From 07cedb9d65c92d27c0a6c4eaf410ddf6d801ce5f Mon Sep 17 00:00:00 2001
From: Mohit Yadav <105265192+mohityadav766@users.noreply.github.com>
Date: Mon, 24 Mar 2025 11:19:04 +0530
Subject: [PATCH] Adds missing permissions on alerts (#20387)

---
 .../EventSubscriptionResource.java            | 34 +++++++------------
 1 file changed, 12 insertions(+), 22 deletions(-)

diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/resources/events/subscription/EventSubscriptionResource.java b/openmetadata-service/src/main/java/org/openmetadata/service/resources/events/subscription/EventSubscriptionResource.java
index 26d35fc300f..0ac10e70b65 100644
--- a/openmetadata-service/src/main/java/org/openmetadata/service/resources/events/subscription/EventSubscriptionResource.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/resources/events/subscription/EventSubscriptionResource.java
@@ -78,7 +78,6 @@ import org.openmetadata.service.apps.bundles.changeEvent.AlertFactory;
 import org.openmetadata.service.apps.bundles.changeEvent.Destination;
 import org.openmetadata.service.events.errors.EventPublisherException;
 import org.openmetadata.service.events.scheduled.EventSubscriptionScheduler;
-import org.openmetadata.service.events.subscription.AlertUtil;
 import org.openmetadata.service.events.subscription.EventsSubscriptionRegistry;
 import org.openmetadata.service.exception.EntityNotFoundException;
 import org.openmetadata.service.jdbi3.CollectionDAO;
@@ -479,6 +478,8 @@ public class EventSubscriptionResource
           @PathParam("id")
           UUID id)
       throws SchedulerException {
+    OperationContext operationContext = new OperationContext(entityType, MetadataOperation.DELETE);
+    authorizer.authorize(securityContext, operationContext, getResourceContextById(id));
     EventSubscription eventSubscription = repository.get(null, id, repository.getFields("id"));
     EventSubscriptionScheduler.getInstance().deleteEventSubscriptionPublisher(eventSubscription);
     EventSubscriptionScheduler.getInstance().deleteSuccessfulAndFailedEventsRecordByAlert(id);
@@ -509,6 +510,8 @@ public class EventSubscriptionResource
           @PathParam("id")
           UUID id)
       throws SchedulerException {
+    OperationContext operationContext = new OperationContext(entityType, MetadataOperation.DELETE);
+    authorizer.authorize(securityContext, operationContext, getResourceContextById(id));
     EventSubscription eventSubscription = repository.get(null, id, repository.getFields("id"));
     EventSubscriptionScheduler.getInstance().deleteEventSubscriptionPublisher(eventSubscription);
     EventSubscriptionScheduler.getInstance().deleteSuccessfulAndFailedEventsRecordByAlert(id);
@@ -532,6 +535,8 @@ public class EventSubscriptionResource
           @PathParam("name")
           String name)
       throws SchedulerException {
+    OperationContext operationContext = new OperationContext(entityType, MetadataOperation.DELETE);
+    authorizer.authorize(securityContext, operationContext, getResourceContextByName(name));
     EventSubscription eventSubscription =
         repository.getByName(null, name, repository.getFields("id"));
     EventSubscriptionScheduler.getInstance().deleteEventSubscriptionPublisher(eventSubscription);
@@ -621,7 +626,9 @@ public class EventSubscriptionResource
       @Parameter(description = "AlertType", schema = @Schema(type = "string"))
           @PathParam("alertType")
           CreateEventSubscription.AlertType alertType) {
-
+    OperationContext operationContext =
+        new OperationContext(entityType, MetadataOperation.VIEW_ALL);
+    authorizer.authorize(securityContext, operationContext, getResourceContext());
     if (alertType.equals(NOTIFICATION)) {
       return new ResultList<>(EventsSubscriptionRegistry.listEntityNotificationDescriptors());
     } else {
@@ -629,26 +636,6 @@ public class EventSubscriptionResource
     }
   }
 
-  @GET
-  @Path("/validation/condition/{expression}")
-  @Operation(
-      operationId = "validateCondition",
-      summary = "Validate a given condition",
-      description = "Validate a given condition expression used in filtering rules.",
-      responses = {
-        @ApiResponse(responseCode = "204", description = "No value is returned"),
-        @ApiResponse(responseCode = "400", description = "Invalid expression")
-      })
-  public void validateCondition(
-      @Context UriInfo uriInfo,
-      @Context SecurityContext securityContext,
-      @Parameter(description = "Expression to validate", schema = @Schema(type = "string"))
-          @PathParam("expression")
-          String expression) {
-    authorizer.authorizeAdmin(securityContext);
-    AlertUtil.validateExpression(expression, Boolean.class);
-  }
-
   @GET
   @Path("/{id}/processedEvents")
   @Operation(
@@ -671,6 +658,9 @@ public class EventSubscriptionResource
       @Parameter(description = "Id of the Event Subscription", schema = @Schema(type = "UUID"))
           @PathParam("id")
           UUID id) {
+    OperationContext operationContext =
+        new OperationContext(entityType, MetadataOperation.VIEW_ALL);
+    authorizer.authorize(securityContext, operationContext, getResourceContextById(id));
     return Response.ok()
         .entity(EventSubscriptionScheduler.getInstance().checkIfPublisherPublishedAllEvents(id))
         .build();