From a0c06e80b42b43e87f913d4aac46215886d5a1ec Mon Sep 17 00:00:00 2001
From: Okke Harsta
Date: Fri, 17 Nov 2023 13:13:25 +0100
Subject: [PATCH] There can be more then one institution_admin
---
 README.md | 4 ++--
 .../src/main/java/access/repository/UserRepository.java | 2 +-
 .../security/UserHandlerMethodArgumentResolver.java | 9 +++++++--
 3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 328b4875..b3556c24 100644
--- a/README.md
+++ b/README.md
@@ -42,13 +42,13 @@ mvn clean deploy ### [Endpoints](#endpoints) - + - + ### [Mock](#mock)
diff --git a/server/src/main/java/access/repository/UserRepository.java b/server/src/main/java/access/repository/UserRepository.java
index a1fa0976..7ecc456d 100644
--- a/server/src/main/java/access/repository/UserRepository.java
+++ b/server/src/main/java/access/repository/UserRepository.java
@@ -14,7 +14,7 @@ public interface UserRepository extends JpaRepository {
 Optional findBySubIgnoreCase(String sub);
- Optional findByOrganizationGUIDAndAndInstitutionAdmin(String organizationGUID, boolean institutionAdmin);
+ List findByOrganizationGUIDAndAndInstitutionAdmin(String organizationGUID, boolean institutionAdmin);
 List findByUserRoles_role_id(Long roleId);
diff --git a/server/src/main/java/access/security/UserHandlerMethodArgumentResolver.java b/server/src/main/java/access/security/UserHandlerMethodArgumentResolver.java
index c1436cd0..e8e56b7b 100755
--- a/server/src/main/java/access/security/UserHandlerMethodArgumentResolver.java
+++ b/server/src/main/java/access/security/UserHandlerMethodArgumentResolver.java
@@ -19,6 +19,7 @@ import java.security.Principal;
 import java.util.Collections;
+import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.concurrent.atomic.AtomicBoolean;
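Review bot: The new `List` return of `findByOrganizationGUIDAndAndInstitutionAdmin` carries no ordering guarantee — a Spring Data derived query without an `OrderBy` clause returns rows in whatever order the database produces them — yet the resolver in this same patch takes element 0 of that list, so which institution admin stands in for the organization can change between requests or after a reindex. Make the order part of the query contract, e.g. `List<User> findByOrganizationGUIDAndAndInstitutionAdminOrderByIdAsc(String organizationGUID, boolean institutionAdmin);` (or add a `Sort` parameter), and add a one-line comment saying callers may rely on the first element being stable. The type arguments (`List<User>`, `Optional<User>`, `JpaRepository<User, Long>`) appear to have been stripped in this rendering; presumably the source still has them. The doubled `AndAnd` in the method name is pre-existing and was presumably accepted by Spring Data for the `Optional` version, but a rename to `findByOrganizationGUIDAndInstitutionAdmin` would spare the next reader a double-take. The enclosing `UserRepository` interface starts and ends outside this hunk.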
@@ -66,8 +67,12 @@ public User resolveArgument(MethodParameter methodParameter,
 APIToken apiToken = apiTokenRepository.findByHashedValue(hashedToken)
 .orElseThrow(UserRestrictionException::new);
 String organizationGuid = apiToken.getOrganizationGUID();
- User user = userRepository.findByOrganizationGUIDAndAndInstitutionAdmin(organizationGuid, true)
- .orElseThrow(UserRestrictionException::new);
+ List institutionAdmins = userRepository.findByOrganizationGUIDAndAndInstitutionAdmin(organizationGuid, true);
+ if (institutionAdmins.isEmpty()) {
+ throw new UserRestrictionException();
+ }
+ //Does not make any difference security-wise which user we return
+ User user = institutionAdmins.get(0);
 //The overhead is justified for API usage
 user.setApplications(manage.providersByInstitutionalGUID(organizationGuid));
 user.setInstitution(manage.identityProviderByInstitutionalGUID(organizationGuid).orElse(Collections.emptyMap()));
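Review bot: The claim `//Does not make any difference security-wise which user we return` rests on an invariant the code does not establish — that every institution admin of one `organizationGuid` is authorization-equivalent and that nothing downstream attributes the request to the resolved person; the repository exposes per-user roles (`findByUserRoles_role_id`), so if any controller consults `user`'s roles the API token silently inherits whatever the first admin in database order happens to hold, and any audit trail keyed on the resolved `User` will attribute API-token actions to an arbitrary admin. Because the list comes back unordered, `institutionAdmins.get(0)` is also nondeterministic across requests. Make the choice stable and state the invariant instead of asserting it: `User user = institutionAdmins.stream().min(Comparator.comparing(User::getId)).orElseThrow(UserRestrictionException::new);` (needs `java.util.Comparator`, and assumes `User` exposes `getId()`), with a comment such as `// API-token calls act as the organization, not a person: all institution admins of this organizationGuid must be authorization-equivalent; lowest id keeps the choice stable.`. If authorization really is keyed on the organization rather than the user, consider resolving a dedicated organization principal instead of borrowing a real admin's identity. `resolveArgument` starts before and continues after this hunk.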