fix: grant the access to everyone's estimation page to users with an admin role.

Implementation details:
- VIEW_ANY_ESTIMATION authority has been added and granted to the users with admin role

Fix #889

Author: php-coder

src/main/java/ru/mystamps/web/feature/collection/CollectionServiceImpl.java

@@ -167,7 +167,7 @@ public List<SeriesInCollectionDto> findSeriesInCollection(Integer collectionId,
 
 	@Override
 	@Transactional(readOnly = true)
-	@PreAuthorize(HasAuthority.ADD_SERIES_PRICE_AND_COLLECTION_OWNER)
+	@PreAuthorize(HasAuthority.ADD_SERIES_PRICE_AND_COLLECTION_OWNER_OR_VIEW_ANY_ESTIMATION)
 	public List<SeriesInCollectionWithPriceDto> findSeriesWithPricesBySlug(
 		String slug,
 		String lang) {

src/main/java/ru/mystamps/web/support/spring/security/Authority.java

@@ -36,6 +36,7 @@ public final class Authority {
 	public static final GrantedAuthority IMPORT_SERIES_SALES    = new SimpleGrantedAuthority(StringAuthority.IMPORT_SERIES_SALES);
 	public static final GrantedAuthority MANAGE_TOGGLZ          = new SimpleGrantedAuthority(StringAuthority.MANAGE_TOGGLZ);
 	public static final GrantedAuthority UPDATE_COLLECTION      = new SimpleGrantedAuthority(StringAuthority.UPDATE_COLLECTION);
+	public static final GrantedAuthority VIEW_ANY_ESTIMATION    = new SimpleGrantedAuthority(StringAuthority.VIEW_ANY_ESTIMATION);
 	public static final GrantedAuthority VIEW_DAILY_STATS       = new SimpleGrantedAuthority(StringAuthority.VIEW_DAILY_STATS);
 	public static final GrantedAuthority VIEW_SERIES_SALES      = new SimpleGrantedAuthority(StringAuthority.VIEW_SERIES_SALES);
 	public static final GrantedAuthority VIEW_SITE_EVENTS       = new SimpleGrantedAuthority(StringAuthority.VIEW_SITE_EVENTS);

src/main/java/ru/mystamps/web/support/spring/security/CustomUserDetailsService.java

@@ -80,6 +80,7 @@ private static Collection<? extends GrantedAuthority> getAuthorities(UserDetails
 			authorities.add(Authority.IMPORT_SERIES);
 			authorities.add(Authority.IMPORT_SERIES_SALES);
 			authorities.add(Authority.MANAGE_TOGGLZ);
+			authorities.add(Authority.VIEW_ANY_ESTIMATION);
 			authorities.add(Authority.VIEW_DAILY_STATS);
 			authorities.add(Authority.VIEW_SERIES_SALES);
 			authorities.add(Authority.VIEW_SITE_EVENTS);

src/main/java/ru/mystamps/web/support/spring/security/HasAuthority.java

@@ -22,8 +22,14 @@ public final class HasAuthority {
 	// Constants sorted in an ascending order.
 	public static final String ADD_PARTICIPANT = "hasAuthority('" + StringAuthority.ADD_PARTICIPANT + "')";
 	@SuppressWarnings("PMD.LongVariable")
-	public static final String ADD_SERIES_PRICE_AND_COLLECTION_OWNER
-		= "hasAuthority('" + StringAuthority.ADD_SERIES_PRICE + "') and principal?.userCollectionSlug == #slug";
+	public static final String ADD_SERIES_PRICE_AND_COLLECTION_OWNER_OR_VIEW_ANY_ESTIMATION =
+		"("
+			+ "hasAuthority('" + StringAuthority.ADD_SERIES_PRICE + "') "
+			+ "and "
+			+ "principal?.userCollectionSlug == #slug"
+		+ ") "
+		+ "or "
+		+ "hasAuthority('" + StringAuthority.VIEW_ANY_ESTIMATION + "')";
 	public static final String ADD_SERIES_SALES = "hasAuthority('" + StringAuthority.ADD_SERIES_SALES + "')";
 	public static final String CREATE_CATEGORY = "hasAuthority('" + StringAuthority.CREATE_CATEGORY + "')";
 	public static final String CREATE_COUNTRY = "hasAuthority('" + StringAuthority.CREATE_COUNTRY + "')";

src/main/java/ru/mystamps/web/support/spring/security/SecurityConfig.java

@@ -92,8 +92,8 @@ protected void configure(HttpSecurity http) throws Exception {
 				.mvcMatchers(Url.SITE_EVENTS_PAGE).hasAuthority(StringAuthority.VIEW_SITE_EVENTS)
 				.mvcMatchers(CountryUrl.SUGGEST_SERIES_COUNTRY).hasAuthority(StringAuthority.CREATE_SERIES)
 				.mvcMatchers(Url.DAILY_STATISTICS).hasAuthority(StringAuthority.VIEW_DAILY_STATS)
-				// @todo #884 /collection/{slug}/estimation: only owner should have access to estimation page
-				.mvcMatchers(CollectionUrl.ESTIMATION_COLLECTION_PAGE).hasAuthority(StringAuthority.ADD_SERIES_PRICE)
+				.mvcMatchers(CollectionUrl.ESTIMATION_COLLECTION_PAGE)
+					.access(HasAuthority.ADD_SERIES_PRICE_AND_COLLECTION_OWNER_OR_VIEW_ANY_ESTIMATION)
 				.regexMatchers(HttpMethod.POST, "/series/[0-9]+")
 					.hasAnyAuthority(
 						StringAuthority.UPDATE_COLLECTION,

src/main/java/ru/mystamps/web/support/spring/security/StringAuthority.java

@@ -32,6 +32,7 @@ public final class StringAuthority {
 	public static final String IMPORT_SERIES_SALES    = "IMPORT_SERIES_SALES";
 	public static final String MANAGE_TOGGLZ          = "MANAGE_TOGGLZ";
 	public static final String UPDATE_COLLECTION      = "UPDATE_COLLECTION";
+	public static final String VIEW_ANY_ESTIMATION    = "VIEW_ANY_ESTIMATION";
 	public static final String VIEW_DAILY_STATS       = "VIEW_DAILY_STATS";
 	public static final String VIEW_SERIES_SALES      = "VIEW_SERIES_SALES";
 	public static final String VIEW_SITE_EVENTS       = "VIEW_SITE_EVENTS";

src/test/robotframework/collection/estimation/access.robot

@@ -28,7 +28,7 @@ Paid user has access only to its own estimation page
 Admin has access only to its own estimation page
 	Log In As               login=admin  password=test  openPage=${true}
 	Go To                   ${SITE_URL}/collection/paid/estimation
-	Element Text Should Be  id=error-msg  Forbidden
+	Element Text Should Be  tag=h3  Paid User's collection
 	Go To                   ${SITE_URL}/collection/admin/estimation
 	Element Text Should Be  tag=h3  Site Admin's collection
 	# No need to log out as a browser will be closed after the test