From 4cf2acfd7d0dcb015afe76c6f1e7a27f2f860e64 Mon Sep 17 00:00:00 2001
From: Shinsuke Sugaya <shinsuke@apache.org>
Date: Mon, 12 Feb 2018 10:41:36 +0900
Subject: [PATCH] fix #1497 check if access token is set

---
 .../codelibs/fess/helper/RoleQueryHelper.java  | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/main/java/org/codelibs/fess/helper/RoleQueryHelper.java b/src/main/java/org/codelibs/fess/helper/RoleQueryHelper.java
index f1a1346f0..0fbd4a6b0 100644
--- a/src/main/java/org/codelibs/fess/helper/RoleQueryHelper.java
+++ b/src/main/java/org/codelibs/fess/helper/RoleQueryHelper.java
@@ -118,9 +118,7 @@ public class RoleQueryHelper {
                 buildByCookieNameMapping(request, roleSet);
             }
 
-            if (isApiRequest) {
-                processAccessToken(request, roleSet);
-            }
+            final boolean hasAccessToken = processAccessToken(request, roleSet, isApiRequest);
 
             final RequestManager requestManager = ComponentUtil.getRequestManager();
             try {
@@ -130,7 +128,9 @@ public class RoleQueryHelper {
                             if (isApiRequest && ComponentUtil.getFessConfig().getApiAccessTokenRequiredAsBoolean()) {
                                 throw new InvalidAccessTokenException("invalid_token", "Access token is requried.");
                             }
-                            roleSet.addAll(fessConfig.getSearchGuestPermissionList());
+                            if (!hasAccessToken) {
+                                roleSet.addAll(fessConfig.getSearchGuestPermissionList());
+                            }
                         });
             } catch (final RuntimeException e) {
                 try {
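Review bot: The token-required check directly above the new `!hasAccessToken` guard still ignores `hasAccessToken`. If this callback runs for an API request that presented a valid token while `getApiAccessTokenRequiredAsBoolean()` is true, the request is rejected with `invalid_token` even though its permissions were already added to `roleSet`. The lambda's opening is outside the hunk, so this assumes it is the branch taken when no logged-in user is found. If that holds, the condition should read `if (isApiRequest && !hasAccessToken && ComponentUtil.getFessConfig().getApiAccessTokenRequiredAsBoolean()) {`. A test for a token-bearing API request with no user, with the required flag on and off, would pin both the rejection and the guest-permission behaviour.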
@@ -156,8 +156,14 @@ public class RoleQueryHelper {
         return roleSet;
     }
 
-    protected void processAccessToken(final HttpServletRequest request, final Set<String> roleSet) {
-        ComponentUtil.getComponent(AccessTokenService.class).getPermissions(request).ifPresent(p -> p.forEach(roleSet::add));
+    protected boolean processAccessToken(final HttpServletRequest request, final Set<String> roleSet, final boolean isApiRequest) {
+        if (isApiRequest) {
+            return ComponentUtil.getComponent(AccessTokenService.class).getPermissions(request).map(p -> {
+                p.forEach(roleSet::add);
+                return true;
+            }).orElse(false);
+        }
+        return false;
     }
 
     protected void processParameter(final HttpServletRequest request, final Set<String> roleSet) {
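Review bot: `processAccessToken` returns true whenever `getPermissions(request)` yields a value, even an empty permission collection, and false whenever the Optional is empty. If `AccessTokenService` reports an unrecognised token as an empty Optional rather than throwing (not visible here), such a request silently falls back to guest permissions when tokens are not required. The method should carry a Javadoc stating the contract, e.g. `@return true if this is an API request and the token service returned permissions, which are added to roleSet; false otherwise`. Since this is a protected method whose signature changed, a subclass overriding the old two-argument `void processAccessToken` is no longer invoked from this class, which is worth a release note.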
-- 
GitLab