Merge pull request #450 from molgenis/fix/#449-resource-non-super

fix: grant permissions for downloading objects

armadillo/src/main/java/org/molgenis/armadillo/controller/StorageController.java

@@ -43,6 +43,7 @@
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -240,6 +241,7 @@ public void deleteObject(
   }
 
   @Operation(summary = "Download an object")
+  @PreAuthorize("hasAnyRole('ROLE_SU', 'ROLE_' + #project.toUpperCase() + '_RESEARCHER')")
   @ApiResponses(
       value = {
         @ApiResponse(responseCode = "204", description = "Object downloaded successfully"),
@@ -264,6 +266,7 @@ public void deleteObject(
         Map.of(PROJECT, project, OBJECT, object));
   }
 
+  @PreAuthorize("hasAnyRole('ROLE_SU', 'ROLE_' + #project.toUpperCase() + '_RESEARCHER')")
   private ResponseEntity<ByteArrayResource> getObject(String project, String object) {
     var inputStream = storage.loadObject(project, object);
     var objectParts = object.split("/");

armadillo/src/main/java/org/molgenis/armadillo/storage/ArmadilloStorageService.java

@@ -87,7 +87,7 @@ public void deleteObject(String project, String object) {
     storageService.delete(SHARED_PREFIX + project, object);
   }
 
-  @PreAuthorize("hasRole('ROLE_SU')")
+  @PreAuthorize("hasAnyRole('ROLE_SU', 'ROLE_' + #project.toUpperCase() + '_RESEARCHER')")
   public InputStream loadObject(String project, String object) {
     throwIfUnknown(project, object);
     return storageService.load(SHARED_PREFIX + project, object);