Merge pull request #6097 from deutschebank/db-contrib/waltz-6061-meas…

…urable-ratings-permissions-fix Db contrib/waltz 6061 measurable ratings permissions fix
finos · Jun 14, 2022 · e389634 · e389634
2 parents 35deb55 + ef7258e
commit e389634
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/waltz-web/src/main/java/org/finos/waltz/web/endpoints/api/MeasurableRatingEndpoint.java b/waltz-web/src/main/java/org/finos/waltz/web/endpoints/api/MeasurableRatingEndpoint.java
@@ -147,7 +147,7 @@ private Collection<MeasurableRating> saveRoute(Request request, Response z) thro
                 : Operation.ADD;
 
         checkHasPermissionForThisOperation(command.measurableId(), command.entityReference(), operation, getUsername(request));
-        requireRole(userRoleService, request, measurableRatingService.getRequiredRatingEditRole(mkRef(EntityKind.MEASURABLE, command.measurableId())));
+
         return measurableRatingService.save(command, false);
     }
 
@@ -188,8 +188,10 @@ private void checkHasPermissionForThisOperation(Long measurableId,
                 .user(username)
                 .build();
 
+        boolean involvementBasedPermissions = permissionGroupService.hasPermission(checkPermissionCommand);
+
         checkTrue(
-                roleBasedPermissions || permissionGroupService.hasPermission(checkPermissionCommand),
+                roleBasedPermissions || involvementBasedPermissions,
                 format("User does not have permission to %s measurable ratings for this %s", operation.name().toLowerCase(), parentReference.kind().prettyName()));
     }