPPayeeNumber")
 .mvcMatchers(HttpMethod.GET, "/user/**").fullyAuthenticated()
 .mvcMatchers("/*").denyAll()
diff --git a/frontend/src/services/BaseService.js b/frontend/src/services/BaseService.js
index d4c25fe3..8e4908a4 100644
--- a/frontend/src/services/BaseService.js
+++ b/frontend/src/services/BaseService.js
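Review bot: The `/payee-mapping/` GET, PUT and DELETE matchers end in a trailing slash while POST uses `/payee-mapping`, and the frontend resource touched in this same commit is `'/payee-mapping'`; if the controller maps the target as a path variable (`/payee-mapping/{id}`), the literal pattern `/payee-mapping/` matches only the bare trailing-slash path and those three rules never fire, which is the same class of gap this commit is fixing elsewhere. The catch-all has a related limit: `.mvcMatchers("/*").denyAll()` covers only single-segment paths, so a request like `/payee-mapping/123` is decided by whatever rule follows, and that rule is outside this hunk. I would change the three rules to `/payee-mapping/**` (or `/payee-mapping/{id}` if that is the actual mapping) and make sure the chain ends in `.anyRequest().denyAll()` rather than relying on `/*`. It is also worth confirming that `/group-member/reinstate-over-age-dependent` no longer exists on the controller now that its rule is removed here, since an old mapping left behind would have no explicit rule at all. `configure` starts before this hunk and continues after it.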
@@ -5,8 +5,8 @@ import keycloak from '../keycloak'
 export const resources = {
 bulletins: '/bulletins',
 enrollment: {
- nameSearch: 'enrollment/name-search',
- getPersonDetails: 'enrollment/get-person-details',
+ nameSearch: '/enrollment/name-search',
+ getPersonDetails: '/enrollment/get-person-details',
 enrollSubscriber: '/enrollment/enroll-subscriber',
 },
 eligibility: {
@@ -19,7 +19,7 @@ export const resources = {
 getPatientRegistration: '/patient-registration/get-patient-registration',
 },
 bcscPayeeMappings: {
- getBcscPayeeMapping: '/payee-mapping'
+ getBcscPayeeMapping: '/payee-mapping',
 },
 groupMember: {
 addGroupMember: '/group-member/add-group-member',