From 18e1cc5593aac9ff551476073fefdc0bda83710b Mon Sep 17 00:00:00 2001
From: Mounir Nayab <mounir.nayab@xelians.fr>
Date: Thu, 2 Jul 2020 17:57:49 +0200
Subject: [PATCH] [FENIX-39] check criteria's subqueries authorized keys

---
 .../java/fr/gouv/vitamui/commons/api/utils/CriteriaUtils.java    | 1 +
 1 file changed, 1 insertion(+)

diff --git a/commons/commons-api/src/main/java/fr/gouv/vitamui/commons/api/utils/CriteriaUtils.java b/commons/commons-api/src/main/java/fr/gouv/vitamui/commons/api/utils/CriteriaUtils.java
index d8489ed7..ba76a41b 100644
--- a/commons/commons-api/src/main/java/fr/gouv/vitamui/commons/api/utils/CriteriaUtils.java
+++ b/commons/commons-api/src/main/java/fr/gouv/vitamui/commons/api/utils/CriteriaUtils.java
@@ -131,6 +131,7 @@ public final class CriteriaUtils {
                 throw new ForbiddenException("Criterion with key : " + criterion.getKey() + " is not allowed");
             }
         });
+        criteriaDto.getSubQueries().forEach(queryDto -> checkContainsAuthorizedKeys(queryDto, allowedKeys));
     }
 
     public static QueryDto fromJson(final String criteriaJson) {
-- 
GitLab